AWS Management & Governance Blog

Amazon Managed Grafana supports direct SAML integration with identity providers

In response to customer requests, Amazon Managed Grafana now supports direct Security Assertion Markup Language (SAML) 2.0 integration, without the need to go through AWS Identity and Access Management (AWS IAM) or AWS Single Sign-On (AWS SSO). SAML authentication support enables you to use your existing identity provider to offer single sign-on for logging into the Grafana console of your Amazon Managed Grafana workspaces, manage access control, search your data, and build visualizations.

Amazon Managed Grafana uses just-in-time (JIT) provisioning, where the user is created based on the initial SAML assertion and any subsequent connections authenticate with the service user directly.

In this blog post, we share the IdPs who built and launched an sponsored application from their directory to Amazon Managed Grafana . You can create your own application if you like, but these official applications were tested and approved by AWS and our external IdPs.

Prerequisites

To complete the steps in this post, you need the following:

  • An AWS account.
  • An active account with one of the IdPs from step 2, who supports SAML.

Walkthrough

In the following steps, we show you how to create and configure an Amazon Managed Grafana workspace, configure an application on your identity provider’s portal, configure the SAML setup for admins and viewers, and then access the Amazon Managed Grafana workspace.

Step 1: Create an Amazon Managed Grafana workspace

  1. In the Amazon Managed Grafana console, create a workspace. Enter a name and optional description for the workspace.
  2. For authentication method, choose Security Assertion Markup Language (SAML).
  3. Under Permission type, choose Service managed. For more information, review the Getting started with Amazon Managed Grafana blog post.

The Configure settings page displays two options for authentication method: AWS SSO and SAML.

Figure 1: Setting up Amazon Managed Grafana with SAML as the authentication method

  1. Under IAM permission access settings, choose Current account. In Data sources, select the AWS data sources.

Service managed permission settings displays two options for specifying account access: Current account and Organization). Under Data sources, AWS IoT SiteWise, AWS X-Ray, Amazon CloudWatch, Amazon TimeStream, and other AWS services are selected.

Figure 2: Setting up Amazon Managed Grafana permissions and configuring data sources

  1. Choose Next.
  2. In the following screen titled Review and create, review the settings and choose Create workspace.
  3. After the workspace is created, make a note of the Amazon Managed Grafana workspace URL. It contains a unique workspace ID and the AWS Region. You’ll need these values to configure the Amazon Managed Grafana SAML application in your preferred IdP. In Figure 3, you’ll see a console message that says the SAML setup is pending user input.

The MyGrafana-Workspace details page displays the workspace URL, authentication access type, IAM role, and more.

Figure 3: Amazon Managed Grafana workspace configuration page

Step 2: Configure an Amazon Managed Grafana application on your external identity provider’s portal

Following are the steps to configure the Amazon Managed Grafana application on your IdP portal. Choose the section that refers to your IdP for detailed steps.

Azure AD

CyberArk

OneLogin

Okta

Ping Identity

Azure AD

  1. Sign in to the Azure console as an admin.
  2. Choose Azure Active Directory.
  3. Choose Enterprise Applications.
  4. Search for and then choose Amazon Managed Grafana SAML 2.0.
  5. Choose the application and then choose Setup.

Configure the Azure AD application

  1. On the left side, under Manage go to Users and groups and assign the application to the users and groups you want.
  2. Choose Single sign-on and then choose Next.
  3. On the SAML configuration page, in Identifier (Entity ID), paste the service provider identifierURL from the Amazon Managed Grafana workspace.
  4. In Reply URL (Assertion Consumer Service URL), paste the service provider reply URL from the Amazon Managed Grafana workspace.
  5. Sign Assertion should be selected and Encrypt Assertion should be cleared.
  6. In the User Attributes & Claims section, make sure these attributes are mapped. The attributes are case sensitive.
    • mail set with user.userprincipalname.
    • displayName set with user.displayname.
    • Unique User Identifier set with user.userprincipalname. (This is the NameID.)
    • Add any other attributes, that are required as part of your workflow to configure Admin, Editor or Viewer role for an Amazon Managed Grafana user.
  7. Copy the SAML metadata URL to be used in the Amazon Managed Grafana workspace SAML configuration.

Configure Amazon Managed Grafana SAML with Azure AD

  1. Go to your Amazon Managed Grafana workspace, under Security Assertion Markup Language (SAML) choose Complete Setup.
  2. Under Import the metadata, paste the Azure AD URL you copied from the SAML metadata URL.
  3. Under Assertion mapping, ensure that the check box for “I want to opt-out of assigning admins to my workspace” is cleared and not selected.
  4. Under Assertion attribute role for admin, enter the Assertion attribute role and Admin role values to match the attribute name and value you had previously configured under the User Attributes & Claims section in your Azure-AD application.  For admin flow, see Step 3: Configure the SAML setup on Amazon Managed Grafana for admins and viewers.
  5. (Optional) If you changed the default attributes in your Azure AD application, expand Additional settings and set the new attribute names. By default, the Azure AD displayName attribute will be passed to the name attribute. The Azure AD mail attribute will be passed to the email and login attributes.
  6. Choose Save SAML Configuration.

For more information, please review Azure AD documentation.

CyberArk

  1. Sign in to the CyberArk Identity Admin Portal.
  2. Under the Apps section choose Web Apps.
  3. In the upper-right, choose Add Web App.
  4. Search for Amazon Managed Grafana SAML 2.0 and then choose Add.

Configure the CyberArk application

  1. In the Trust section of the admin portal, under Identity Provider Configuration, choose Metadata.
  2. Copy and save the URL. You will need it for the Amazon Managed Grafana workspace SAML configuration.
  3. Under Service Provider Configuration, choose the Manual Configuration.
  4. For the SAML settings, in SP Entity ID, paste your service provider identifier URL from the Amazon Managed Grafana workspace.
  5. In Assertion Consumer Service (ACS) URL, paste your service provider reply URL from the Amazon Managed Grafana workspace.
  6. Set Sign Response or Assertion to Assertion.
  7. Make sure that NameID Format is emailAddress, and then choose Save.
  8. In the SAML Response section, make sure these attributes are mapped. In Application Name, the Amazon Managed Grafana attribute should be entered. This field is case-sensitive. In Attribute Value, the CyberArk attribute should be entered.
  9. In displayName, enter DisplayName.
  10. In mail, enter Email.
  11. Add any other attributes, that are required as part of your workflow to configure Admin, Editor or Viewer role for an Amazon Managed Grafana user.
  12. In the Permissions section, choose the users and groups to assign this application to and then choose Save.

Configure Amazon Managed Grafana SAML with CyberArk

  1. Go to your Amazon Managed Grafana workspace, under Security Assertion Markup Language (SAML) choose Complete Setup.
  2. Under Import the metadata, paste the CyberArk URL you copied from the identity provider configuration metadata URL.
  3. Under Assertion mapping, ensure that the check box for “I want to opt-out of assigning admins to my workspace” is cleared and not selected.
  4. Under Assertion attribute role for admin, enter the Assertion attribute role and Admin role values to match the attribute name and value you had previously configured as part of the SAML Response section in your CyberArk application. For admin flow, see Step 3: Configure the SAML setup on Amazon Managed Grafana for admins and viewers. 
  5. (Optional) If you changed the default attributes in your CyberArk application, expand Additional settings and set the new attribute name. By default, the CyberArk displayName attribute will be passed to the name attribute. The CyberArk mail attribute will be passed to the email and login attributes.
  6. Choose Save SAML Configuration.

For more information, please review CyberArk documentation.

OneLogin

  1. Sign in to the OneLogin Admin Portal.
  2. Choose Applications and then choose Applications.
  3. In the upper-right, choose Add app.
  4. Search for and then choose Amazon Managed Grafana.

Configure the OneLogin application

  1. Enter a display name and then choose Save.
  2. Under the menu on the left, choose Configuration and then paste your Amazon Managed Grafana workspace URL from the Amazon Managed Grafana console.
  3. Under Parameters, fields NameID, mail, and displayName (case sensitive) already have default values set as Email, Email, FirstName LastName respectively and you don’t need to change those. These fields will be passed as required attributes to Amazon Managed Grafana . In this example, to grant an admin role access to the user you can add the parameter Department and value sde, make sure these parameters are configured in the Amazon Managed Grafana console as explained in Step 3.
  4. Under SSO, copy the issuer URL to be used in the Amazon Managed Grafana workspace SAML configuration, and then choose Save.
  5. On the top ribbon, choose Users and assign the users you want to use this application.

Configure Amazon Managed Grafana SAML with OneLogin

  1. Go to your Amazon Managed Grafana workspace, under Security Assertion Markup Language (SAML) choose Complete Setup.
  2. Under Import the metadata, paste the issuer URL you copied from your OneLogin app.
  3. Under Assertion mapping, ensure that the check box for “I want to opt-out of assigning admins to my workspace” is cleared and not selected.
  4. Under Assertion attribute role for admin, enter the Assertion attribute role and Admin role values to match the Field name you had previously configured under the Parameters section in your OneLogin application. For admin flow, see Step 3: Configure the SAML setup on Amazon Managed Grafana for admins and viewers. 
  5. (Optional) If you changed the default fields in your OneLogin application, expand Additional settings and set the new field names. By default, the OneLogin displayName field will be passed to the name attribute. The OneLogin mail field will be passed to the email and login attributes.
  6. Choose Save SAML Configuration.

For more information, please review OneLogin documentation.

Okta

  1. Sign in to the Okta console as an admin.
  2. In the left panel, choose Applications and then choose Applications.
  3. Choose Browse App Catalog and search for Amazon Managed Grafana
  4. Choose the application and then choose Add and Done.

Configure the Okta application

  1. Go to the Sign On tab and choose Edit at the top.
  2. Under Advanced Sign-on Settings enter your Workspace name and AWS Region in the Name Space and Region fields respectively. Your Amazon Managed Grafana name format is: <workspace name>.grafana-workspace.<region>.amazonaws.com.
  3. Choose Save to save the configuration.
  4. Under SAML 2.0 copy the URL for Identity Provider metadata, you will need it later on the Amazon Grafana SAML configuration page.
  5. On the Assignments tab, choose the People and Groups you want to use this application.

Configure Amazon Managed Grafana SAML with Okta

  1. Go to your Amazon Managed Grafana workspace, under Security Assertion Markup Language (SAML) choose Complete Setup.
  2. Under Import the metadata, paste the Okta URL you copied from identity provider metadata.
  3. Under Assertion mapping, ensure that the check box for “I want to opt-out of assigning admins to my workspace” is cleared and not selected.
  4. Under Assertion attribute role for admin, enter the Assertion attribute role and Admin role values to match the attribute name and value you had previously configured under Attribute Statements in your Okta application . For admin flow, see Step 3: Configure the SAML setup on Amazon Managed Grafana for admins and viewers.
  5. (Optional) if you changed the default attributes in your Okta application, expand Additional settings and set the new attribute names. By default, the Okta displayName attribute will be passed to the name attribute. The Okta mail attribute will be passed to the email and login attributes.
  6. Choose Save SAML Configuration.

For more information, please review Okta documentation.

Ping Identity (PingOne)

  1. Sign in to the PingOne console as an admin.
  2. Choose Applications, choose Add Application, and then choose Search Application Catalog.
  3. Search for and choose the Amazon Managed Grafana SAML application, and then choose Setup.

Configure the PingOne application

  1. On the SAML configuration page, for SAML settings, in Assertion Consumer Service (ACS), paste your service provider reply URL from the Amazon Managed Grafana workspace.
  2. In Entity ID, paste your service provider identifier URL from the Amazon Managed Grafana workspace.
  3. Confirm that Sign Assertion is selected and Encrypt Assertion is cleared.
  4. Choose Continue to Next Step.
  5. In SSO Attribute Mapping, make sure these attributes are mapped.
    • In Application Attribute, the Amazon Managed Grafana attribute (case sensitive).
    • In Identity Bridge Attribute, the PingOne attribute.
    • mail set to Email (Work).
    • displayName set to Display Name.
    • SAML_SUBJECT set with Email (Work). For this attribute, choose Advanced. For Name ID Format to send to SP, enter urn:oasis:names:tc:SAML:2.0:nameid-format:transient, and then choose Save.
    • Add any other attributes, that are required as part of your workflow to configure Admin, Editor or Viewer role for an Amazon Managed Grafana user.
  6. Choose Continue to Next Step.
  7. In Group Access, choose which groups to assign this application to, and then choose Continue to Next Step.
  8. In Review Setup, copy the SAML Metadata URL, which starts with https://admin-api.pingone.com/latest/metadata/. You will use it in the Amazon Managed Grafana workspace SAML configuration.
  9. Choose Finish.

Configure Amazon Managed Grafana SAML with PingOne

  1. Go to your Amazon Managed Grafana workspace, under Security Assertion Markup Language (SAML) choose Complete Setup.
  2. Under Import the metadata, paste the PingOne URL you copied from SAML metadata URL.
  3. Under Assertion mapping, ensure that the check box for “I want to opt-out of assigning admins to my workspace” is cleared and not selected.
  4. Under Assertion attribute role for admin, enter the Assertion attribute role and Admin role values to match the attribute name and value you had previously configured under SSO Attribute Mapping in your PingOne application . For admin flow, see Step 3: Configure the SAML setup on Amazon Managed Grafana for admins and viewers.
  5. (Optional) If you changed the default attributes in your PingOne application, expand Additional settings and set the new attribute names. By default, the PingOne displayName attribute will be passed to the name attribute. The PingOne mail attribute will be passed to the email and login attributes.
  6. Choose Save SAML Configuration.

For more information, please review Ping Identity documentation.

Step 3: Configure the SAML setup on Amazon Managed Grafana for admins and viewers

Amazon Managed Grafana uses just-in-time (JIT) provisioning, which means that the first time a user is authenticated with Amazon Managed Grafana, the user is created in the Amazon Managed Grafana directory.

The creation of users relies on the SAML assertion and JIT, rather than manual configuration. This means that you can pass an attribute from your IdP to identify users as admins.

In this example, we assume that the attribute Department is configured in your IdP and value sde is populated for every relevant user and group. Hence in Figure 4, inside Amazon Managed Grafana console for Assertion attribute role, we enter Department. For Admin role values, we enter sde to identify the admin users.

  1. To configure the SAML setup, in the Amazon Managed Grafana console, choose SAML Configuration.
  2. Import the metadata by providing the issuer URL you copied earlier from your IdP portal (From Configure the IdP application section).
  3. To grant an admin role to this user, you can pass the same role name (Department) and role value (sde). If you pass in a different value or no value, the user will be granted the viewer role.

The Assertion mapping section displays fields to enter the assertion attribute role and values for configuring admin users.

Figure 4: Amazon Managed Grafana workspace assertion attributes for admin users

  1. Choose Save SAML configuration.

Step 4: Access the Amazon Managed Grafana workspace

You can access your Amazon Managed Grafana workspace in one of two ways.

Option 1:

Sign in to your identity provider’s user portal and choose the Amazon Managed Grafana application tile. You will be redirected to your Amazon Managed Grafana workspace. In this example, because the assertion attribute for the admin role matched, the user will be signed in to Amazon Managed Grafana as an admin.

The AMG workspace environment. The Configuration menu displays Data Sources, Users, Teams, Plugins, Preferences, and API Keys tabs.

Figure 5: Amazon Managed Grafana workspace for admins

Option 2:

Go to your Amazon Managed Grafana workspace and choose Grafana workspace URL. You will be redirected to the following page:

Figure 6: Amazon Managed Grafana redirection page for SAML authentication

Choose Sign in with SAML. You will be redirected to your identity provider’s user portal. Sign in with your identity provider credentials. You will be redirected to your Amazon Managed Grafana workspace. In this example, because the assertion attribute for the admin role matched, the user will be signed in to Amazon Managed Grafana as an admin.

Cleaning up

Based on your use-case and processes, if you are required to delete your un-used workspaces or identities in your IdP:

  1. Delete your un-used Amazon Managed Grafana workspaces by referring to Amazon Managed Grafana documentation.
  2. Delete or remove the Amazon Managed Grafana application configuration from your IdP portal. For this, refer to your specific IdP instructions for deleting the configuration.

Conclusion

In this blog post, we walked through the steps required to integrate your identity provider with Amazon Managed Grafana . We also explained how to assign users and appropriate roles through your identity provider so that your users can seamlessly authenticate into the Amazon Managed Grafana environment to visualize and monitor your workloads and logs. Administrators now have a single source of truth to manage their users. Users no longer need to manage another identity and password to sign in to their AWS accounts and applications.

About the author

Sunil Ramachandra

Sunil Ramachandra

Sunil is a Senior Technical Account Manager at AWS. As a principal technical advisor and ‘voice of the customer’ he helps organizations ranging from start-ups to Fortune 500 enterprises to innovate and operate their workloads on AWS. Sunil is passionate about building AWS integrations that enable Independent Software Vendors (ISVs). When not helping customers, Sunil enjoys spending time with his family, running, meditating and watching movies or originals on Prime Video.

Roy Rodan

Roy Rodan

Roy is a Senior Partner Solutions Architect at AWS focused on security and identity solutions. As part of his role he helps customers and partners build new secured products on AWS, he helps simplifying the identity and security world for AWS customers.