Creating a SAML application in Yandex Identity Hub for integration with Grafana Cloud
Note
This feature is at the Preview stage.
Grafana Cloud is a managed cloud monitoring and observability platform that brings together Grafana, Prometheus, Loki, and other tools for data visualization and analysis. Grafana Cloud supports SAML authentication to provide secure SSO for your organization's users.
To authenticate your organization's users to Grafana Cloud via SAML SSO, create a SAML app in Identity Hub and configure it appropriately both in Identity Hub and Grafana Cloud.
SAML apps can be managed by users with the organization-manager.samlApplications.admin role or higher.
For the users of your organization to be able to access Grafana Cloud:
- Create a Grafana Cloud account.
- Create an app.
- Set up the integration.
- Make sure the application works correctly.
Create a Grafana Cloud account
If you do not have a Grafana Cloud account, create one:
- Go to the Grafana Cloud sign up page.
- Fill out the registration form:
- Enter your email address.
- Create a secure password.
- Click Create my account.
- Verify your new account by following the instructions sent to the email address you provided.
- Select a name for your organization; this name will be part of your instance's URL, e.g.,
your-org. - Once logged in, make sure you have administrator permissions to configure SAML in Grafana Cloud.
Note
To configure SAML in Grafana Cloud, you need organization administrator permissions. If you do not have the required permissions, contact your organization's administrator in Grafana Cloud.
Create an app
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps.
- In the top-right corner, click Create application and in the window that opens:
-
Select the SAML (Security Assertion Markup Language) single sign-on method.
-
In the Name field, specify a name for your new app:
grafana-cloud-app. -
Optionally, in the Description field, enter a description for the new app.
-
Optionally, add labels:
- Click Add label.
- Enter a label in
key: valueformat. - Press Enter.
-
Click Create application.
-
Set up integration
To integrate Grafana Cloud with the SAML app you created in Identity Hub, complete the setup both on the Grafana Cloud side and in Identity Hub.
Set up the SAML application in Grafana Cloud
- To configure SAML authentication in Grafana Cloud, in the left-hand panel, navigate to Administration and then to Authentication.
- In the main window, select SAML.
Then complete the steps below:
General settings
Make sure to enable the Allow signup option to automatically create users in Grafana Cloud when they log in via SSO. If this option is disabled, only users who already have a Grafana Cloud account will be able to log in.
Signing requests
Configure a certificate to sign outgoing requests.
Tip
Yandex Identity Hub does not currently support request signature verification, so we recommend you leave the Sign requests option disabled.
Connecting Grafana to the IdP
Configure a link between Grafana Cloud and Identity Hub:
-
Under Configure IdP using Grafana metadata, copy and save the endpoint addresses for receiving metadata (Metadata URL) and sending user authentication requests (Assertion Consumer Service URL). You will need the latter in later steps when setting up integration in Identity Hub.
-
Configure the endpoint address to receive metadata from Identity Hub:
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps and then, the SAML app.
- On the Overview tab, under Identity provider (IdP) configuration, copy the Metadata URL field value.
- Return to Grafana Cloud and under Finish configuring Grafana using IdP data, paste the copied address into the Metadata URL field.
Mapping user attributes
Set up mapping between user object fields in Grafana Cloud and Identity Hub:
-
Under Assertion attributes mappings, specify:
- Name attribute:
fullname - Login attribute:
login - Email attribute:
emailaddress
- Name attribute:
-
If you want Grafana Cloud users to get one of the basic roles (Viewer, Editor, Admin) when they log in, add the user group attribute. To do this, select
groupsin the Role attribute field.Note
If you do not configure role mapping, all users will log in with the default
Viewerrole.Next, under Role mapping, specify the names of the groups whose users will receive the appropriate roles. Here is an example:
- Under Viewer:
grafana-viewer - Under Editor:
grafana-editor - Under Admin:
grafana-admin
You will need to create the groups when setting up the app in Identity Hub.
- Under Viewer:
-
Below, in the Name identifier format field, select
Email address.To view and configure user attribute names in Identity Hub, use the Attributes tab in your application.
-
Save the settings by clicking Save and enable.
Set up the SAML application in Yandex Identity Hub
Set up service provider endpoints
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps and then, the SAML app.
- At the top right, click Edit and in the window that opens:
- In the **SP EntityID ** field, paste the endpoint address you copied from the Metadata URL field in the third step when setting up the integration in Grafana Cloud.
- In the ACS URL field, paste the endpoint address you copied from the Assertion Consumer Service URL field in the third step of setting up the integration in Grafana Cloud.
- Click Save.
Configure user attributes
Warning
For integration with Grafana Cloud, users need the login attribute.
If users do not have the login attribute, add it:
-
Log in to Yandex Identity Hub.
-
In the left-hand panel, select Apps and select the desired app.
-
Navigate to the Attributes tab.
-
In the top-right corner, click Add attribute and in the window that opens:
- In the Attribute name field, enter
login. - In the Value field, select
SubjectClaims.preferred_username. - Click Add.
- In the Attribute name field, enter
If you have configured role mapping in Grafana Cloud, add the user group attribute. To do this:
- In the top-right corner, click Add group attribute and in the window that opens.
- In the Transmitted groups field, select
Assigned groups only. - Click Add.
For more information about configuring attributes, see Configure user and group attributes.
Add a user
For your organization's users to be able to authenticate in Grafana Cloud with Identity Hub's SAML app, you need to explicitly add these users and/or user groups to the SAML application.
Note
Users and groups added to a SAML application can be managed by a user with the organization-manager.samlApplications.userAdmin role or higher.
-
If you have configured role mapping in Grafana Cloud, create the groups as needed:
Cloud Center UI- Log in to Yandex Identity Hub.
- In the left-hand panel, select Groups.
- In the top-right corner of the page, click Create group.
- Enter a name, e.g.,
grafana-viewer. - Click Create group.
- Add users to the group:
- Navigate to the Members tab.
- Click Add member.
- In the window that opens, select the required users.
- Click Save.
Similarly, create the
grafana-editorandgrafana-admingroups. -
Add users to the application:
Cloud Center UI- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps and select the required app.
- Navigate to the Users and groups tab.
- Click Add users.
- In the window that opens, select the required user or user group.
- Click Add.
Make sure your application works correctly
To make sure both your SAML app and Grafana Cloud integration work correctly, authenticate to Grafana Cloud as one of the users you added to the app. To do this:
- In your browser, navigate to the address of your Grafana Cloud instance, e.g.,
https://your-org.grafana.net. - If you were logged in to Grafana Cloud, log out.
- On the Grafana Cloud sign in page, click Sign in with SAML.
- On the Yandex Cloud sign in page, enter the user email and password. The user or group they belong to must be added to the application.
- Make sure you are logged in to Grafana Cloud.
- If you have configured role mapping, go to the user profile in Grafana Cloud and make sure the appropriate role is displayed under Organization.