Using JC SSO to authenticate to AWS Grafana

RNHurt
Novitiate III

I figured out how to get JumpCloud SSO working with the AWS Grafana managed service, and thought I would make a post outlining the steps I went through to get it working. This is just what worked for me. I'm open to suggestions for improvements.

SSO (JumpCloud)

First, we need to set up the basic SSO between JumpCloud and Grafana. This will allow you to log into the Grafana service as a “viewer” but won’t provide “editor” or “admin” rights.

AWS Grafana Managed Service

Starting with the Grafana service, we have to create a new workspace and start to configure it.

  1. Create a new workspace - https://us-east-1.console.aws.amazon.com/grafana/home?region=us-east-1#/workspaces
  2. Click the “SAML Configuration” button
  3. Make note of the IdP URLs
    1. Service provider identifier (Entity ID)
    2. Service provider reply URL (Assertion consumer service URL)
    3. Service provider login URL
  4. Update the assertions:
    1. Assertion attribute name: displayName
    2. Assertion attribute login: mail
    3. Assertion attribute email: mail
    4. Login validity duration (in minutes): 1440 - or whatever you want

JumpCloud Console

Next we move to the JumpCloud console and configure it using the values from the AWS Grafana setup.

  1. Create a new SSO application in JumpCloud
  2. Name it “Grafana” and choose a logo / color
  3. Use the following values:
    1. IdP Entity ID: JumpCloud
    2. SP Entity ID: Use the “Entity ID” URL from AWS Grafana (ends in “metadata”): https://g-zzzzzzz.grafana-workspace.us-east-1.amazonaws.com/saml/metadata
    3. ACS URL: Use the “Assertion consumer service URL” URL from AWS Grafana (ends in “acs”): https://g-zzzzzzzzzz.grafana-workspace.us-east-1.amazonaws.com/saml/acs
    4. SAMLSubject NameID: email
    5. SAMLSubject NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    6. Signature Algorithm: RSA-SHA256
    7. Sign Assertion: < checked >
    8. Default Relay State: < blank >
    9. Login URL: Use the “Service provider login URL” from AWS Grafana (ends in “login/saml”): https://g-zzzzzzzzzz.grafana-workspace.us-east-1.amazonaws.com/login/saml
    10. Declare Redirect Endpoint:  < checked >
    11. IDP URL: https://sso.jumpcloud.com/saml2/grafana
    12. Attributes:
      1. Service Provider Attribute Name: displayName ; JumpCloud Attribute Name: displayname
      2. Service Provider Attribute Name: mail ; JumpCloud Attribute Name: email
  4. Save the changes
  5. Export the “metadata” XML file for the next step

AWS Grafana Managed Service

Go back to the Grafana console and finish up.

  1. Import the “metadata” XML file from JumpCloud
  2. Save the changes

Permissions

In order to access Grafana as an “editor” or an “admin” we need to do a couple of extra steps.

JumpCloud Console

We’re going to create some user groups to indicate Grafana editors and administrators. Or you could use already existing groups.

  1. Create 2 User Groups named “Grafana Admins” & “Grafana Editors”
  2. Update the “Users” section:
    1. In each group, add a Custom Attribute:
      1. Attribute Name: Grafana
      2. Attribute Value: Admin or Editor - depending on the role of these users
  3. Update the “Applications” section:
    1. Bind the group to the “Grafana” application
  4. Update the other aspects of the user group however you want to; add users, device groups, etc.

We also need to update the Grafana SSO application slightly to add a new attribute.

  1. Open the Grafana SSO application and choose the “SSO” panel.
  2. Under “Attributes” add a new attribute with these values:
    1. Service Provider Attribute Name: Grafana
    2. JumpCloud Attribute Name: Grafana

AWS Grafana Managed Service

Finally, we need to tell Grafana how to recognize “admins” and “editors”.

  1. Choose your workspace and open the SAML configuration
  2. Under “Map assertion attributes”:
    1. Assertion attribute role: Grafana
    2. Admin role values: Admin
  3. Under “Additional settings - optional”:
    1. Editor role values: Editor
  4. Save the config and you’re done.
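As an added example (not from the original post, JumpCloud or AWS), the script below parses a SAML assertion carrying the attributes configured above and derives the Grafana role the same way the workspace mapping does (role attribute `Grafana`, admin value `Admin`, editor value `Editor`, otherwise Viewer), while checking that the assertion is signed and the NameID uses the emailAddress format. The sample assertion and the "admin values checked first" ordering are this example's own assumptions; Grafana itself verifies the signature, this only checks it is present.

```python
# Added example, not code from the post: read a SAML assertion's attributes and
# map them to a Grafana role using the settings described above.
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion mirroring the attribute names from the post.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_sample" Version="2.0">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Grafana"><saml:AttributeValue>Editor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Return (signed, nameid_format, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    signed = root.find("ds:Signature", NS) is not None
    nameid = root.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return signed, fmt, attrs

def grafana_role(attrs, role_attr="Grafana", admin_values=("Admin",), editor_values=("Editor",)):
    """Assumed ordering: admin values win, then editor values, else Viewer."""
    values = set(attrs.get(role_attr, []))
    if values & set(admin_values):
        return "Admin"
    if values & set(editor_values):
        return "Editor"
    return "Viewer"

def check_assertion(xml_text):
    """Apply the post's settings: signed assertion, email NameID, required attributes."""
    signed, fmt, attrs = parse_assertion(xml_text)
    problems = []
    if not signed:
        problems.append("assertion is not signed")
    if fmt != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    problems += [f"missing attribute {a}" for a in ("displayName", "mail") if a not in attrs]
    return {"login": attrs.get("mail", [None])[0], "role": grafana_role(attrs), "problems": problems}
```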

BScott
Community Manager

Thank you for sharing this, @RNHurt!
