Configuring SAML SSO with Amazon Managed Grafana and PingOne

Learn how to configure SAML SSO for Amazon Managed Grafana and PingOne.

About this task

Amazon Managed Grafana only supports SP-initiated SSO that is initiated from the Grafana Workspace URL.

Configuring an Amazon Managed Grafana connection

Steps

  1. Set up the Amazon Managed Grafana application in PingOne:

    1. Go to Applications → Application Catalog.

    2. In the Application Catalog, search for Grafana.

    3. Expand the Amazon Managed Grafana entry and click Setup.

    4. Review the instructions to configure SAML with the Amazon Managed Grafana console.

    5. Click Continue to Next Step.

  2. In the ACS URL field, replace the ${namespace} and ${region} variables with your Grafana namespace and your AWS region.

  3. In the Entity ID field, replace the ${namespace} and ${region} variables with your Grafana namespace and your AWS region.

  4. Click Continue to Next Step.

Mapping Amazon Managed Grafana attributes

About this task

PingOne will automatically populate required SAML attributes.

For Amazon Managed Grafana, the required attributes are:

  • SAML_SUBJECT

  • mail

  • givenName

You must set SAML_SUBJECT to Name ID format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Steps

  1. In the Application Attribute field, enter the attribute name as it appears in the application.

  2. In the Identity Bridge Attribute or Literal Value field, choose one of the following.

    Choose from:

    • Enter or select a directory attribute to map to the application attribute.

    • Select As Literal, then enter a literal value to assign to the application attribute.

  3. Optional: To create advanced attribute mappings, click Advanced.

    Screen capture of PingOne SSO Attribute Mapping section with SAML_SUBJECT, mail, and displayName listed as Application Attributes.

  4. Click Continue to Next Step.

Customizing Amazon Managed Grafana boxes

Steps

  1. To change the application icon, click Select Image and upload a local image file.

    The image file must be:

    • PNG, GIF, or JPG format

    • 312 x 52 pixels maximum

    • 2 MB maximum file size

      Images are scaled to 64 x 64 pixels for display.

  2. To change the name of the application displayed on the dock, in the Name field, enter a new name.

  3. To change the description of the application, in the Description field, enter the new description.

  4. To change the category the application is assigned on the dock, in the Category list, select a category.

  5. Click Continue to Next Step.

Assigning Amazon Managed Grafana group access

About this task

The Group Access tab shows every user group that you’ve created.

Steps

  1. To add a group’s access to Amazon Managed Grafana, on the row for that group, click Add.

  2. To remove a group’s access, on the row for that group, click Remove.

  3. After you finish assigning groups, click Continue to Next Step.

Configuring Amazon Managed Grafana SAML

Steps

  1. In PingOne, on the Review Setup tab, either:

    Choose from:

    • Click Download to download the SAML metadata file.

    • Copy the PingOne SAML Metadata URL.

  2. Click Finish to add Amazon Managed Grafana to your PingOne dock.

  3. In the AWS Console, go to the Amazon Managed Grafana console.

  4. To import the SAML metadata into Amazon Managed Grafana, either:

    Choose from:

    • Use the PingOne SAML Metadata URL on the Amazon Managed Grafana connection summary page in PingOne.

    • Upload the SAML metadata file.

    Screen capture of the Amazon Managed Grafana SAML page with URL selected as the metadata import method.

Assigning Amazon Managed Grafana administrators

About this task

During authentication to Amazon Managed Grafana, you can optionally assign the Grafana Admin role to users by defining an admin role attribute and populating a PingOne SAML assertion attribute with the expected agreed-upon value.

For the example configuration, in PingOne, the memberOf attribute is mapped to the SAML assertion groups attribute. In Amazon Managed Grafana, the SAML assertion groups attribute is mapped to the Grafana admin role value, as shown in the following image.

Screen capture of Grafana Assertion mapping section.

Steps

  1. In your Amazon Managed Grafana workspace, go to SAML Configuration.

  2. In the Assertion mapping section, in the Assertion attribute role field, enter groups.

  3. Set the Admin role values to the PingOne group for Grafana admins.

    The example in step 7 uses GrafanaAdmins@directory. The @directory is appended to any PingOne group name.

  4. Optional: Set the Assertion attribute groups to groups and the Editor role values to the PingOne group for Grafana editors.

  5. Click Save SAML configuration.

  6. In PingOne, go to Amazon Managed Grafana application Attribute Mapping.

  7. Map PingOne’s memberOf attribute to the SAML assertion groups attribute.

    Screen capture of SSO Attribute Mapping section.

    Result:

    Users in the PingOne GrafanaAdmins group are Just-In-Time provisioned during authentication as Grafana admins, and users in the PingOne GrafanaEditors group are Just-In-Time provisioned during authentication as Grafana editors.
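The following script is an added example, not code from PingOne or Amazon Managed Grafana documentation. It checks a decoded SAML assertion against the mapping this guide configures: the transient NameID format required for SAML_SUBJECT (from the attribute-mapping section above), the mail and givenName attributes, and the groups attribute whose values select the Grafana role. It is useful when troubleshooting why a user was not provisioned as an admin, since it reproduces the role decision from the assertion content. The sample assertion is constructed inline; the editor role value GrafanaEditors@directory follows the @directory naming described in step 3, and falling back to Viewer for users in neither group is an assumption about the workspace default that the guide does not state. It inspects content only and does not verify the XML signature, which the service provider does on the real response.

```python
"""Check a decoded SAML assertion against the PingOne -> Amazon Managed Grafana
attribute mapping: transient NameID, mail and givenName, and a 'groups' attribute
whose values select the Grafana role. Content check only; no signature validation."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
REQUIRED_ATTRS = ("mail", "givenName")  # SAML_SUBJECT travels as the NameID, not as an Attribute

# Values entered in the workspace's Assertion mapping section. The admin value is the
# one the guide uses; the editor value is an assumption using the same <group>@directory naming.
ROLE_ATTR = "groups"
ADMIN_ROLE_VALUES = {"GrafanaAdmins@directory"}
EDITOR_ROLE_VALUES = {"GrafanaEditors@directory"}


def build_sample_assertion(groups, name_id_format=TRANSIENT, mail="jdoe@example.com"):
    """Constructed sample assertion (not captured from PingOne) carrying the mapped attributes."""
    group_values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="{name_id_format}">_opaque-transient-id</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>{mail}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ROLE_ATTR}">{group_values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract the NameID format and attribute values from a bare Assertion or a full Response."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    name_id = assertion.find("./saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("./saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("./saml:AttributeValue", NS)]
    return {
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "attributes": attributes,
    }


def check_assertion(parsed):
    """Return the mismatches against the mapping this guide configures (empty list = OK)."""
    problems = []
    if parsed["name_id_format"] != TRANSIENT:
        problems.append(f"NameID format is {parsed['name_id_format']!r}, expected transient")
    for name in REQUIRED_ATTRS:
        if not any(parsed["attributes"].get(name, [])):
            problems.append(f"required attribute {name!r} is missing or empty")
    if ROLE_ATTR not in parsed["attributes"]:
        problems.append(f"role attribute {ROLE_ATTR!r} is absent; no user would be mapped to Admin or Editor")
    return problems


def grafana_role(parsed):
    """Mirror the workspace role mapping: an admin value wins, then an editor value.
    Viewer as the fallback is an assumption about the workspace default."""
    groups = set(parsed["attributes"].get(ROLE_ATTR, []))
    if groups & ADMIN_ROLE_VALUES:
        return "Admin"
    if groups & EDITOR_ROLE_VALUES:
        return "Editor"
    return "Viewer"


if __name__ == "__main__":
    sample = parse_assertion(build_sample_assertion(["GrafanaAdmins@directory", "Everyone@directory"]))
    print("problems:", check_assertion(sample))
    print("role:", grafana_role(sample))
```

To use it on a real login, paste the base64-decoded SAMLResponse captured by your browser's developer tools into parse_assertion in place of the constructed sample; a non-empty list from check_assertion pinpoints which PingOne mapping differs from what the workspace expects.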