---
title: Configuring SAML SSO with Amazon Managed Grafana and PingOne
description: Learn how to configure SAML SSO for Amazon Managed Grafana and PingOne.
component: configuration_guides
page_id: configuration_guides:amazon:config_saml_amazonmanagedgrafana_p1
canonical_url: https://docs.pingidentity.com/configuration_guides/amazon/config_saml_amazonmanagedgrafana_p1.html
revdate: May 6, 2024
section_ids:
  about-this-task: About this task
  configuring-an-amazon-managed-grafana-connection: Configuring an Amazon Managed Grafana connection
  steps: Steps
  mapping-amazon-managed-grafana-attributes: Mapping Amazon Managed Grafana attributes
  about-this-task-2: About this task
  steps-2: Steps
  choose-from: Choose from:
  customizing-amazon-managed-grafana-boxes: Customizing Amazon Managed Grafana boxes
  steps-3: Steps
  assigning-amazon-managed-grafana-group-access: Assigning Amazon Managed Grafana group access
  about-this-task-3: About this task
  steps-4: Steps
  configuring-amazon-managed-grafana-saml: Configuring Amazon Managed Grafana SAML
  steps-5: Steps
  choose-from-2: Choose from:
  choose-from-3: Choose from:
  assigning-amazon-managed-grafana-administrators: Assigning Amazon Managed Grafana administrators
  about-this-task-4: About this task
  steps-6: Steps
  result: Result:
---

# Configuring SAML SSO with Amazon Managed Grafana and PingOne

Learn how to configure SAML SSO for Amazon Managed Grafana and PingOne.

## About this task

|   |                                                                                                         |
| - | ------------------------------------------------------------------------------------------------------- |
|   | Amazon Managed Grafana only supports SP-initiated SSO that is initiated from the Grafana Workspace URL. |

## Configuring an Amazon Managed Grafana connection

### Steps

1. Set up the Amazon Managed Grafana application in PingOne:

   1. Go to **Applications → Application Catalog**.

   2. In the **Application Catalog**, search for `Grafana`.

   3. Expand the **Amazon Managed Grafana** entry and click **Setup**.

   4. Review the instructions to configure SAML with the Amazon Managed Grafana console.

   5. Click **Continue to Next Step**.

2. In the **ACS URL** field, replace the `${namespace}` and `${region}` variables with your Grafana namespace and your AWS region.

3. In the **Entity ID** field, replace the `${namespace}` and `${region}` variables with your Grafana namespace and your AWS region.

4. Click **Continue to Next Step**.

## Mapping Amazon Managed Grafana attributes

### About this task

PingOne will automatically populate required SAML attributes.

For Amazon Managed Grafana, the required attributes are:

* `SAML_SUBJECT`

* `mail`

* `givenName`

|   |                                                                                                      |
| - | ---------------------------------------------------------------------------------------------------- |
|   | You must set `SAML_SUBJECT` to Name ID format: `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` |

### Steps

1. In the **Application Attribute** field, enter the attribute name as it appears in the application.

2. In the **Identity Bridge Attribute or Literal Value** field, choose one of the following.

   #### Choose from:

   * Enter or select a directory attribute to map to the application attribute.

   * Select **As Literal**, then enter a literal value to assign to the application attribute.

3. **Optional:** To create advanced attribute mappings, click **Advanced**.

   ![Screen capture of PingOne SSO Attribute Mapping section with SAML\_SUBJECT, mail, and displayName listed as Application Attributes.](_images/qmw1638829973125.png)

4. Click **Continue to Next Step**.

## Customizing Amazon Managed Grafana boxes

### Steps

1. To change the application icon, click **Select Image** and upload a local image file.

   The image file must be:

   * PNG, GIF, or JPG format

   * 312 x 52 pixels maximum

   * 2 MB maximum file size

     |   |                                                  |
     | - | ------------------------------------------------ |
     |   | Images are scaled to 64 X 64 pixels for display. |

2. To change the name of the application displayed on the dock, in the **Name** field, enter a new name.

3. To change the description of the application, in the **Description** field, enter the new description.

4. To change the category the application is assigned on the dock, in the **Category** list, select a category.

5. Click **Continue to Next Step**.

## Assigning Amazon Managed Grafana group access

### About this task

The **Group Access** tab shows every user group that you've created.

### Steps

1. To add a group's access to Amazon Managed Grafana, on the row for that group, click **Add**.

2. To remove a group's access, on the row for that group, click **Remove**.

3. After you finish assigning groups, click **Continue to Next Step**.

## Configuring Amazon Managed Grafana SAML

### Steps

1. In PingOne, on the **Review Setup** tab, either:

   #### Choose from:

   * Click **Download** to download the SAML metadata file.

   * Copy the PingOne SAML Metadata URL.

2. Click **Finish** to add Amazon Managed Grafana to your PingOne dock.

3. In the AWS Console, go to the Amazon Managed Grafana console.

4. To import the SAML metadata into Amazon Managed Grafana, either:

   #### Choose from:

   * Use the PingOne **SAML Metadata URL** on the Amazon Managed Grafana connection summary page in PingOne.

   * Upload the SAML metadata file.

   ![Screen capture of the Amazon Managed Grafana SAML page with URL selected as the metadata import method.](_images/ljd1638829896395.png)

## Assigning Amazon Managed Grafana administrators

### About this task

During authentication to Amazon Managed Grafana, you can optionally assign the Grafana Admin role to users by defining an admin role attribute and populating a PingOne SAML assertion attribute with the expected agreed-upon value.

For the example configuration, in PingOne, the **memberOf** attribute is mapped to the SAML assertion **groups** attribute. In Amazon Managed Grafana, the SAML assertion **groups** attribute is mapped to the Grafana admin role value, as shown in the following image.

![Screen capture of Grafana Assertion mapping section.](_images/tsh1638830072661.png)

### Steps

1. In your Amazon Managed Grafana workspace, go to **SAML Configuration**.

2. In the **Assertion mapping** section, in the **Assertion attribute role** field, enter `groups`.

3. Set the **Admin role values** to the PingOne group for Grafana admins.

   |   |                                                                                                            |
   | - | ---------------------------------------------------------------------------------------------------------- |
   |   | The example in step 7 uses GrafanaAdmins\@directory. The @directory is appended to any PingOne group name. |

4. **Optional:** Set **Assertion attribute groups** to **groups** and **Editor role values** to the PingOne group for Grafana editors.

5. Click **Save SAML configuration**.

6. In PingOne, go to **Amazon Managed Grafana application Attribute Mapping**.

7. Map PingOne's **memberOf** attribute to the SAML assertion **groups** attribute.

   ![Screen capture of SSO Attribute Mapping section.](_images/ytt1638830176983.png)

   #### Result:

   Users in the PingOne **GrafanaAdmins** group are Just-In-Time provisioned during authentication as Grafana admins, and users in the PingOne **GrafanaEditors** group are Just-In-Time provisioned during authentication as Grafana editors.
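
The following is an added example, not part of the PingOne documentation: it checks a decoded assertion against the mapping this guide sets up (transient Name ID, `mail`, `givenName`, and the `groups` role values with their `@directory` suffix). The sample assertion is constructed, `review_assertion` is a hypothetical helper, and treating an admin match as winning over an editor match is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
REQUIRED = ("mail", "givenName")  # SAML_SUBJECT is carried as the NameID

# Constructed sample assertion (not from a real tenant; signature omitted).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alex@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>GrafanaAdmins@directory</saml:AttributeValue>
      <saml:AttributeValue>Staff@directory</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def review_assertion(xml_text, admin_values, editor_values=(), role_attr="groups"):
    """Return (problems, role) for one decoded assertion."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        problems.append("NameID is missing or not in transient format")
    attrs = {
        a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
        for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    for name in REQUIRED:
        if not any(attrs.get(name, [])):
            problems.append(f"required attribute {name!r} is missing or empty")
    groups = set(attrs.get(role_attr, []))
    # A configured role value without the suffix never matches what PingOne sends.
    for value in (*admin_values, *editor_values):
        if not value.endswith("@directory"):
            problems.append(f"role value {value!r} lacks the @directory suffix")
    if groups & set(admin_values):
        role = "Admin"    # assumption: an admin match wins over an editor match
    elif groups & set(editor_values):
        role = "Editor"
    else:
        role = None       # no configured role value matched
    return problems, role
```

A result with an empty problem list and the expected role confirms that the PingOne attribute mapping and the Grafana **Assertion mapping** values agree; the check does not verify the assertion's signature.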
