During authentication to Amazon Managed Grafana, you can optionally assign the Grafana Admin role to users by defining an admin role attribute and populating a PingOne SAML assertion attribute with the agreed-upon value.

For the example configuration, in PingOne, the memberOf attribute is mapped to the SAML assertion groups attribute. In Amazon Managed Grafana, the SAML assertion groups attribute is mapped to the Grafana admin role value, as shown in the following image.

Screen capture of Grafana Assertion mapping section.

  1. In your Amazon Managed Grafana workspace, go to SAML Configuration.
  2. In the Assertion mapping section, in the Assertion attribute role field, enter groups.
  3. Set the Admin role values to the PingOne group for Grafana admins.
    Note: The example in step 7 uses GrafanaAdmins@directory. The @directory suffix is appended to any PingOne group name.

  4. Optional: Set the Assertion attribute groups to groups and the Editor role values to the PingOne group for Grafana editors.
  5. Click Save SAML configuration.
  6. In PingOne, go to the Attribute Mapping for the Amazon Managed Grafana application.
  7. Map PingOne's memberOf attribute to the SAML assertion groups attribute.
    Screen capture of PingOne SSO Attribute Mapping section.

    Users in the PingOne GrafanaAdmins group are Just-In-Time provisioned during authentication as Grafana admins, and users in the PingOne GrafanaEditors group are Just-In-Time provisioned during authentication as Grafana editors.
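
To check the mapping before relying on it, the following added example (not part of the original procedure or of either product) models how the groups attribute in an assertion resolves to a role and flags role values that lack the @directory suffix. The function names, the sample assertion, exact case-sensitive matching, and Admin taking precedence over Editor are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample fragment, not captured from a real PingOne tenant.
# Parse only assertions from your own test logins; no signature check is done here.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>GrafanaEditors@directory</saml:AttributeValue>
      <saml:AttributeValue>GrafanaAdmins@directory</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, name):
    """Return every value of the named SAML attribute, whitespace-trimmed."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == name:
            for value in attr.findall(f"{{{SAML}}}AttributeValue"):
                values.append((value.text or "").strip())
    return values


def resolve_role(assertion_xml, role_attribute, admin_values, editor_values):
    """Model the role mapping (assumed: exact match, Admin checked before Editor)."""
    presented = set(attribute_values(assertion_xml, role_attribute))
    if presented & set(admin_values):
        return "Admin"
    if presented & set(editor_values):
        return "Editor"
    return None  # neither configured role value was presented


def missing_suffix(configured_values, suffix="@directory"):
    """List configured role values that omit the suffix PingOne appends to group names."""
    return [v for v in configured_values if not v.endswith(suffix)]


if __name__ == "__main__":
    admins, editors = ["GrafanaAdmins@directory"], ["GrafanaEditors@directory"]
    print(resolve_role(SAMPLE_ASSERTION, "groups", admins, editors))
    print(missing_suffix(["GrafanaAdmins"] + editors))
```

A role value entered without @directory never matches the value PingOne sends, so a user in both groups would resolve to Editor instead of Admin.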