
I figured out how to get JumpCloud SSO working with AWS Grafana managed service, and thought I would make a post outlining the steps I went through to get it working. This is just what worked for me. I'm open to suggestions for improvements.

SSO (JumpCloud)

First, we need to set up the basic SSO between JumpCloud and Grafana. This will allow you to log into the Grafana service as a “viewer” but won’t provide “editor” or “admin” rights.

AWS Grafana Managed Service

Starting with the Grafana service, we have to create a new workspace and start to configure it.

  1. Create a new workspace - https://us-east-1.console.aws.amazon.com/grafana/home?region=us-east-1#/workspaces
  2. Click the “SAML Configuration” button
  3. Make note of the service provider (SP) URLs; these are the values you will enter in JumpCloud:
    1. Service provider identifier (Entity ID)
    2. Service provider reply URL (Assertion consumer service URL)
    3. Service provider login URL
  4. Update the assertions:
    1. Assertion attribute name: displayName
    2. Assertion attribute login: mail
    3. Assertion attribute email: mail
    4. Login validity duration (in minutes): 1440 - or whatever you want

JumpCloud Console

Next we move to the JumpCloud console and configure it using the values from the AWS Grafana setup.

  1. Create a new SSO application in JumpCloud
  2. Name it “Grafana” and choose a logo / color
  3. Use the following values:
    1. IdP Entity ID : JumpCloud
    2. SP Entity ID : Use the “Entity ID” URL from AWS Grafana (ends in “metadata”): https://g-zzzzzzz.grafana-workspace.us-east-1.amazonaws.com/saml/metadata
    3. ACS URL : Use the “Assertion consumer service URL” URL from AWS Grafana (ends in “acs”): https://g-zzzzzzzzzz.grafana-workspace.us-east-1.amazonaws.com/saml/acs
    4. SAMLSubject NameID : email
    5. SAMLSubject NameID Format : urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    6. Signature Algorithm : RSA-SHA256
    7. Sign Assertion : < checked >
    8. Default Relay State : < blank >
    9. Login URL: Use the “Service provider login URL” from AWS Grafana (ends in “login/saml”): https://g-zzzzzzzzzz.grafana-workspace.us-east-1.amazonaws.com/login/saml
    10. Declare Redirect Endpoint : < checked >
    11. IDP URL : https://sso.jumpcloud.com/saml2/grafana
    12. Attributes :
      1. Service Provider Attribute Name : displayName ; JumpCloud Attribute Name : displayname
      2. Service Provider Attribute Name : mail ; JumpCloud Attribute Name : email
  4. Save the changes
  5. Export the “metadata” XML file for the next step

AWS Grafana Managed Service

Go back to the Grafana console and finish up.

  1. Import the “metadata” XML file from JumpCloud
  2. Save the changes

Permissions

In order to access Grafana as an “editor” or an “admin” we need to do a couple of extra steps.

JumpCloud Console

We’re going to create some user groups to indicate Grafana editors and administrators, or you could use existing groups.

  1. Create 2 User Groups named “Grafana Admins” & “Grafana Editors”
  2. Update the “Users” section:
    1. In each group, add a Custom Attribute:
      1. Attribute Name: Grafana
      2. Attribute Value: Admin or Editor - depending on the role of these users
  3. Update the “Applications” section:
    1. Bind the group to the “Grafana” application
  4. Update the other aspects of the user group however you want to; add users, device groups, etc.

We also need to update the Grafana SSO application slightly to add a new attribute.

  1. Open the Grafana SSO application and choose the “SSO” panel.
  2. Under “Attributes” add a new attribute with these values:
    1. Service Provider Attribute Name : Grafana
    2. JumpCloud Attribute Name : Grafana

AWS Grafana Managed Service

Finally, we need to tell Grafana how to recognize “admins” and “editors”.

  1. Choose your workspace and open the SAML configuration
  2. Under “Map assertion attributes”:
    1. Assertion attribute role : Grafana
    2. Admin role values : Admin
  3. Under “Additional settings - optional”:
    1. Editor role values : Editor
  4. Save the config and you’re done.
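As an added example (not code from the original post), a short Python check that parses a SAML assertion and reports whether it carries what the configuration above expects: an emailAddress NameID, the displayName and mail attributes, and a Grafana role attribute whose values resolve to Admin, Editor or, failing both, Viewer. The sample assertion and the example.com identity are constructed; the Viewer fallback reflects the post's note that plain SSO only grants viewer access.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names and role values as configured in the post's AWS Grafana SAML settings.
NAME_ATTR, LOGIN_ATTR, ROLE_ATTR = "displayName", "mail", "Grafana"
ADMIN_VALUES, EDITOR_VALUES = {"Admin"}, {"Editor"}
# Constructed sample assertion (not a real JumpCloud response; signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Grafana"><saml:AttributeValue>Editor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(assertion_xml):
    """Return (NameID element, {attribute name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return nameid, attrs

def resolve_role(attrs):
    """Admin values win, then editor values; anything else is a plain Viewer."""
    values = set(attrs.get(ROLE_ATTR, []))
    if values & ADMIN_VALUES:
        return "Admin"
    if values & EDITOR_VALUES:
        return "Editor"
    return "Viewer"

def check_assertion(assertion_xml):
    """Flag anything that would break the mapping configured above."""
    nameid, attrs = parse_assertion(assertion_xml)
    problems = []
    if nameid is None or nameid.get("Format") != EMAIL_NAMEID:
        problems.append("NameID missing or not in emailAddress format")
    for required in (NAME_ATTR, LOGIN_ATTR):
        if not attrs.get(required):
            problems.append(f"missing attribute {required}")
    if ROLE_ATTR not in attrs:
        problems.append(f"no {ROLE_ATTR} attribute: user will only get Viewer")
    login = (attrs.get(LOGIN_ATTR) or [None])[0]
    return {"login": login, "role": resolve_role(attrs), "problems": problems}
```

Run `check_assertion` against an assertion captured with your browser's SAML tracer to confirm the attribute names JumpCloud actually sends match what the Grafana side is configured to read.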