This topic contains procedures to configure Amazon Managed Grafana for Single Sign-On (SSO) in CyberArk Identity using SAML.
With CyberArk Identity as your identity service, your users can have single sign-on (SSO) access to the Amazon Managed Grafana web application with SP-initiated SAML SSO (SSO access started directly from the Amazon Managed Grafana sign-in page).
Amazon Managed Grafana SSO supported features
This application template supports SP-initiated single sign-on only. IdP-initiated sign-in (launching the application from the CyberArk Identity User Portal) is not supported.
Prerequisites for Amazon Managed Grafana SSO
An AWS account root user. Note that AWS recommends against using the root user for routine administration; an IAM identity with permission to update the workspace's authentication settings can configure SAML as well.
Access to the Amazon Managed Grafana workspace with permission to edit its SAML configuration.
The following procedure describes the steps in the Identity Administration portal needed to configure the Amazon Managed Grafana app template for SSO.
Step 1: Add the Amazon Managed Grafana web app template.
In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.
On the Search page, enter the application name in the Search field and click the search button.
Next to the application name, click Add.
On the Add Web App page, click Yes to confirm.
Click Close to exit the Application Catalog.
The application opens to the Settings page.
Step 2: Configure the Settings page.
Set an app name, description, and logo if you want to change them.
Under Advanced, uncheck Show in user app list. This option only applies to IdP-initiated sign-in, and this application template supports SP-initiated sign-in only.
The URL shown here is used later when you configure the SAML integration in the Amazon Managed Grafana workspace.
Assertion Consumer Service (ACS) URL: must match the service provider reply URL from the Amazon Managed Grafana workspace.
Sign Response or Assertion?: set to Assertion.
NameID Format: set to emailAddress.
Verify the attribute mappings: the Amazon Managed Grafana attribute name is in the Attribute Name column and the CyberArk Identity attribute is in the Attribute Value column. Attribute names are case-sensitive, so a name that differs from what the workspace expects only in case is not matched.
Grant SSO access to Amazon Managed Grafana by assigning permissions to users, groups, or roles.
To grant Amazon Managed Grafana admin access, create a role in CyberArk Identity whose name exactly matches the admin role value that the Amazon Managed Grafana workspace expects in the SAML role attribute. When you populate that role's membership in CyberArk Identity, those users are mapped to the Amazon Managed Grafana admin role through the default attribute mappings on the SAML Response page.
On the Permissions page, click Add.
Select the user(s), group(s), or role(s) that you want to grant permissions to, then click Add.
The added object displays on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.
Select the permissions you want and click Save.
Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Do not select that option if you intend to use only SP-initiated SSO.
Change the permissions if you want to add additional control or if you prefer not to automatically deploy the application.
Step 6: Review and save.
Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.
The following procedure describes the steps in the Amazon Managed Grafana workspace needed to configure the Amazon Managed Grafana app template for SSO.
Sign in to the Amazon Managed Grafana workspace with your AWS account root user (or an IAM identity with permission to update the workspace's authentication settings).
Click SAML Configuration.
Click Save SAML Configuration to complete the SSO configuration in Amazon Managed Grafana.
Test the Amazon Managed Grafana SSO configuration
Now that you have finished configuring the application template settings in the Identity Administration portal and the Amazon Managed Grafana workspace, Amazon Managed Grafana users can benefit from SP-initiated SSO.
Enter the Amazon Managed Grafana sign-in page URL in your browser.
Click Sign In with SAML.
If you are already signed in to CyberArk Identity, you are redirected to the Amazon Managed Grafana user dashboard.
If you are not signed in to CyberArk Identity, you are redirected to the CyberArk Identity sign-in page, and then redirected to the Amazon Managed Grafana user dashboard after successful authentication.
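When the test above fails, or when you want evidence that what CyberArk Identity actually sends matches the Settings page (ACS URL, Sign Assertion rather than Response, NameID format emailAddress, case-sensitive attribute names, and the admin role mapping), it helps to inspect the SAMLResponse itself. The following Python script is an added example and is not code from the CyberArk Identity or Amazon Managed Grafana documentation. It decodes a captured SAMLResponse (for example from a browser SAML tracer extension) and reports each mismatch. The ACS URL, the attribute names mail and role, and the role name GrafanaAdmins are placeholders chosen for the example; substitute the reply URL and attribute names your workspace shows. It checks XML structure only and does not verify the signature cryptographically.

```python
"""Check a captured SAMLResponse against the settings this page requires.

Added example, not part of the CyberArk Identity or Amazon Managed Grafana
documentation. Structure only: signature cryptography is not verified here.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholder values (assumptions, not taken from the page): substitute the
# reply URL shown in your workspace and the attribute names it expects.
ACS_URL = "https://g-example.grafana-workspace.us-east-1.amazonaws.com/saml/acs"
REQUIRED_ATTRIBUTES = ["mail", "role"]
ROLE_ATTRIBUTE = "role"
ADMIN_ROLE_VALUE = "GrafanaAdmins"   # name of the CyberArk Identity role for admins


def parse_attributes(assertion):
    """Return {Name: [values]} from the AttributeStatement, preserving case."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_saml_response(saml_response_b64, acs_url=ACS_URL,
                        required_attributes=REQUIRED_ATTRIBUTES,
                        role_attribute=ROLE_ATTRIBUTE,
                        admin_role_value=ADMIN_ROLE_VALUE):
    """Return a list of findings; an empty list means every setting matched."""
    findings = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["Decoded document is not a samlp:Response"]
    # ACS URL: the IdP must post to the workspace's reply URL
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["No plaintext saml:Assertion found (encrypted or missing)"]
    # "Sign Response or Assertion? = Assertion": ds:Signature must sit inside the Assertion
    if assertion.find("ds:Signature", NS) is None:
        where = "the Response" if root.find("ds:Signature", NS) is not None else "nothing"
        findings.append(f"Assertion is not signed ({where} is signed instead)")
    # "NameID Format = emailAddress"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID is missing or its Format is not emailAddress")
    # Attribute names are case-sensitive: report near misses separately
    attrs = parse_attributes(assertion)
    lowered = {name.lower(): name for name in attrs}
    for name in required_attributes:
        if name in attrs:
            continue
        if name.lower() in lowered:
            findings.append(f"Attribute {name!r} was sent as {lowered[name.lower()]!r}; names are case-sensitive")
        else:
            findings.append(f"Attribute {name!r} is missing from the assertion")
    # Admin mapping: the CyberArk Identity role name must arrive in the role attribute
    if admin_role_value not in attrs.get(role_attribute, []):
        findings.append(f"Role attribute {role_attribute!r} does not carry {admin_role_value!r}; "
                        "user is not mapped to the admin role")
    return findings


def build_sample_response(attributes, sign_assertion=True, name_id_format=EMAIL_FORMAT):
    """Constructed test input with a dummy ds:Signature element (not a real signature)."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>dummy</ds:SignatureValue></ds:Signature>')
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes.items())
    doc = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{ACS_URL}">'
        + ("" if sign_assertion else sig)
        + "<saml:Assertion>" + (sig if sign_assertion else "")
        + f'<saml:Subject><saml:NameID Format="{name_id_format}">alice@example.com</saml:NameID></saml:Subject>'
        + f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(doc.encode()).decode()


# Constructed samples: one matching the page's settings, one with common mistakes
GOOD_RESPONSE = build_sample_response({"mail": "alice@example.com", "role": "GrafanaAdmins"})
BAD_RESPONSE = build_sample_response({"Mail": "alice@example.com", "role": "Viewers"},
                                     sign_assertion=False)

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_saml_response(resp) or ["OK"])
```

Run it as-is to see the constructed good and bad samples, then replace the sample with the base64 SAMLResponse captured from your own browser. The case-sensitivity check deliberately distinguishes an attribute sent under the wrong case (Mail instead of mail) from one that is absent, because the two have different fixes in the Identity Administration portal.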