Amazon Managed Grafana - Entra ID SAML Group Attribute
Recently I was tasked with investigating the process of integrating Entra ID with Amazon Managed Grafana through SAML. While this wasn't a challenging task, I did run into a few issues that I thought would be worth documenting for others.
Currently, the documentation on both the Entra ID and Amazon Managed Grafana sides lacks any practical examples of how to configure the SAML integration. More specifically, the number one use case I expect to see is configuring group-based access control to Grafana. This is a common use case, and I was surprised that there was no documentation on how to do this.
The existing guides that exist for configuring Amazon Managed Grafana with SAML are pretty good - so I won't be covering the entire process here. For reference:
- Tutorial: Microsoft Entra single sign-on (SSO) integration with Amazon Managed Grafana
- Amazon Managed Grafana supports direct SAML integration with identity providers
Once you have followed one of the guides above, you will probably notice what I mean by the lack of documentation/instructions on configuring an attribute for groups - and you are good to move on to the next steps, where I will cover how to do it!
Find the Entra ID Enterprise Application you created when configuring the SAML integration with Amazon Managed Grafana. In the Enterprise Application, click Single sign-on to see the Attributes & Claims section.
By default, when creating the Enterprise Application in Entra ID, the following attributes are created:
We will add a new attribute called groups, which will pass a list of Entra ID groups to Amazon Managed Grafana. Click Edit and then Add a group claim:
When asked which groups associated with the user should be returned, select Groups assigned to the application.
Also, confirm that the source attribute has Group ID selected.
Under Advanced options, make sure to select Customize the name of the group claim and enter groups as the name.
Now that we have created the groups attribute, we must assign some groups to the Enterprise Application. This is done by clicking Users and groups and then selecting the groups that you want to assign - in my case, I am assigning the grafana-editor groups. Take note of the Object ID for each group, as we will need this later.
Finally, we need to modify the SAML configuration in Amazon Managed Grafana to tell it to look for the groups attribute we created in Entra ID.
For the Assertion attribute role, change the value to groups to match the name of the attribute we created in Entra ID.
Also, provide the Entra ID Object ID for the group(s) you want to assign Admin permissions to.
Open Additional settings - optional and specify the Entra ID Object ID for the group(s) to which you want to assign Editor permissions in the Editor role values field.
That's it! You should now be able to log in to Amazon Managed Grafana using Entra ID and automatically assign your users to the correct group based on their Entra ID group membership.
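To see the whole chain end to end before testing a real login, here is an added example (my own code, not part of the original post or of Amazon's or Microsoft's tooling) that parses a constructed SAML assertion, pulls out the groups attribute, and resolves the Grafana role the way the Assertion attribute role, Admin role values and Editor role values settings are understood to work: a group matching the Admin values wins, then Editor, and anything else falls back to Viewer. The group Object IDs, the e-mail address and the assertion XML are constructed sample data, and the URI-style claim name used for the failure case is the name Entra ID emits when Customize the name of the group claim is left unchecked; treat the role-resolution order and the default Viewer fallback as assumptions to confirm against your own workspace.

```python
"""Added example: local check of how the SAML `groups` attribute becomes a
Grafana role. Not code from the original post; role order and the Viewer
fallback are assumptions, and all IDs and XML below are constructed samples.
"""
import xml.etree.ElementTree as ET  # parse real IdP responses with defusedxml instead

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample Object IDs standing in for the Entra ID groups.
ADMIN_GROUP_ID = "11111111-aaaa-4bbb-8ccc-000000000001"
EDITOR_GROUP_ID = "22222222-aaaa-4bbb-8ccc-000000000002"

# Claim name Entra ID uses when the group claim name is not customised (assumption).
DEFAULT_GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def build_assertion(group_claim_name: str, group_ids: list[str]) -> str:
    """Return the AttributeStatement part of a constructed SAML assertion."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_ids)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>'
        '<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">'
        "<saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>"
        f'<saml:Attribute Name="{group_claim_name}">{values}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


def saml_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Map each SAML Attribute Name to the list of its AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    attributes: dict[str, list[str]] = {}
    for attribute in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attribute.findall(f"{{{SAML_NS}}}AttributeValue")]
        attributes[attribute.get("Name", "")] = values
    return attributes


def resolve_grafana_role(attributes, role_attribute, admin_values, editor_values) -> str:
    """Admin if any group is in the Admin values, else Editor, else Viewer (assumed order)."""
    groups = set(attributes.get(role_attribute, []))
    if groups & set(admin_values):
        return "Admin"
    if groups & set(editor_values):
        return "Editor"
    return "Viewer"


def check_role_attribute(attributes, role_attribute) -> list[str]:
    """Explain why a login would silently land in Viewer."""
    problems = []
    if role_attribute not in attributes:
        problems.append(f"assertion carries no attribute named {role_attribute!r}")
        for name in attributes:
            if name.endswith("/claims/groups"):
                problems.append(f"found {name!r} instead; customise the group claim name in Entra ID")
    elif not attributes[role_attribute]:
        problems.append(f"{role_attribute!r} is present but empty; assign the groups to the Enterprise Application")
    return problems


if __name__ == "__main__":
    good = saml_attributes(build_assertion("groups", [ADMIN_GROUP_ID, EDITOR_GROUP_ID]))
    print(resolve_grafana_role(good, "groups", {ADMIN_GROUP_ID}, {EDITOR_GROUP_ID}))  # Admin
    # Claim name left at the Entra ID default: Grafana never sees "groups".
    stale = saml_attributes(build_assertion(DEFAULT_GROUP_CLAIM, [ADMIN_GROUP_ID]))
    print(resolve_grafana_role(stale, "groups", {ADMIN_GROUP_ID}, {EDITOR_GROUP_ID}))  # Viewer
    print(check_role_attribute(stale, "groups"))
```

The second case is the symptom to expect if the Customize the name of the group claim step is skipped: the assertion is valid and the login succeeds, but every user ends up as Viewer because the attribute name does not match the Assertion attribute role value. To check a real workspace, decode the SAML response captured by a browser SAML tracer and feed it to saml_attributes in place of the constructed sample.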