Grafana provides many ways to authenticate users. Some authentication integrations also enable syncing user permissions and org memberships.
The following table shows all supported authentication methods and the features available for them. [Team sync](../configure-team-sync/) and [active sync](enhanced-ldap/#active-ldap-synchronization) are only available in Grafana Enterprise.
The following table shows all supported authentication methods and the features available for them. [Team sync](../configure-team-sync/) and [active sync](ldap/enhanced-ldap/#active-ldap-synchronization) are only available in Grafana Enterprise.
| Authentication method | Multi Org Mapping | Enforce Sync | Role Mapping | Grafana Admin Mapping | Team Sync | Allowed groups | Active Sync | Skip OrgRole mapping | Auto Login | Single Logout |
@ -19,7 +19,7 @@ The LDAP integration in Grafana allows your Grafana users to login with their LD
group memberships and Grafana Organization user roles.
{{% admonition type="note" %}}
[Enhanced LDAP authentication](../enhanced-ldap/) is available in [Grafana Cloud](/docs/grafana-cloud/) and in [Grafana Enterprise](../../../../introduction/grafana-enterprise/).
[Enhanced LDAP authentication](enhanced-ldap/) is available in [Grafana Cloud](/docs/grafana-cloud/) and in [Grafana Enterprise](../../../../introduction/grafana-enterprise/).
{{% /admonition %}}
Refer to [Role-based access control](../../../../administration/roles-and-permissions/access-control/) to understand how you can control access with role-based permissions.
@ -160,7 +160,7 @@ Note that this does not work if you are using the single bind configuration outl
[Grafana Enterprise](../../../../introduction/grafana-enterprise/) users with [enhanced LDAP integration](../enhanced-ldap/) enabled can also see sync status in the debug view. This requires the `ldap.status:read` permission.
[Grafana Enterprise](../../../../introduction/grafana-enterprise/) users with [enhanced LDAP integration](enhanced-ldap/) enabled can also see sync status in the debug view. This requires the `ldap.status:read` permission.
| SCIM | ✅ | ✅ | ⚠️ | Full | Complete user and team lifecycle management with automatic team creation | Requires SAML authentication; uses Role Sync for basic roles | ✅ | ✅ |
| [Team Sync](../configure-team-sync/) | ❌ | ⚠️ | ❌ | Partial | Syncs team memberships to existing teams | Requires manual team creation; no team lifecycle management | ✅ | ✅ |
| [Active LDAP Sync](../configure-authentication/enhanced-ldap/) | ✅ | ❌ | ❌ | Full | Background synchronization of LDAP users | Limited to LDAP environments | ✅ | ❌ |
| [Active LDAP Sync](../configure-authentication/ldap/enhanced-ldap/) | ✅ | ❌ | ❌ | Full | Background synchronization of LDAP users | Limited to LDAP environments | ✅ | ❌ |
| [Role Sync](../configure-authentication/saml#configure-role-sync) | ❌ | ❌ | ✅ | Full | Full automation of basic role assignment | Limited to basic roles only | ✅ | ✅ |
| [Org Mapping](../configure-authentication/saml#configure-organization-mapping) | ❌ | ❌ | ⚠️ | Full | Full automation of basic role assignment per organization | Limited to basic roles only; on-premises only | ⚠️ | ❌ |
Vardan Torosyan
4 months ago