SAML: Add teamsync details and example (#59624)

doc: saml fixes
3 years ago · 6762aaba56
parent 22be025284
commit 6762aaba56
1 changed files with 34 additions and 0 deletions
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/index.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/saml/index.md
@ -278,6 +278,40 @@ By default, new Grafana users using SAML authentication will have an account cre

 To use SAML Team sync, set [`assertion_attribute_groups`]({{< relref "../../../configure-grafana/enterprise-configuration/#assertion-attribute-groups" >}}) to the attribute name where you store user groups. Then Grafana will use attribute values extracted from SAML assertion to add user into the groups with the same name configured on the External group sync tab.

+> **Note:** Teamsync allows you sync users from SAML to Grafana teams. It does not automatically create teams in Grafana. You need to create teams in Grafana before you can use this feature.
+
+Given the following partial SAML assertion:
+
+```xml
+<saml2:Attribute
+    Name="groups"
+    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
+    <saml2:AttributeValue
+        xmlns:xs="http://www.w3.org/2001/XMLSchema"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:type="xs:string">admins_group
+    </saml2:AttributeValue>
+    <saml2:AttributeValue
+        xmlns:xs="http://www.w3.org/2001/XMLSchema"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:type="xs:string">division_1
+    </saml2:AttributeValue>
+</saml2:Attribute>
+```
+
+The configuration would look like this:
+
+```ini
+[auth.saml]
+# ...
+assertion_attribute_groups = groups
+```
+
+The following `External Group ID`s would be valid for input in the desired team's _External group sync_ tab:
+
+- `admins_group`
+- `division_1`
+
 [Learn more about Team Sync]({{< relref "../../configure-team-sync/" >}})

 ### Configure role sync