apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

SAML: add referemce to azure ad limitations (#87571)

Browse Source 
* update the url for Azure AD limitations

* add warnings of using Azure AD with SAML
pull/87629/head
linoman 1 year ago committed by GitHub
parent 329f4b1243
commit 926ee0f62e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 1 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 9
      docs/sources/setup-grafana/configure-security/configure-authentication/saml/index.md
  2. 2
      pkg/login/social/connectors/azuread_oauth.go

9
docs/sources/setup-grafana/configure-security/configure-authentication/saml/index.md
Unescape View File

@ -58,6 +58,15 @@ In terms of initiation, Grafana supports:
By default, SP-initiated requests are enabled. For instructions on how to enable IdP-initiated logins, see [IdP-initiated Single Sign-On (SSO)]({{< relref "#idp-initiated-single-sign-on-sso" >}}). By default, SP-initiated requests are enabled. For instructions on how to enable IdP-initiated logins, see [IdP-initiated Single Sign-On (SSO)]({{< relref "#idp-initiated-single-sign-on-sso" >}}).
{{% admonition type="warning" %}}
It is possible to setup Grafana with SAML authentication using Azure AD. However, Azure AD limits the number of groups that can be sent in the SAML assertion to 150. If you have more than 150 groups, Azure AD provides a link to retrieve the groups that only works for OIDC/OAuth workflows. At the moment it is not possible to use this link with SAML authentication in Grafana.
It is preferable to take this into consideration when setting up SAML authentication with Azure AD. We encourage the use of [Azure AD OAuth integration]({{< relref "../azuread" >}}) instead of SAML if you have more than 150 groups.
- [Azure AD SAML limitations](https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#groups-overage-claim)
{{% /admonition %}}
### Edit SAML options in the Grafana config file ### Edit SAML options in the Grafana config file
1. In the `[auth.saml]` section in the Grafana configuration file, set [`enabled`]({{< relref "../../../configure-grafana/enterprise-configuration#enabled" >}}) to `true`. 1. In the `[auth.saml]` section in the Grafana configuration file, set [`enabled`]({{< relref "../../../configure-grafana/enterprise-configuration#enabled" >}}) to `true`.

2
pkg/login/social/connectors/azuread_oauth.go
Unescape View File

@ -410,7 +410,7 @@ func (s *SocialAzureAD) groupsGraphAPIURL(claims *azureClaims, token *oauth2.Tok
// If no endpoint was specified or if the endpoints provided in _claim_source is pointing to the deprecated // If no endpoint was specified or if the endpoints provided in _claim_source is pointing to the deprecated
// "graph.windows.net" api, use an handcrafted url to graph.microsoft.com // "graph.windows.net" api, use an handcrafted url to graph.microsoft.com
// See https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview // See https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#groups-overage-claim
if endpoint == "" || strings.Contains(endpoint, "graph.windows.net") { if endpoint == "" || strings.Contains(endpoint, "graph.windows.net") {
tenantID := claims.TenantID tenantID := claims.TenantID
// If tenantID wasn't found in the id_token, parse access token // If tenantID wasn't found in the id_token, parse access token

Write Preview
Loading…
Cancel
Save