Yevhen Tienkaiev

Configure Grafana Cloud SAML to work with JumpCloud

JumpCloud SAML

Display Label: Grafana Cloud

IdP Entity ID: JumpCloud
SP Entity ID: https://bla.grafana.net/saml/metadata
ACS URL: https://bla.grafana.net/saml/acs
SAMLSubject NameID: email
SAMLSubject NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Signature Algorithm: RSA-SHA256
Sign Assertion: < checked >
Default Relay State: https://bla.grafana.net/
Login URL: https://bla.grafana.net/login
Declare Redirect Endpoint:  < checked >
IDP URL: https://sso.jumpcloud.com/saml2/bla1

User Attributes:
Service Provider Attribute Name: displayName ; JumpCloud Attribute Name: fullname
Service Provider Attribute Name: mail ; JumpCloud Attribute Name: email
Service Provider Attribute Name: username ; JumpCloud Attribute Name: username

GROUP ATTRIBUTES:
Include group attribute: group

Generate certificate

Use the official Grafana guide to generate the signing key (key.pem) and certificate (cert.pem); both files are uploaded in the next step.

Grafana Cloud SAML

General settings
Display name for this SAML 2.0 integration: JumpCloud
Allow signup: < checked >
Auto login: < checked >
Single logout: < unchecked >
Identity provider initiated login: < checked >
Relay state *: https://bla.grafana.net/
Max issue delay: 90s
Metadata valid duration: 48h

Key and certificate
Signing and encryption key and certificate (required): Base64-encoded content
Private key: < upload key.pem file from step Generate certificate>
Certificate: < upload cert.pem file from step Generate certificate >
Sign requests: < checked >
Signature algorithm: RSA-SHA256 (default)

Connect Grafana with Identity Provider
IdP's metadata: URL for metadata ; paste the Metadata URL copied from the JumpCloud SSO application

User mapping
Name attribute: displayName
Login attribute: username
Email attribute: mail
Groups attribute: < blank >
Role attribute: group
Org attribute: < blank >

Role mapping
Editor: developers
Admin: admins
Skip organization role sync: < unchecked >
Allowed organizations: < blank >
Name identifier format: Email address

Test and enable
Hit button "Save and Enable"

Nuances

  • Make sure that displayName carries a non-empty value: Grafana SAML does not accept an empty value for the name attribute. In practice this means every user in JumpCloud must have fullname set.
  • Example of how to map multiple groups to one role (comma-separated; quote values that contain spaces):
role_values_admin = DevOps,Admins
role_values_editor = Build,"Extra Engineering"
  • The IDP URL must be unique across all applications in your JumpCloud account.
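As an added check that is not part of the original post and not Grafana or JumpCloud code, the script below parses a constructed SAML assertion and verifies the mapping configured above: NameID in emailAddress format, non-empty displayName, mail and username attributes, and a group value resolved to Admin or Editor using the same comma-separated, double-quotable syntax as the role_values_* example. The sample assertion, the Viewer default and the highest-role-wins rule are assumptions of this example.

```python
import csv
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Grafana user mapping from the post; role_values_* reuse the post's syntax.
ATTR_NAME, ATTR_LOGIN, ATTR_EMAIL, ATTR_ROLE = "displayName", "username", "mail", "group"
ROLE_VALUES = {"Admin": "DevOps,Admins", "Editor": 'Build,"Extra Engineering"'}

# Constructed sample assertion (not a real JumpCloud response); signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group"><saml:AttributeValue>Extra Engineering</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_role_values(value):
    """Split a role_values_* string: commas separate, double quotes keep spaces."""
    return {v.strip() for v in next(csv.reader([value], skipinitialspace=True)) if v.strip()}


def check_assertion(assertion_xml):
    """Return (problems, mapped_user) for one assertion; problems is a list of findings."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems = []
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    for required in (ATTR_NAME, ATTR_LOGIN, ATTR_EMAIL):
        if not any(attrs.get(required, [])):   # catches the empty-displayName case
            problems.append(f"attribute {required} missing or empty")
    groups = set(attrs.get(ATTR_ROLE, []))
    role = "Viewer"                             # assumed default when no group matches
    for candidate in ("Admin", "Editor"):       # assumed: highest matching role wins
        if groups & parse_role_values(ROLE_VALUES[candidate]):
            role = candidate
            break
    first = {n: (attrs.get(n) or [""])[0] for n in (ATTR_LOGIN, ATTR_EMAIL, ATTR_NAME)}
    user = {"login": first[ATTR_LOGIN], "email": first[ATTR_EMAIL], "name": first[ATTR_NAME], "role": role}
    return problems, user
```

Run it against a decoded assertion captured from your own browser's SAML response to see which mapping step a failing login trips on.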