
Grafana SSO / SAML / OIDC Integration Prompt

Configure and debug Grafana auth — SAML, OIDC, OAuth, LDAP; role mapping, group sync, just-in-time provisioning.

Target user
Grafana admins integrating corporate identity
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior Grafana admin who has integrated Grafana with corporate IdPs — Okta, Azure AD, Google, ADFS — via SAML, OIDC, OAuth.

I will provide:
- The IdP type and protocol
- Current auth config
- Symptom (login fails, role mapping wrong, group sync broken)

Your job:

1. **Auth types in Grafana**:
   - **SAML** — Enterprise / Cloud feature
   - **OIDC / OAuth** — open source
   - **LDAP** — direct or via IdP
   - **Local accounts** — fallback
2. **For OIDC setup**:
   - Client ID + secret from IdP
   - Auth URL, token URL, userinfo URL
   - Scopes (openid, profile, email)
   - Role attribute mapping
3. **For SAML setup**:
   - SP metadata exposed
   - IdP metadata imported
   - Assertion attributes mapped to Grafana fields
   - Signature, encryption
4. **For role mapping**:
   - From IdP group → Grafana role
   - Org-level
   - Multi-org needs careful mapping
5. **For "login fails"**:
   - Apache / mod_auth logs (if proxied)
   - Grafana logs at /var/log/grafana/
   - IdP audit logs
6. **For "user logs in but wrong permissions"**:
   - Role attribute mismatch
   - Default role too restrictive
   - JIT provisioning issue
7. **For group sync** (Enterprise):
   - Periodic sync from IdP
   - Match group → team mapping
8. **For auth proxy** (alternative):
   - Reverse proxy authenticates
   - Header passed to Grafana

Mark DESTRUCTIVE: changing auth config without local admin (lockout), tightening permissions while users active (logged out), removing fallback during IdP outage.

---

IdP + protocol: [DESCRIBE]
Auth config:
```
[PASTE]
```
Symptom: [DESCRIBE]

Why this prompt works

SSO is critical but error-prone: a single wrong attribute name or an unregistered redirect URI breaks every login. This prompt walks through setup and the debugging of the common failure modes.

How to use it

  1. Test in staging first.
  2. Keep local admin ready.
  3. Map roles explicitly.
  4. Audit role assignments.

Useful commands

```bash
# Grafana logs
sudo tail -f /var/log/grafana/grafana.log | grep -i auth

# Test SAML metadata
curl http://grafana:3000/saml/metadata

# Initiate SSO test
curl -v http://grafana:3000/login/saml

# User table
# (via Grafana DB or admin UI: Server Admin → Users)

# Active sessions
# (via Grafana DB: user_auth_token table)
```

Patterns

OIDC (Okta example)

```ini
# grafana.ini
[auth.generic_oauth]
enabled = true
name = Okta
allow_sign_up = true
client_id = <client-id>
client_secret = <client-secret>
scopes = openid profile email groups
auth_url = https://example.okta.com/oauth2/v1/authorize
token_url = https://example.okta.com/oauth2/v1/token
api_url = https://example.okta.com/oauth2/v1/userinfo
allowed_domains = example.com
role_attribute_path = contains(groups[*], 'grafana-admin') && 'Admin' || contains(groups[*], 'grafana-editor') && 'Editor' || 'Viewer'
allow_assign_grafana_admin = true
```
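The Okta pattern above is where most "user logs in but has the wrong role" cases originate, so here is an added offline check (example code, not from this page or from Grafana) that parses a grafana.ini fragment with configparser, flags the settings that cause JIT provisioning or role mapping to fail, derives the callback URI that must be registered at the IdP, and evaluates the role expression against a constructed userinfo payload. It assumes the `contains(groups[*], 'g') && 'Role' || ... || 'Default'` chain used on this page; it is not a general JMESPath evaluator.

```python
import configparser
import re

# Constructed grafana.ini fragment shaped like the page's Okta example,
# deliberately missing the 'groups' scope that the role expression needs.
GRAFANA_INI = """
[server]
root_url = https://grafana.example.com/

[auth.generic_oauth]
enabled = true
allow_sign_up = false
scopes = openid profile email
role_attribute_path = contains(groups[*], 'grafana-admin') && 'Admin' || contains(groups[*], 'grafana-editor') && 'Editor' || 'Viewer'
"""

# Only the documented "contains(groups[*], 'g') && 'Role' || ... || 'Default'"
# chain is understood (an assumption of this example), not general JMESPath.
_CLAUSE = re.compile(r"contains\(groups\[\*\],\s*'([^']+)'\)\s*&&\s*'(\w+)'")
_DEFAULT = re.compile(r"\|\|\s*'(\w+)'\s*$")


def parse_role_chain(expr):
    """Return ([(group, role), ...], default_role) for the supported pattern."""
    default = _DEFAULT.search(expr)
    return _CLAUSE.findall(expr), (default.group(1) if default else None)


def resolve_role(expr, userinfo):
    """Role Grafana would assign: first matching group wins, else the default.
    A missing `groups` claim (scope not granted) silently yields the default."""
    pairs, default = parse_role_chain(expr)
    groups = userinfo.get("groups") or []
    for group, role in pairs:
        if group in groups:
            return role
    return default


def check_oauth_config(ini_text):
    """Findings to check before blaming the IdP, plus the callback URI that
    must be registered at the IdP verbatim (Grafana uses /login/generic_oauth)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    oauth = cfg["auth.generic_oauth"]
    findings = []
    if not oauth.getboolean("allow_sign_up", fallback=False):
        findings.append("allow_sign_up=false: JIT provisioning of new users fails")
    if "groups[*]" in oauth.get("role_attribute_path", "") and "groups" not in oauth.get("scopes", "").split():
        findings.append("role_attribute_path reads groups but 'groups' scope missing: everyone gets the default role")
    redirect_uri = cfg["server"]["root_url"].rstrip("/") + "/login/generic_oauth"
    return findings, redirect_uri
```

Run `check_oauth_config(GRAFANA_INI)` on the real file before touching the IdP: if the `groups` scope is missing, `resolve_role` returns `Viewer` for every user, which looks exactly like a "wrong role mapping" from the user's side.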

SAML (Enterprise)

```ini
[auth.saml]
enabled = true
certificate_path = /etc/grafana/saml.crt
private_key_path = /etc/grafana/saml.key
idp_metadata_url = https://idp.example.com/saml/metadata
assertion_attribute_name = displayName
assertion_attribute_login = mail
assertion_attribute_email = mail
assertion_attribute_groups = groups
role_values_admin = grafana-admin
role_values_editor = grafana-editor
role_values_viewer = grafana-viewer
```

LDAP

```toml
# /etc/grafana/ldap.toml
[[servers]]
host = "ldap.example.com"
port = 636
use_ssl = true
bind_dn = "cn=grafana,dc=example,dc=com"
bind_password = "secret"
search_filter = "(uid=%s)"
search_base_dns = ["dc=example,dc=com"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email = "mail"

[[servers.group_mappings]]
group_dn = "cn=grafana-admin,ou=groups,dc=example,dc=com"
org_role = "Admin"
```

Common findings this catches

  • Login fails silently → check the Grafana log and the IdP audit log.
  • User logs in but has no permissions → role_attribute_path is wrong.
  • Group sync delay → wait for the next sync or force one.
  • SAML signature mismatch → check the certificate chain.
  • OIDC redirect URI mismatch → register the exact redirect URI in the IdP.
  • Multi-org mapping wrong → map the role per org.
  • JIT provisioning fails → allow_sign_up is disabled or the role mapping is wrong.

When to escalate

  • IdP-side issue → identity team.
  • Mass user impact → coordinate.
  • Compliance auth review → security.
