Grafana role mapping for Keycloak SAML auth

I currently have my Keycloak configured for SAML on Grafana. I have logs of me having a session with Grafana saying I did authenticate, but I keep going to the login screen.
I'm using Linux, and using version 11.1.0.
Currently my auth.saml looks like this:
assertion_attribute_name = name
assertion_attribute_login = username
assertion_attribute_email = email
assertion_attribute_groups = groups

Currently the issue I'm getting is I log in with SAML and it kicks me back to the login screen. I have cookie_secure set to false,
I have cookie_samesite = none,
I have allow_embedding = true.
When I have these settings applied it works with Chrome, but on Firefox I get "failed to determine the state of the SSO redirect".
If cookie_secure = true I get a "failed to determine the state of the SSO redirect".
If cookie_samesite = anything else I get the "failed to determine the state of the SSO redirect".

In Keycloak I have the roles mapped like this:

Name: username
Mapper Type: User Attribute
User Attribute: username
SAML Attribute Name: username
SAML Attribute NameFormat: Basic
Aggregate attribute values: OFF

Name: email
Mapper Type: User Attribute
User Attribute: email
SAML Attribute Name: email
SAML Attribute NameFormat: Basic
Aggregate attribute values: OFF

Name: groups
Mapper Type: Group list
User Attribute: groups
SAML Attribute Name: groups
SAML Attribute NameFormat: Basic
Single Group Attribute: ON
Full group path: OFF

Be aware that Role != Group. You didn't configure any role mapping. Visual example:

I don't have that Authentication tab on mine. I have total admin access, but neither me nor my coworkers have that tab. We have been doing that stuff in the config file, from my understanding, with this:
assertion_attribute_name = name
assertion_attribute_login = username
assertion_attribute_email = email
assertion_attribute_groups = groups

Yes, that's just UI. You don't need the UI - you can control everything from the config file.
It is always good to read a doc: Configure SAML authentication using the configuration file | Grafana documentation

But my point was to use UI, but to understand that you have to configure Role mapping. You configured only group mapping. But GROUP is not the same as ROLE.

1 Like

I now added:

assertion_attribute_groups = Group
assertion_attribute_role = role
role_values_viewer = external
role_values_editor = editor, developer
role_values_admin = admin, operator
role_values_grafana_admin = superadmin

In Keycloak I added a Role list with the role mapper, with the role attribute name being: role.
Still no success.
If the role values need to be more specific, where can I find these, and do I need to assign those in Keycloak, or does the Role list already do that?

That's not debugging. Always check if you have what you configured. For example, you configured assertion_attribute_groups = Group, so check if you have Group in the SAML response. Both sides (Grafana SAML config and SAML response) must be matching, so verify that. Please format your snippets for readability and always provide details of what you configured, debug logs, errors, … - a problem description of "still no success" doesn't help to solve your problem at all.

1 Like
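The check suggested above, as an added example that is not part of this thread: parse the AttributeStatement of a SAML response and compare it, attribute by attribute, against the assertion_attribute_* keys from the Grafana config posted in the thread. The assertion XML is a constructed sample, and the role-precedence order in resolve_role is an assumption made for the check, not taken from Grafana's code.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample assertion: what Keycloak's Basic-NameFormat mappers
# named "username", "email", "groups" and "role" would emit (no "name").
SAML_RESPONSE = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:AttributeStatement>
  <saml:Attribute Name="username" NameFormat="{BASIC}">
   <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email" NameFormat="{BASIC}">
   <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups" NameFormat="{BASIC}">
   <saml:AttributeValue>developers</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="role" NameFormat="{BASIC}">
   <saml:AttributeValue>developer</saml:AttributeValue>
   <saml:AttributeValue>offline_access</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

# [auth.saml] keys exactly as posted in the thread (note "Group" vs "groups").
GRAFANA_SAML = {
    "assertion_attribute_name": "name",
    "assertion_attribute_login": "username",
    "assertion_attribute_email": "email",
    "assertion_attribute_groups": "Group",
    "assertion_attribute_role": "role",
    "role_values_viewer": "external",
    "role_values_editor": "editor, developer",
    "role_values_admin": "admin, operator",
    "role_values_grafana_admin": "superadmin",
}

def assertion_attributes(xml_text):
    """Map SAML attribute Name -> list of AttributeValue texts."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}

def check_mapping(cfg, attrs):
    """assertion_attribute_* keys whose SAML attribute is absent (exact, case-sensitive match)."""
    return {k: v for k, v in cfg.items()
            if k.startswith("assertion_attribute_") and v not in attrs}

def resolve_role(cfg, attrs):
    """Most privileged role_values_* level matched by the role attribute (assumed order), else None."""
    values = set(attrs.get(cfg.get("assertion_attribute_role", ""), []))
    for level in ("grafana_admin", "admin", "editor", "viewer"):
        wanted = {v.strip() for v in cfg.get(f"role_values_{level}", "").split(",") if v.strip()}
        if wanted & values:
            return level
    return None
```

Run against the sample, check_mapping reports "name" and "Group" as missing from the response, which is the class of mismatch the reply above asks to rule out first.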

The logs listed an issue of it failing to map name, which I ended up mapping in Keycloak. Now, after updating the logs and reading /var/log/grafana, it's not updating, and for some reason I cannot log into Chrome at all now with LDAP, but on Firefox it does work with LDAP (SAML is still broken).

I also noticed something: when trying SAML on any other browser besides Chrome I get a "Failed to determine the state of the SSO redirect".

After changing cookie_samesite = lax and cookie_secure = true I can now log into Chrome and Edge with LDAP, but now I'm getting the "Failed to determine the state of the SSO redirect" on all browsers.

You are mixing setups, e.g. SAML with LDAP. You didn't provide any logs or what your SAML response looks like - there can be billions of things that can be wrong, and based on your input there is no way to help you, sorry.

I got it to work, thank you. Turns out I was putting first name into the name attribute but it kept coming in blank. I changed it to username and it works great. Thank you for the help.