SAML Auth with LDAP

sushi121123 · November 21, 2024, 7:37pm

I currently have my keycloak configured for SAML on grafana. The issue im running into is the log in is different when i log in with saml and when i log in with keycloak SAML. i have a general idea of what the issue is but i could be totally wrong. When i log in with keycloak it shows it is the same account in the users tab but the orgin changed to SAML and the Role changes from admin to viewer. How do i make it so LDAP and SAML keep the same roles. my current set up is:
{auth.proxy]
enabled = true
header_name = X-Forwarded-User
header_property = username
auto_sign_up = true
roles_header = X-Forwarded-Roles

[auth.saml]
enabled = true
**key stuf **
roles_values_none = none
assertion_attribute_role = role
role_values_viewer = Viewer
role_values_Editor = Editor
roles_values_Admin = Admin
assertion_attribute_role = role
assertion_attribute_name = name
assertion_attribute_login = username
assertion_attribute_email = email
assertion_attribute_groups = groups

in key cloak i have the Name scope assigned to username becuase assigning it to last name or first name it prompts for the name when they try to log in with SAML

jangaraj · November 21, 2024, 7:54pm

Make sure you have different username/email in your SAML/LDAP identities.

sushi121123 · November 21, 2024, 10:20pm

when logged in with LDAP i click on profile and the username is different than the one with SAML. The username for LDAP for some reason is the displayName for the user in AD. the username for the SAML account is the SamAccount name in AD. the emails are exactly the same. after some playing around i did notice something, originally account roles were set in grafana it self and now the functionality has been taken away entirely and gives the error Accounts are managed by auth provider. after a new user is created it now sets them to viewer and cannot be changed. after some research is seems i need to set up roles in AD. where do i define this in AD and grafana?

sushi121123 · November 21, 2024, 10:43pm

i managed to get LDAP roles to sync with LDAP. But SAML is not syncing at all. still defaulting to Viewer and not using the ldap roles

sushi121123 · November 21, 2024, 10:59pm

after checking logs i get a level: error msg= “Proxy request failed” err= dial tcp" connect: connection refused.

this happens after connecting with SAM

Topic		Replies	Views
Link SAML keycloak to AD roles Authentication ldap , saml	0	10	November 22, 2024
Grafana role mapping for Keycloak SAML auth Authentication saml , keycloak	11	142	October 30, 2024
SAML - Grafana role with IDP group linking Configuration saml , keycloak	6	22	December 24, 2024
Configure SAML auth in Grafana Authentication templating	0	553	October 11, 2022
Active Directory: email AND username login? Grafana ldap	0	47	September 24, 2024

SAML Auth with LDAP

Related topics