What is the exact procedure to set up ADFS authentication?

I am looking for a precise enough guide on how to configure ADFS login (service provider (SP) initiated logins) to Grafana. I have a Prometheus-Loki-Grafana instance running in K8s and Grafana can be accessed at https://grafana.prod.mydomain/login

I have read the docs here but I'm left with questions on the exact steps:

  1. Where is the config file to be edited for k8s installations? The docs have /usr/local/etc/grafana/grafana.ini and two other paths:

     $WORKING_DIR/conf/defaults.ini
     /etc/grafana/grafana.ini

  2. Are these the correct variables to set up, or am I missing something else?

     • enabled
     • allow_sign_up
     • idp_metadata, idp_metadata_path, or idp_metadata_url
     • private_key or private_key_path

     1. idp_metadata, idp_metadata_path, or idp_metadata_url – Where/how do I get this?
     2. private_key or private_key_path – Where/how do I get this?
     3. The docs state that "For the SAML integration to work correctly, you need to make the IdP aware of the SP". My understanding is that this means establishing a "handshake" between SP (Grafana) and IdP (ADFS), but I'm not sure about where I get the values for:

        /saml/metadata endpoint
        /saml/acs endpoint

  3. How do I test that the config is working?
  4. Where do I test from? Grafana? ADFS? Or both?
  5. What do I need to set up on the ADFS side?


@edtshuma SAML authentication is a Grafana Enterprise feature. If you have an Enterprise license, you are also eligible to open a support ticket from your account portal in grafana.com. I would suggest that to get help from a support engineer for configuring this.

If you have Grafana Enterprise, this might be helpful for creating the ConfigMap for the grafana.ini file:

To test the config is working you can attempt to log in to grafana (you can configure multiple authentication types, so enabling SAML will not lock you out of the other ones).

You can also enable debug logging by editing the configuration file grafana.ini, to view more detailed messages about the connection attempts and any errors that need to be resolved.

[log]
# Either "console", "file", "syslog". Default is console and file
# Use space to separate multiple modes, e.g. "console file"
mode = console file

# Either "debug", "info", "warn", "error", "critical", default is "info"
level = debug

Then restart grafana for the setting to go into effect.
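As an added example (not part of the reply above, and not Grafana's or the thread's own configuration), here is what a Kubernetes ConfigMap carrying a grafana.ini for SP-initiated SAML against ADFS can look like, combining the [log] debug setting from the reply with the [auth.saml] keys the question lists. Everything environment-specific is an assumption: the ConfigMap is mounted into the Grafana pod as /etc/grafana/grafana.ini, ADFS is reachable at the hypothetical host adfs.mydomain, the SP signing key pair is mounted from a Kubernetes Secret under /etc/grafana/saml, and the claim type URIs assume the relying party trust in ADFS issues the standard Name, UPN and E-Mail Address claims. [auth.saml] only takes effect on Grafana Enterprise, as the reply notes.

```yaml
# Added example, not from the original thread or from Grafana's docs.
# Kubernetes ConfigMap carrying a grafana.ini for SP-initiated SAML against ADFS.
# Assumptions (hypothetical, adjust to your environment):
#   - the ConfigMap is mounted into the Grafana pod at /etc/grafana/grafana.ini
#   - ADFS is reachable at https://adfs.mydomain (the federation metadata path
#     below is the standard ADFS one)
#   - the SP signing key pair is provided by a Kubernetes Secret mounted at
#     /etc/grafana/saml (never place the private key in a ConfigMap)
#   - Grafana Enterprise is licensed, since [auth.saml] is an Enterprise feature
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-ini
  namespace: monitoring
data:
  grafana.ini: |
    [server]
    # root_url must be the externally reachable URL: Grafana derives the
    # SP metadata (/saml/metadata) and ACS (/saml/acs) URLs from it, and ADFS
    # will only post assertions to the ACS URL registered in the relying
    # party trust.
    root_url = https://grafana.prod.mydomain/

    [log]
    mode = console
    # debug shows the SAML request/response handling; revert to info afterwards
    level = debug

    [auth.saml]
    enabled = true
    # Keep false during the first test so only pre-created users can log in;
    # set true once the assertion attributes map correctly.
    allow_sign_up = false
    # SP signing certificate and key (mounted from a Secret, paths assumed)
    certificate_path = /etc/grafana/saml/sp.crt
    private_key_path = /etc/grafana/saml/sp.key
    # ADFS publishes its IdP metadata (signing certs, SSO endpoints) here;
    # host name is an assumption
    idp_metadata_url = https://adfs.mydomain/FederationMetadata/2007-06/FederationMetadata.xml
    # ADFS claim types mapped onto Grafana fields; assumes the relying party
    # trust issues these claims
    assertion_attribute_name = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    assertion_attribute_login = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
    assertion_attribute_email = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
```

The idp_metadata_url answers the question's "where do I get the IdP metadata": ADFS serves it itself, and Grafana uses it to learn the IdP's signing certificate and SSO endpoint. The private key and certificate are the SP's own key pair (generated by you, and handed to Grafana via the Secret), so the matching step on the ADFS side is to create a relying party trust from the SP metadata Grafana serves at https://grafana.prod.mydomain/saml/metadata once SAML is enabled and the pod has restarted; that registration is what the docs call making the IdP aware of the SP. Test from the Grafana login page, and read the debug log for the SAML response handling if the redirect back from ADFS fails.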