How do I grant administrator access to SAML authenticated users in my Amazon Managed Grafana workspace?
Users can successfully log in to my Amazon Managed Grafana workspace through SAML authentication. However, they don't have administrator access.
Short description
When you activate an Amazon Managed Grafana workspace with SAML authentication, the attribute assertion mappings between the service and Identity Provider (IdP) application must match. A mismatch prevents users from receiving the correct privileges. In this case, all users with access to the application connect as viewers.
Resolution
Use the browser developer tools to identify the attributes that are sent by SAML assertion
1. In the top-right corner your browser, choose the menu. Then, choose the developer tools for your browser:
Firefox: Choose More tools, Web Developer Tools.
Chrome: Choose Developer Tools.
2. In the developer tools menu, choose the Network panel.
3. In the same browser tab, navigate to your Amazon Managed Grafana workspace URL.
4. Choose Sign in with SAML. Enter your credentials, and then sign in to the IdP login page.
5. Find the Assertion Consumer Service (ACS) URL in the Network logs of the developer tools pane.
Tip: Search for an acs file name, POST method, and 302 status.
6. In the request details, choose the tab Request (Firefox) or Payload (Chrome). Then, copy the content from SAML Response.
7. The captured SAML response is base64-encoded. To decode it, use a base64 decoding tool to extract the XML tagged response.
Note: Because the SAML response might contain sensitive security data, it's a best practice that you don't use an online base64 decoder.
Built-in option for Windows systems (PowerShell)
PS C:\> [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("PD94bWwgdmVyc2lvbj0iMS4wIj8+PGV4YW1wbGU+PG1lc3NhZ2U+VGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUgb2YgYmFzZTY0LWVuY29kZWQgWE1MIGZpbGUuIFJlcGxhY2UgaXQgYnkgdGhlIGFjdHVhbCBTQU1MIFJlc3BvbnNlIGVuY29kZWQgeW91IGdvdCBmcm9tIHRoZSBicm93c2VyIGRldmVsb3BlciB0b29sczwvbWVzc2FnZT48L2V4YW1wbGU+Cg=="))
Built-in option for macOS and Linux systems
$ echo "PD94bWwgdmVyc2lvbj0iMS4wIj8+PGV4YW1wbGU+PG1lc3NhZ2U+VGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUgb2YgYmFzZTY0LWVuY29kZWQgWE1MIGZpbGUuIFJlcGxhY2UgaXQgYnkgdGhlIGFjdHVhbCBTQU1MIFJlc3BvbnNlIGVuY29kZWQgeW91IGdvdCBmcm9tIHRoZSBicm93c2VyIGRldmVsb3BlciB0b29sczwvbWVzc2FnZT48L2V4YW1wbGU+Cg==" |base64 -d |xmllint --pretty 1 -
You receive an output that's similar to the following message:
<?xml version="1.0"?> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://g-0123456789.grafana-workspace.us-east-1.amazonaws.com/saml/acs" ID="ID_76eb61f5-fb11-4f8b-bd7d-418f8a17156c" InResponseTo="id-ce1f5b28b091d0ebac109b5f34f125a18b7f94a5" IssueInstant="2023-04-28T10:19:57.780Z" Version="2.0"> <saml:Issuer>https://idp.example.com/saml</saml:Issuer> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> REDACTED </dsig:Signature> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_a1234b56-789c-1234-d567-8e1234f56789" IssueInstant="2023-04-28T10:19:57.780Z" Version="2.0"> <saml:Issuer>https://idp.example.com/saml</saml:Issuer> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:SignedInfo> <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <dsig:Reference URI="#ID_a1234b56-789c-1234-d567-8e1234f56789"> <dsig:Transforms> <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </dsig:Transforms> <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <dsig:DigestValue>REDACTED</dsig:DigestValue> </dsig:Reference> </dsig:SignedInfo> <dsig:SignatureValue>REDACTED</dsig:SignatureValue> <dsig:KeyInfo> REDACTED </dsig:KeyInfo> </dsig:Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">G-bd98f293-922c-4f70-a8c3-bc973a75d600</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData InResponseTo="id-ce1f5b28b091d0ebac109b5f34f125a18b7f94a5" NotOnOrAfter="2023-04-28T10:24:55.780Z" Recipient="https://g-0123456789.grafana-workspace.us-east-1.amazonaws.com/saml/acs"/> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2023-04-28T10:19:55.780Z" NotOnOrAfter="2023-04-28T10:20:55.780Z"> <saml:AudienceRestriction> <saml:Audience>https://g-0123456789.grafana-workspace.us-east-1.amazonaws.com/saml/metadata</saml:Audience> </saml:AudienceRestriction> <saml:OneTimeUse/> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2023-04-28T10:19:57.780Z" SessionIndex="a678db73-aaf9-4d34-8016-4deea551aaac::15728029-bd04-4e00-8ca6-acb338fde6fe" SessionNotOnOrAfter="2023-04-28T20:19:57.780Z"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute FriendlyName="Role" Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin</saml:AttributeValue> </saml:Attribute> <saml:Attribute FriendlyName="mail" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user@example.com</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response>
8. Note the attribute names and values under saml:AttributeStatement. You need these values for a later step.
Map attributes in Amazon Managed Grafana SAML configuration
1. Open the Amazon Managed Grafana Console.
2. In the left navigation pane, choose All workspaces.
3. Select the workspace that you want to configure SAML authentication for.
4. In the Authentication tab, choose SAML configuration.
5. Under Step 3: Map assertion attributes, enter the following information:
Assertion attribute role: Enter the SAML attribute Name or FriendlyName that's listed under AttributeStatement. In the previous SAML response example, this attribute is Role.
Admin role values: This is a list of role names, separated by commas, that you grant to the admin role. This list is in the AttributeValue that's mapped directly under the attribute Name or FriendlyName role. In the previous SAML response example, this value is Admin.
6. To complete the configuration, choose Save SAML configuration.
Related information
Using SAML with your Amazon Managed Grafana workspace
How to view a SAML response in your browser for troubleshooting
Relevant content
- asked 2 years agolg...
- asked 2 years agolg...
- asked 7 months agolg...
- asked 2 months agolg...
- AWS OFFICIALUpdated 21 days ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 22 days ago