Configure Grafana Enterprise with comprehensive single sign-on authentication supporting LDAP, SAML, and OAuth2 providers. Set up role-based access control with automated team mapping and user provisioning for enterprise environments.
Prerequisites
- Grafana Enterprise license
- Active Directory or LDAP server
- SAML identity provider access
- OAuth2 application credentials
- SSL certificates for SAML
What this solves
Grafana Enterprise SSO authentication eliminates the need for separate user credentials by integrating with your existing identity providers. This tutorial configures LDAP authentication with Active Directory, SAML integration with enterprise identity providers, and OAuth2 with Google and GitHub. You'll implement role-based access control with automatic team mapping to streamline user management across your monitoring infrastructure.
Step-by-step installation
Install Grafana Enterprise
Download and install Grafana Enterprise, which includes the SAML and team-sync features that are not available in the open source version.

```bash
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
echo "deb https://packages.grafana.com/enterprise/deb stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list
sudo apt update
sudo apt install -y grafana-enterprise
```
Configure Grafana Enterprise license
Add your Grafana Enterprise license key to enable SSO features.
```ini
[enterprise]
license_path = /etc/grafana/license.jwt
```
Create the license file with your Enterprise license token:
```bash
sudo touch /etc/grafana/license.jwt
sudo chown grafana:grafana /etc/grafana/license.jwt
sudo chmod 640 /etc/grafana/license.jwt
echo "your-license-jwt-token-here" | sudo tee /etc/grafana/license.jwt
```
Configure LDAP authentication
Set up LDAP integration with Active Directory for enterprise user authentication.
```toml
[[servers]]
host = "ldap.example.com"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false
bind_dn = "cn=grafana,ou=service-accounts,dc=example,dc=com"
bind_password = "secure-bind-password"
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["ou=users,dc=example,dc=com"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"

[[servers.group_mappings]]
group_dn = "cn=grafana-admins,ou=groups,dc=example,dc=com"
org_role = "Admin"
grafana_admin = true

[[servers.group_mappings]]
group_dn = "cn=grafana-editors,ou=groups,dc=example,dc=com"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "cn=grafana-viewers,ou=groups,dc=example,dc=com"
org_role = "Viewer"
```
Enable LDAP authentication in Grafana
Update the main Grafana configuration to enable LDAP authentication.
```ini
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
# five-field cron expression: run the background sync at 01:00 every day
sync_cron = "0 1 * * *"
active_sync_enabled = true
```
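Before the LDAP file above goes live it is worth checking it for the settings that weaken it: cleartext binds, disabled certificate validation, a directory-admin bind account, or a wildcard group mapping that hands every user Admin. The following audit script is an added example, not part of the tutorial or of Grafana; it parses an ldap.toml with the standard-library `tomllib` and returns a list of findings. Both TOML documents inside it are constructed samples (the hardened one mirrors the tutorial's file, the weak one collects the mistakes the checks look for), and the function name `audit_ldap_config` is this example's own.

```python
"""Audit a Grafana ldap.toml for weak transport and mapping settings."""
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # older interpreters: pip install tomli

# Constructed sample mirroring the tutorial's hardened ldap.toml.
HARDENED_TOML = """
[[servers]]
host = "ldap.example.com"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false
bind_dn = "cn=grafana,ou=service-accounts,dc=example,dc=com"
bind_password = "secure-bind-password"
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["ou=users,dc=example,dc=com"]

[[servers.group_mappings]]
group_dn = "cn=grafana-admins,ou=groups,dc=example,dc=com"
org_role = "Admin"
grafana_admin = true

[[servers.group_mappings]]
group_dn = "cn=grafana-viewers,ou=groups,dc=example,dc=com"
org_role = "Viewer"
"""

# Constructed sample collecting the mistakes the audit is meant to catch.
WEAK_TOML = """
[[servers]]
host = "ad.example.com"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = true
bind_dn = "cn=admin,dc=example,dc=com"
bind_password = "grafana"
search_filter = "(cn=%s)"
search_base_dns = ["dc=example,dc=com"]
group_search_filter = "(&(objectClass=group)(member=%s))"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Admin"
"""


def audit_ldap_config(toml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    cfg = tomllib.loads(toml_text)
    findings: list[str] = []
    servers = cfg.get("servers", [])
    if not servers:
        return ["no [[servers]] block: Grafana has nothing to authenticate against"]

    for i, s in enumerate(servers):
        tag = f"servers[{i}] ({s.get('host', '?')})"

        # Transport: without LDAPS or STARTTLS the bind password and every
        # user's credentials cross the network in cleartext.
        if not (s.get("use_ssl") or s.get("start_tls")):
            findings.append(f"{tag}: neither use_ssl nor start_tls is set; credentials travel in cleartext")
        if s.get("ssl_skip_verify"):
            findings.append(f"{tag}: ssl_skip_verify = true disables certificate validation")
        if s.get("use_ssl") and s.get("port") != 636:
            findings.append(f"{tag}: use_ssl with port {s.get('port')}; LDAPS normally listens on 636")

        # Bind identity: anonymous binds and directory-admin accounts are both bad choices.
        bind_dn = s.get("bind_dn", "")
        if not bind_dn:
            findings.append(f"{tag}: empty bind_dn (anonymous bind)")
        elif bind_dn.lower().startswith("cn=admin,"):
            findings.append(f"{tag}: bind_dn looks like a directory admin account; use a read-only service account")
        if "%s" not in s.get("search_filter", ""):
            findings.append(f"{tag}: search_filter has no %s placeholder for the login name")

        # Group search with member=%s needs the user's DN, not the login name.
        gsf = s.get("group_search_filter", "")
        if "member=%s" in gsf and not s.get("group_search_filter_user_attribute"):
            findings.append(f"{tag}: group_search_filter uses member=%s but group_search_filter_user_attribute is unset")

        # Mappings: none at all means any directory user the filter finds can log in
        # with the default role; a wildcard DN granting Admin is worse.
        mappings = s.get("group_mappings", [])
        if not mappings:
            findings.append(f"{tag}: no group_mappings; every user found by search_filter can log in with the default org role")
        for m in mappings:
            if m.get("group_dn") == "*" and (m.get("org_role") == "Admin" or m.get("grafana_admin")):
                findings.append(f"{tag}: wildcard group_dn grants {m.get('org_role')} to every user")
    return findings


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_TOML), ("weak", WEAK_TOML)):
        print(f"== {label}: {len(audit_ldap_config(text))} finding(s)")
        for f in audit_ldap_config(text):
            print("  -", f)
```

Run it against the real file with `audit_ldap_config(open("/etc/grafana/ldap.toml").read())` (as the `grafana` user, since the file is mode 640).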
Configure SAML authentication
Set up SAML integration for enterprise identity providers like Okta, Azure AD, or ADFS. Note that `allow_idp_initiated = true` makes Grafana accept unsolicited assertions that were not triggered by a login request it issued; Grafana's documentation recommends leaving it disabled unless your identity provider requires it.

```ini
[auth.saml]
enabled = true
certificate_path = /etc/grafana/saml.crt
private_key_path = /etc/grafana/saml.key
idp_metadata_url = https://example.okta.com/app/exampleapp/sso/saml/metadata
max_issue_delay = 90s
metadata_valid_duration = 48h
allow_idp_initiated = true
allow_sign_up = true
auto_login = false
single_logout = true
name_id_format = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
```
Generate SAML certificates
Create the X.509 key pair that Grafana uses as a SAML service provider to sign its authentication requests and decrypt encrypted assertions. This is separate from the TLS certificate that fronts the web interface.

```bash
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/grafana/saml.key \
  -out /etc/grafana/saml.crt \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=grafana.example.com"
sudo chown grafana:grafana /etc/grafana/saml.*
sudo chmod 640 /etc/grafana/saml.*
```
Configure SAML attribute mapping
Map SAML attributes to Grafana user properties for automatic user provisioning.
```ini
[auth.saml]
attribute_name = Name
attribute_login = Login
attribute_email = Email
attribute_groups = Groups
attribute_role = Role
attribute_org = Org
org_mapping = Engineering:1:Editor,Operations:2:Admin
role_values_editor = Editor,Developer
role_values_admin = Admin,Manager
role_values_grafana_admin = SuperAdmin
```
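The `org_mapping` and `role_values_*` lines are compact, and it is easy to misjudge what a given user ends up with. The script below is an added example, not Grafana's own code: a simplified model of those settings that lets you dry-run the mapping against test users before the IdP sends real assertions. The settings dictionary copies the tutorial's values; the sample users, the function names (`resolve_saml_access`, `parse_org_mapping`, `parse_role_values`) and two precedence choices marked in the comments (a `*` org value matching everyone, and the Role attribute being able to raise but not lower a mapped role) are this example's assumptions, not statements about Grafana's internals.

```python
"""Model Grafana's SAML org_mapping / role_values_* evaluation for test users."""
from typing import Optional

ROLE_RANK = {"None": 0, "Viewer": 1, "Editor": 2, "Admin": 3}

# The tutorial's [auth.saml] mapping settings; role_values_none/viewer are
# real keys left empty here.
SAML_SETTINGS = {
    "org_mapping": "Engineering:1:Editor,Operations:2:Admin",
    "role_values_none": "",
    "role_values_viewer": "",
    "role_values_editor": "Editor,Developer",
    "role_values_admin": "Admin,Manager",
    "role_values_grafana_admin": "SuperAdmin",
}

# Constructed users: attribute name -> list of values from the assertion.
SAMPLE_USERS = {
    "alice": {"Role": ["Developer"], "Org": ["Engineering"]},
    "bob": {"Role": ["SuperAdmin", "Manager"], "Org": ["Operations"]},
    "carol": {"Role": ["Intern"], "Org": ["Marketing"]},
}


def _csv(value: str) -> list[str]:
    """Split a comma-separated ini value, dropping blanks and whitespace."""
    return [v.strip() for v in value.split(",") if v.strip()]


def highest(a: Optional[str], b: str) -> str:
    """Return the more privileged of two Grafana org roles."""
    return b if a is None or ROLE_RANK[b] > ROLE_RANK[a] else a


def parse_org_mapping(spec: str) -> list[tuple[str, int, str]]:
    """Parse 'OrgValue:OrgId:Role,...' into tuples, rejecting unknown roles."""
    mapping = []
    for entry in _csv(spec):
        parts = [p.strip() for p in entry.split(":")]
        if len(parts) != 3 or parts[2] not in ROLE_RANK:
            raise ValueError(f"bad org_mapping entry: {entry!r}")
        mapping.append((parts[0], int(parts[1]), parts[2]))
    return mapping


def parse_role_values(settings: dict[str, str]) -> dict[str, str]:
    """Invert role_values_<role> into {attribute value: Role}."""
    table: dict[str, str] = {}
    for role in ("none", "viewer", "editor", "admin"):
        for value in _csv(settings.get(f"role_values_{role}", "")):
            table[value] = role.capitalize()
    return table


def resolve_saml_access(attrs: dict[str, list[str]], settings: dict[str, str],
                        auto_assign_org_id: int = 1, auto_assign_org_role: str = "Viewer") -> dict:
    """Compute {"orgs": {org_id: role}, "grafana_admin": bool} for one user."""
    roles = attrs.get("Role", [])
    org_values = attrs.get("Org", [])
    role_table = parse_role_values(settings)

    # Highest role named by the Role attribute, if any value is recognised.
    role_from_attr = max((role_table[v] for v in roles if v in role_table),
                         key=ROLE_RANK.__getitem__, default=None)
    grafana_admin = any(v in _csv(settings.get("role_values_grafana_admin", "")) for v in roles)

    orgs: dict[int, str] = {}
    for org_value, org_id, role in parse_org_mapping(settings.get("org_mapping", "")):
        # Assumption of this model: a '*' org value matches every user.
        if org_value == "*" or org_value in org_values:
            orgs[org_id] = highest(orgs.get(org_id), role)

    if not orgs:
        # No mapping matched: fall back to the [users] auto-assign org and role.
        orgs[auto_assign_org_id] = role_from_attr or auto_assign_org_role
    elif role_from_attr:
        # Assumption of this model: the Role attribute can raise, never lower, a mapped role.
        for org_id in orgs:
            orgs[org_id] = highest(orgs[org_id], role_from_attr)
    return {"orgs": orgs, "grafana_admin": grafana_admin}


if __name__ == "__main__":
    for name, attrs in SAMPLE_USERS.items():
        print(name, resolve_saml_access(attrs, SAML_SETTINGS))
```

Running it shows that `carol`, who matches neither mapping, silently lands in org 1 as Viewer: if that is not intended, tighten `auto_assign_org_role` or add an explicit `role_values_none` entry.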
Configure OAuth2 with Google
Set up Google OAuth2 authentication for users with Google accounts.
```ini
[auth.google]
enabled = true
allow_sign_up = true
client_id = your-google-client-id
client_secret = your-google-client-secret
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
auth_url = https://accounts.google.com/o/oauth2/auth
token_url = https://accounts.google.com/o/oauth2/token
api_url = https://www.googleapis.com/oauth2/v1/userinfo
allowed_domains = example.com
hosted_domain = example.com
```
Configure OAuth2 with GitHub
Enable GitHub OAuth2 authentication for development teams using GitHub.
```ini
[auth.github]
enabled = true
allow_sign_up = true
client_id = your-github-client-id
client_secret = your-github-client-secret
scopes = user:email,read:org
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
api_url = https://api.github.com/user
allowed_organizations = your-org-name
team_ids = 123456,789012
```
Configure role-based access control
Set up advanced RBAC with team mapping and organization management.
```ini
[users]
allow_sign_up = false
allow_org_create = false
auto_assign_org = true
auto_assign_org_id = 1
auto_assign_org_role = Viewer
verify_email_enabled = true
login_hint = Use your corporate credentials
default_theme = dark
home_page = /dashboards

[auth]
login_cookie_name = grafana_session
login_maximum_inactive_lifetime_duration = 7d
login_maximum_lifetime_duration = 30d
token_rotation_interval_minutes = 10
disable_login_form = false
disable_signout_menu = false
signout_redirect_url = https://sso.example.com/logout
oauth_auto_login = false
```
Configure team synchronization
Enable automatic team synchronization from external identity providers. The LDAP group search keys are ldap.toml settings and belong inside the `[[servers]]` block, not in grafana.ini. Because the filter matches on `member`, which holds the user's DN rather than the login name, `group_search_filter_user_attribute` must name the DN attribute so that `%s` is substituted correctly:

```toml
[[servers]]
# existing server settings from above, then:
group_search_filter = "(&(objectClass=group)(member=%s))"
group_search_base_dns = ["ou=groups,dc=example,dc=com"]
group_search_filter_user_attribute = "distinguishedName"
```

The provider-side settings go in grafana.ini:

```ini
[auth]
team_sync_enabled = true

[auth.saml]
teams_attribute_name = Teams
teams_attribute_path = Teams

[auth.google]
team_ids = 123456789
allowed_organizations = example-org

[auth.github]
team_ids = 123456,789012
allowed_organizations = example-org
```
Set file permissions and start Grafana
Secure configuration files and start the Grafana service.
```bash
sudo chown -R grafana:grafana /etc/grafana/
sudo chmod 755 /etc/grafana
# grafana.ini now holds OAuth client secrets, so keep it group-readable only
sudo chmod 640 /etc/grafana/grafana.ini
sudo chmod 640 /etc/grafana/ldap.toml
sudo chmod 640 /etc/grafana/license.jwt
sudo systemctl enable --now grafana-server
sudo systemctl status grafana-server
```
Configure firewall access
Open the Grafana port for web access while maintaining security.
```bash
sudo ufw allow 3000/tcp
sudo ufw status
```
Configure SSO testing and validation
Test LDAP authentication
Validate LDAP connectivity and user authentication.
```bash
sudo grafana-cli admin ldap-test --config=/etc/grafana/grafana.ini
sudo grafana-cli admin ldap-sync --config=/etc/grafana/grafana.ini
```
Configure SAML metadata exchange
Exchange metadata with your SAML identity provider.
```bash
curl -s http://localhost:3000/saml/metadata | sudo tee /var/tmp/grafana-saml-metadata.xml
echo "Upload /var/tmp/grafana-saml-metadata.xml to your SAML provider"
```
Create OAuth2 applications
Register OAuth2 applications with Google and GitHub. The authorized redirect URL for each application must match Grafana's callback path under the `root_url` you configured: `https://grafana.example.com/login/google` for Google and `https://grafana.example.com/login/github` for GitHub. Copy the resulting client ID and secret into the corresponding `[auth.google]` and `[auth.github]` sections.
Verify your setup
Test all SSO authentication methods and verify user provisioning works correctly.
```bash
sudo systemctl status grafana-server
curl -I http://localhost:3000/login
sudo tail -f /var/log/grafana/grafana.log
```
Access Grafana at http://localhost:3000 and test each authentication method. Check that users are automatically assigned to correct teams and organizations based on their group memberships.
```bash
sudo grafana-cli admin ldap-test
sudo journalctl -u grafana-server -f
```
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| LDAP authentication fails | Incorrect bind credentials or search filter | Test with `sudo grafana-cli admin ldap-test` and check `bind_dn`/`bind_password` |
| SAML metadata errors | Certificate mismatch or expired certificates | Regenerate certificates and update IdP metadata |
| OAuth2 redirect mismatch | Incorrect callback URLs in OAuth2 app configuration | Update redirect URLs to match Grafana server URL |
| Users not assigned to teams | Group mapping configuration incorrect | Check `group_dn` values and team synchronization settings |
| Permission denied on config files | Incorrect file ownership or permissions | Run `sudo chown grafana:grafana /etc/grafana/*` and `chmod 640` |
Next steps
- Configure advanced Grafana dashboards and alerting with Prometheus integration
- Configure Keycloak OAuth2 integration with OpenResty for enterprise SSO
- Configure Grafana Enterprise RBAC policies with fine-grained permissions
- Set up Grafana Enterprise high availability clustering with PostgreSQL
- Integrate Grafana with Vault for secure secrets management and credential rotation
Automated install script
Run this to automate the entire setup
```bash
#!/usr/bin/env bash
set -euo pipefail

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Configuration (positional arguments; everything but the domain is optional)
GRAFANA_VERSION="${GRAFANA_VERSION:-latest}"
DOMAIN="${1:-localhost}"
GRAFANA_PORT="${GRAFANA_PORT:-3000}"
LDAP_SERVER="${2:-}"
SAML_METADATA_URL="${3:-}"
OAUTH_CLIENT_ID="${4:-}"
OAUTH_CLIENT_SECRET="${5:-}"

# Usage message
usage() {
    echo "Usage: $0 [domain] [ldap_server] [saml_metadata_url] [oauth_client_id] [oauth_client_secret]"
    echo "Example: $0 grafana.company.com ldap://ad.company.com:389 https://idp.company.com/metadata client_id client_secret"
    exit 1
}

case "${1:-}" in
    -h|--help) usage ;;
esac

# Print colored output
log() {
    local color=$1
    shift
    echo -e "${color}$*${NC}"
}

# Error handling and cleanup
cleanup() {
    log "$RED" "Installation failed. Cleaning up..."
    if systemctl is-active --quiet grafana-server 2>/dev/null; then
        systemctl stop grafana-server || true
    fi
}
trap cleanup ERR

# Check prerequisites
check_prerequisites() {
    log "$BLUE" "[1/10] Checking prerequisites..."
    if [[ $EUID -ne 0 ]]; then
        log "$RED" "This script must be run as root"
        exit 1
    fi
    # Check for required tools (openssl is only needed when SAML is configured)
    local required=(curl wget systemctl)
    [[ -n "$SAML_METADATA_URL" ]] && required+=(openssl)
    for cmd in "${required[@]}"; do
        if ! command -v "$cmd" &> /dev/null; then
            log "$RED" "Required command not found: $cmd"
            exit 1
        fi
    done
    log "$GREEN" "Prerequisites check passed"
}

# Detect distribution
detect_distro() {
    log "$BLUE" "[2/10] Detecting distribution..."
    if [ -f /etc/os-release ]; then
        . /etc/os-release
        case "$ID" in
            ubuntu|debian)
                PKG_MGR="apt"
                PKG_INSTALL="apt install -y"
                PKG_UPDATE="apt update"
                FIREWALL_CMD="ufw"
                ;;
            almalinux|rocky|centos|rhel|ol)
                PKG_MGR="dnf"
                PKG_INSTALL="dnf install -y"
                PKG_UPDATE="dnf update -y"
                FIREWALL_CMD="firewall-cmd"
                ;;
            fedora)
                PKG_MGR="dnf"
                PKG_INSTALL="dnf install -y"
                PKG_UPDATE="dnf update -y"
                FIREWALL_CMD="firewall-cmd"
                ;;
            amzn)
                PKG_MGR="yum"
                PKG_INSTALL="yum install -y"
                PKG_UPDATE="yum update -y"
                FIREWALL_CMD="iptables"
                ;;
            *)
                log "$RED" "Unsupported distribution: $ID"
                exit 1
                ;;
        esac
    else
        log "$RED" "Cannot detect distribution"
        exit 1
    fi
    log "$GREEN" "Detected: $PRETTY_NAME (Package manager: $PKG_MGR)"
}

# Install dependencies
install_dependencies() {
    log "$BLUE" "[3/10] Installing dependencies..."
    $PKG_UPDATE
    case "$PKG_MGR" in
        apt)
            $PKG_INSTALL curl wget gnupg2 software-properties-common
            ;;
        dnf|yum)
            $PKG_INSTALL curl wget gnupg2
            ;;
    esac
    log "$GREEN" "Dependencies installed"
}

# Install Grafana Enterprise
install_grafana_enterprise() {
    log "$BLUE" "[4/10] Installing Grafana Enterprise..."
    case "$PKG_MGR" in
        apt)
            wget -q -O - https://packages.grafana.com/gpg.key | apt-key add -
            echo "deb https://packages.grafana.com/enterprise/deb stable main" > /etc/apt/sources.list.d/grafana.list
            $PKG_UPDATE
            $PKG_INSTALL grafana-enterprise
            ;;
        dnf|yum)
            cat > /etc/yum.repos.d/grafana.repo << EOF
[grafana]
name=grafana
baseurl=https://packages.grafana.com/enterprise/rpm
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://packages.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
EOF
            $PKG_INSTALL grafana-enterprise
            ;;
    esac
    log "$GREEN" "Grafana Enterprise installed"
}

# Configure LDAP authentication
configure_ldap() {
    log "$BLUE" "[5/10] Configuring LDAP authentication..."
    if [[ -z "$LDAP_SERVER" ]]; then
        log "$YELLOW" "LDAP server not specified, skipping LDAP configuration"
        return
    fi
    # The usage example passes a URL (ldap://host:389); ldap.toml wants a bare host name
    local ldap_host="${LDAP_SERVER#ldap://}"
    ldap_host="${ldap_host#ldaps://}"
    ldap_host="${ldap_host%%/*}"
    ldap_host="${ldap_host%%:*}"
    # bind_dn and bind_password are placeholders; the completion message reminds you to replace them
    cat > /etc/grafana/ldap.toml << EOF
[[servers]]
host = "$ldap_host"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
bind_dn = "cn=admin,dc=company,dc=com"
bind_password = 'grafana'
search_filter = "(cn=%s)"
search_base_dns = ["dc=company,dc=com"]
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
group_search_base_dns = ["ou=groups,dc=company,dc=com"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "email"

[[servers.group_mappings]]
group_dn = "cn=admins,ou=groups,dc=company,dc=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=users,ou=groups,dc=company,dc=com"
org_role = "Editor"
EOF
    chown grafana:grafana /etc/grafana/ldap.toml
    chmod 640 /etc/grafana/ldap.toml
    log "$GREEN" "LDAP configuration created"
}

# Configure Grafana main configuration
configure_grafana() {
    log "$BLUE" "[6/10] Configuring Grafana settings..."
    # Only enable a provider when its inputs were supplied; enabling LDAP without
    # a config file, or SAML without metadata, stops Grafana from starting
    local ldap_enabled=false github_enabled=false saml_enabled=false
    if [[ -n "$LDAP_SERVER" ]]; then ldap_enabled=true; fi
    if [[ -n "$OAUTH_CLIENT_ID" ]]; then github_enabled=true; fi
    if [[ -n "$SAML_METADATA_URL" ]]; then saml_enabled=true; fi
    # Backup original config
    cp /etc/grafana/grafana.ini /etc/grafana/grafana.ini.backup
    cat >> /etc/grafana/grafana.ini << EOF

# Custom SSO Configuration
[server]
domain = $DOMAIN
root_url = http://$DOMAIN:$GRAFANA_PORT/

[auth.ldap]
enabled = $ldap_enabled
config_file = /etc/grafana/ldap.toml
allow_sign_up = true

[auth.github]
enabled = $github_enabled
allow_sign_up = true
client_id = ${OAUTH_CLIENT_ID:-}
client_secret = ${OAUTH_CLIENT_SECRET:-}
scopes = user:email,read:org
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
api_url = https://api.github.com/user
allowed_organizations =

[auth.google]
enabled = false
allow_sign_up = true
client_id =
client_secret =
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
auth_url = https://accounts.google.com/o/oauth2/auth
token_url = https://accounts.google.com/o/oauth2/token
api_url = https://www.googleapis.com/oauth2/v1/userinfo

[auth.saml]
enabled = $saml_enabled
certificate_path = /etc/grafana/saml.crt
private_key_path = /etc/grafana/saml.key
idp_metadata_url = ${SAML_METADATA_URL:-}
max_issue_delay = 90s
metadata_valid_duration = 48h
allow_idp_initiated = true
EOF
    chown grafana:grafana /etc/grafana/grafana.ini
    chmod 640 /etc/grafana/grafana.ini
    log "$GREEN" "Grafana configuration updated"
}

# Generate SAML certificates
generate_saml_certs() {
    log "$BLUE" "[7/10] Generating SAML certificates..."
    if [[ -z "$SAML_METADATA_URL" ]]; then
        log "$YELLOW" "SAML metadata URL not specified, skipping SAML certificate generation"
        return
    fi
    openssl req -x509 -newkey rsa:4096 -keyout /etc/grafana/saml.key -out /etc/grafana/saml.crt -days 365 -nodes -subj "/CN=$DOMAIN"
    chown grafana:grafana /etc/grafana/saml.key /etc/grafana/saml.crt
    chmod 600 /etc/grafana/saml.key
    chmod 644 /etc/grafana/saml.crt
    log "$GREEN" "SAML certificates generated"
}

# Configure firewall
configure_firewall() {
    log "$BLUE" "[8/10] Configuring firewall..."
    case "$FIREWALL_CMD" in
        ufw)
            if command -v ufw &> /dev/null; then
                ufw allow "$GRAFANA_PORT/tcp"
                log "$GREEN" "UFW rule added for port $GRAFANA_PORT"
            fi
            ;;
        firewall-cmd)
            if command -v firewall-cmd &> /dev/null && systemctl is-active --quiet firewalld; then
                firewall-cmd --permanent --add-port="$GRAFANA_PORT/tcp"
                firewall-cmd --reload
                log "$GREEN" "Firewalld rule added for port $GRAFANA_PORT"
            fi
            ;;
        *)
            log "$YELLOW" "No supported firewall tool found; open TCP port $GRAFANA_PORT manually"
            ;;
    esac
}

# Start and enable Grafana
start_grafana() {
    log "$BLUE" "[9/10] Starting Grafana Enterprise..."
    systemctl daemon-reload
    systemctl enable grafana-server
    systemctl start grafana-server
    # Wait for Grafana to start
    sleep 5
    log "$GREEN" "Grafana Enterprise started and enabled"
}

# Verify installation
verify_installation() {
    log "$BLUE" "[10/10] Verifying installation..."
    # Check service status
    if ! systemctl is-active --quiet grafana-server; then
        log "$RED" "Grafana service is not running"
        return 1
    fi
    # Check if port is listening (netstat first, ss as fallback)
    if ! netstat -tuln 2>/dev/null | grep -q ":$GRAFANA_PORT "; then
        if ! ss -tuln 2>/dev/null | grep -q ":$GRAFANA_PORT "; then
            log "$RED" "Grafana is not listening on port $GRAFANA_PORT"
            return 1
        fi
    fi
    # Test HTTP response
    sleep 3
    if curl -sSf "http://localhost:$GRAFANA_PORT/api/health" > /dev/null 2>&1; then
        log "$GREEN" "Grafana health check passed"
    else
        log "$YELLOW" "Grafana health check failed, but service is running"
    fi
    # Test LDAP if configured
    if [[ -n "$LDAP_SERVER" ]]; then
        if grafana-cli admin ldap-test > /dev/null 2>&1; then
            log "$GREEN" "LDAP test passed"
        else
            log "$YELLOW" "LDAP test failed - check configuration"
        fi
    fi
    log "$GREEN" "Installation verification completed"
}

# Print completion message
print_completion() {
    log "$GREEN" "
========================================
Grafana Enterprise SSO Setup Complete!
========================================
Access URL: http://$DOMAIN:$GRAFANA_PORT
Default credentials: admin/admin (change on first login)

Configuration files:
  - Main config: /etc/grafana/grafana.ini
  - LDAP config: /etc/grafana/ldap.toml
  - SAML certs: /etc/grafana/saml.crt, /etc/grafana/saml.key

Service management:
  - Status: systemctl status grafana-server
  - Logs: journalctl -u grafana-server -f
  - LDAP test: grafana-cli admin ldap-test

Next steps:
  1. Change default admin password
  2. Configure OAuth2 applications in GitHub/Google
  3. Test all authentication methods
  4. Set up team mappings and permissions
"
    if [[ -n "$LDAP_SERVER" ]]; then
        log "$YELLOW" "Remember to update LDAP bind credentials in /etc/grafana/ldap.toml"
    fi
    if [[ -n "$SAML_METADATA_URL" ]]; then
        log "$YELLOW" "Upload SAML certificate to your identity provider: /etc/grafana/saml.crt"
    fi
}

# Main execution
main() {
    check_prerequisites
    detect_distro
    install_dependencies
    install_grafana_enterprise
    configure_ldap
    configure_grafana
    generate_saml_certs
    configure_firewall
    start_grafana
    verify_installation
    print_completion
}

# Run main function
main "$@"
```
Review the script before running it. It must run as root, so execute it with `sudo bash install.sh grafana.example.com [ldap_server] [saml_metadata_url] [oauth_client_id] [oauth_client_secret]`.