Grafana v0.7.0 published on Tuesday, Nov 5, 2024 by pulumiverse

grafana.SsoSettings

Grafana v0.7.0 published on Tuesday, Nov 5, 2024 by pulumiverse
    Deprecated: grafana.index/ssosettings.SsoSettings has been deprecated in favor of grafana.oss/ssosettings.SsoSettings

    Manages Grafana SSO Settings for OAuth2 and SAML. Support for SAML is currently in preview; it will be available in Grafana Enterprise starting with v11.1.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as grafana from "@pulumiverse/grafana";
    
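    // OAuth2 client secrets are read from encrypted stack configuration instead of
    // being written into the program source. Set them once per stack, e.g.
    //   pulumi config set --secret githubClientSecret <value>
    //   pulumi config set --secret genericClientSecret <value>
    // (the two key names are sample names chosen for this example).
    const config = new pulumi.Config();

    // Configure SSO for GitHub using OAuth2.
    // allowSignUp lets users without an existing Grafana account log in, so the
    // teamIds / allowedOrganizations / allowedDomains filters below are what
    // bound who can obtain an account.
    const githubSsoSettings = new grafana.oss.SsoSettings("github_sso_settings", {
        providerName: "github",
        oauth2Settings: {
            name: "Github",
            clientId: "<your GitHub app client id>",
            clientSecret: config.requireSecret("githubClientSecret"),
            allowSignUp: true,
            autoLogin: false,
            scopes: "user:email,read:org",
            teamIds: "150,300",
            allowedOrganizations: "[\"My Organization\", \"Octocats\"]",
            allowedDomains: "mycompany.com mycompany.org",
        },
    });
    // Configure SSO using generic OAuth2.
    // NOTE(review): allowSignUp is true and no allowedDomains / allowedGroups /
    // allowedOrganizations filter is set here, so sign-up is limited only by
    // whoever the identity provider will authenticate; add a filter if that is
    // broader than intended.
    const genericSsoSettings = new grafana.oss.SsoSettings("generic_sso_settings", {
        providerName: "generic_oauth",
        oauth2Settings: {
            name: "Auth0",
            authUrl: "https://<domain>/authorize",
            tokenUrl: "https://<domain>/oauth/token",
            apiUrl: "https://<domain>/userinfo",
            clientId: "<client id>",
            clientSecret: config.requireSecret("genericClientSecret"),
            allowSignUp: true,
            autoLogin: false,
            scopes: "openid profile email offline_access",
            usePkce: true,
            useRefreshToken: true,
        },
    });
    // Configure SSO using SAML.
    // NOTE(review): certificatePath / privateKeyPath look like development-
    // environment sample paths; point them at key material generated for the
    // deployment and readable only by the Grafana service account.
    const samlSsoSettings = new grafana.oss.SsoSettings("saml_sso_settings", {
        providerName: "saml",
        samlSettings: {
            allowSignUp: true,
            certificatePath: "devenv/docker/blocks/auth/saml-enterprise/cert.crt",
            privateKeyPath: "devenv/docker/blocks/auth/saml-enterprise/key.pem",
            idpMetadataUrl: "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
            signatureAlgorithm: "rsa-sha256",
            assertionAttributeLogin: "login",
            assertionAttributeEmail: "email",
            nameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        },
    });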
    
    import pulumi
    import pulumiverse_grafana as grafana
    
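    # OAuth2 client secrets are read from encrypted stack configuration instead of
    # being written into the program source. Set them once per stack, e.g.
    #   pulumi config set --secret githubClientSecret <value>
    #   pulumi config set --secret genericClientSecret <value>
    # (the two key names are sample names chosen for this example).
    config = pulumi.Config()

    # Configure SSO for GitHub using OAuth2.
    # allow_sign_up lets users without an existing Grafana account log in, so the
    # team_ids / allowed_organizations / allowed_domains filters below are what
    # bound who can obtain an account.
    github_sso_settings = grafana.oss.SsoSettings("github_sso_settings",
        provider_name="github",
        oauth2_settings={
            "name": "Github",
            "client_id": "<your GitHub app client id>",
            "client_secret": config.require_secret("githubClientSecret"),
            "allow_sign_up": True,
            "auto_login": False,
            "scopes": "user:email,read:org",
            "team_ids": "150,300",
            "allowed_organizations": "[\"My Organization\", \"Octocats\"]",
            "allowed_domains": "mycompany.com mycompany.org",
        })
    # Configure SSO using generic OAuth2.
    # NOTE(review): allow_sign_up is True and no allowed_domains / allowed_groups /
    # allowed_organizations filter is set here, so sign-up is limited only by
    # whoever the identity provider will authenticate; add a filter if that is
    # broader than intended.
    generic_sso_settings = grafana.oss.SsoSettings("generic_sso_settings",
        provider_name="generic_oauth",
        oauth2_settings={
            "name": "Auth0",
            "auth_url": "https://<domain>/authorize",
            "token_url": "https://<domain>/oauth/token",
            "api_url": "https://<domain>/userinfo",
            "client_id": "<client id>",
            "client_secret": config.require_secret("genericClientSecret"),
            "allow_sign_up": True,
            "auto_login": False,
            "scopes": "openid profile email offline_access",
            "use_pkce": True,
            "use_refresh_token": True,
        })
    # Configure SSO using SAML.
    # NOTE(review): certificate_path / private_key_path look like development-
    # environment sample paths; point them at key material generated for the
    # deployment and readable only by the Grafana service account.
    saml_sso_settings = grafana.oss.SsoSettings("saml_sso_settings",
        provider_name="saml",
        saml_settings={
            "allow_sign_up": True,
            "certificate_path": "devenv/docker/blocks/auth/saml-enterprise/cert.crt",
            "private_key_path": "devenv/docker/blocks/auth/saml-enterprise/key.pem",
            "idp_metadata_url": "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
            "signature_algorithm": "rsa-sha256",
            "assertion_attribute_login": "login",
            "assertion_attribute_email": "email",
            "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        })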
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumiverse/pulumi-grafana/sdk/go/grafana/oss"
    )
    
    // main registers three example Grafana SSO configurations with the Pulumi
    // engine, in order: GitHub OAuth2, generic OAuth2, then SAML. The first
    // registration error aborts the run and is returned to pulumi.Run.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// GitHub OAuth2. AllowSignUp is on, so TeamIds, AllowedOrganizations
    		// and AllowedDomains are what bound who can obtain an account.
    		// NOTE(review): ClientSecret is a placeholder; in a real program
    		// supply it from secret stack configuration, not a source literal.
    		githubArgs := &oss.SsoSettingsArgs{
    			ProviderName: pulumi.String("github"),
    			Oauth2Settings: &oss.SsoSettingsOauth2SettingsArgs{
    				Name:                 pulumi.String("Github"),
    				ClientId:             pulumi.String("<your GitHub app client id>"),
    				ClientSecret:         pulumi.String("<your GitHub app client secret>"),
    				AllowSignUp:          pulumi.Bool(true),
    				AutoLogin:            pulumi.Bool(false),
    				Scopes:               pulumi.String("user:email,read:org"),
    				TeamIds:              pulumi.String("150,300"),
    				AllowedOrganizations: pulumi.String("[\"My Organization\", \"Octocats\"]"),
    				AllowedDomains:       pulumi.String("mycompany.com mycompany.org"),
    			},
    		}

    		// Generic OAuth2 with PKCE and refresh tokens enabled.
    		// NOTE(review): AllowSignUp is on and no AllowedDomains /
    		// AllowedGroups / AllowedOrganizations filter is set, so sign-up is
    		// limited only by whoever the identity provider authenticates.
    		genericArgs := &oss.SsoSettingsArgs{
    			ProviderName: pulumi.String("generic_oauth"),
    			Oauth2Settings: &oss.SsoSettingsOauth2SettingsArgs{
    				Name:            pulumi.String("Auth0"),
    				AuthUrl:         pulumi.String("https://<domain>/authorize"),
    				TokenUrl:        pulumi.String("https://<domain>/oauth/token"),
    				ApiUrl:          pulumi.String("https://<domain>/userinfo"),
    				ClientId:        pulumi.String("<client id>"),
    				ClientSecret:    pulumi.String("<client secret>"),
    				AllowSignUp:     pulumi.Bool(true),
    				AutoLogin:       pulumi.Bool(false),
    				Scopes:          pulumi.String("openid profile email offline_access"),
    				UsePkce:         pulumi.Bool(true),
    				UseRefreshToken: pulumi.Bool(true),
    			},
    		}

    		// SAML.
    		// NOTE(review): CertificatePath / PrivateKeyPath look like
    		// development-environment sample paths; replace them with key
    		// material generated for the deployment.
    		samlArgs := &oss.SsoSettingsArgs{
    			ProviderName: pulumi.String("saml"),
    			SamlSettings: &oss.SsoSettingsSamlSettingsArgs{
    				AllowSignUp:             pulumi.Bool(true),
    				CertificatePath:         pulumi.String("devenv/docker/blocks/auth/saml-enterprise/cert.crt"),
    				PrivateKeyPath:          pulumi.String("devenv/docker/blocks/auth/saml-enterprise/key.pem"),
    				IdpMetadataUrl:          pulumi.String("https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml"),
    				SignatureAlgorithm:      pulumi.String("rsa-sha256"),
    				AssertionAttributeLogin: pulumi.String("login"),
    				AssertionAttributeEmail: pulumi.String("email"),
    				NameIdFormat:            pulumi.String("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"),
    			},
    		}

    		// Register in the same order as declared; stop at the first failure.
    		if _, err := oss.NewSsoSettings(ctx, "github_sso_settings", githubArgs); err != nil {
    			return err
    		}
    		if _, err := oss.NewSsoSettings(ctx, "generic_sso_settings", genericArgs); err != nil {
    			return err
    		}
    		_, err := oss.NewSsoSettings(ctx, "saml_sso_settings", samlArgs)
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Grafana = Pulumiverse.Grafana;
    
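    return await Deployment.RunAsync(() =>
    {
        // OAuth2 client secrets are read from encrypted stack configuration
        // instead of being written into the program source. Set them once per
        // stack, e.g.
        //   pulumi config set --secret githubClientSecret <value>
        //   pulumi config set --secret genericClientSecret <value>
        // (the two key names are sample names chosen for this example).
        var config = new Config();

        // Configure SSO for GitHub using OAuth2.
        // AllowSignUp lets users without an existing Grafana account log in, so
        // the TeamIds / AllowedOrganizations / AllowedDomains filters below are
        // what bound who can obtain an account.
        var githubSsoSettings = new Grafana.Oss.SsoSettings("github_sso_settings", new()
        {
            ProviderName = "github",
            Oauth2Settings = new Grafana.Oss.Inputs.SsoSettingsOauth2SettingsArgs
            {
                Name = "Github",
                ClientId = "<your GitHub app client id>",
                ClientSecret = config.RequireSecret("githubClientSecret"),
                AllowSignUp = true,
                AutoLogin = false,
                Scopes = "user:email,read:org",
                TeamIds = "150,300",
                AllowedOrganizations = "[\"My Organization\", \"Octocats\"]",
                AllowedDomains = "mycompany.com mycompany.org",
            },
        });

        // Configure SSO using generic OAuth2.
        // NOTE(review): AllowSignUp is true and no AllowedDomains /
        // AllowedGroups / AllowedOrganizations filter is set here, so sign-up is
        // limited only by whoever the identity provider will authenticate.
        var genericSsoSettings = new Grafana.Oss.SsoSettings("generic_sso_settings", new()
        {
            ProviderName = "generic_oauth",
            Oauth2Settings = new Grafana.Oss.Inputs.SsoSettingsOauth2SettingsArgs
            {
                Name = "Auth0",
                AuthUrl = "https://<domain>/authorize",
                TokenUrl = "https://<domain>/oauth/token",
                ApiUrl = "https://<domain>/userinfo",
                ClientId = "<client id>",
                ClientSecret = config.RequireSecret("genericClientSecret"),
                AllowSignUp = true,
                AutoLogin = false,
                Scopes = "openid profile email offline_access",
                UsePkce = true,
                UseRefreshToken = true,
            },
        });

        // Configure SSO using SAML.
        // NOTE(review): CertificatePath / PrivateKeyPath look like development-
        // environment sample paths; point them at key material generated for
        // the deployment and readable only by the Grafana service account.
        var samlSsoSettings = new Grafana.Oss.SsoSettings("saml_sso_settings", new()
        {
            ProviderName = "saml",
            SamlSettings = new Grafana.Oss.Inputs.SsoSettingsSamlSettingsArgs
            {
                AllowSignUp = true,
                CertificatePath = "devenv/docker/blocks/auth/saml-enterprise/cert.crt",
                PrivateKeyPath = "devenv/docker/blocks/auth/saml-enterprise/key.pem",
                IdpMetadataUrl = "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
                SignatureAlgorithm = "rsa-sha256",
                AssertionAttributeLogin = "login",
                AssertionAttributeEmail = "email",
                NameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
            },
        });

    });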
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.grafana.oss.SsoSettings;
    import com.pulumi.grafana.oss.SsoSettingsArgs;
    import com.pulumi.grafana.oss.inputs.SsoSettingsOauth2SettingsArgs;
    import com.pulumi.grafana.oss.inputs.SsoSettingsSamlSettingsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
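    /**
     * Example Pulumi program that declares three Grafana SSO configurations:
     * GitHub OAuth2, generic OAuth2 and SAML.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the SSO resources for the stack.
         *
         * OAuth2 client secrets are read from encrypted stack configuration
         * instead of being written into the program source. Set them once per
         * stack, e.g. {@code pulumi config set --secret githubClientSecret <value>}
         * (the key names used below are sample names chosen for this example).
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            var config = ctx.config();

            // Configure SSO for GitHub using OAuth2.
            // allowSignUp lets users without an existing Grafana account log in,
            // so the teamIds / allowedOrganizations / allowedDomains filters are
            // what bound who can obtain an account.
            var githubSsoSettings = new SsoSettings("githubSsoSettings", SsoSettingsArgs.builder()
                .providerName("github")
                .oauth2Settings(SsoSettingsOauth2SettingsArgs.builder()
                    .name("Github")
                    .clientId("<your GitHub app client id>")
                    .clientSecret(config.requireSecret("githubClientSecret"))
                    .allowSignUp(true)
                    .autoLogin(false)
                    .scopes("user:email,read:org")
                    .teamIds("150,300")
                    .allowedOrganizations("[\"My Organization\", \"Octocats\"]")
                    .allowedDomains("mycompany.com mycompany.org")
                    .build())
                .build());

            // Configure SSO using generic OAuth2.
            // NOTE(review): allowSignUp is true and no allowedDomains /
            // allowedGroups / allowedOrganizations filter is set here, so sign-up
            // is limited only by whoever the identity provider will authenticate.
            var genericSsoSettings = new SsoSettings("genericSsoSettings", SsoSettingsArgs.builder()
                .providerName("generic_oauth")
                .oauth2Settings(SsoSettingsOauth2SettingsArgs.builder()
                    .name("Auth0")
                    .authUrl("https://<domain>/authorize")
                    .tokenUrl("https://<domain>/oauth/token")
                    .apiUrl("https://<domain>/userinfo")
                    .clientId("<client id>")
                    .clientSecret(config.requireSecret("genericClientSecret"))
                    .allowSignUp(true)
                    .autoLogin(false)
                    .scopes("openid profile email offline_access")
                    .usePkce(true)
                    .useRefreshToken(true)
                    .build())
                .build());

            // Configure SSO using SAML.
            // NOTE(review): certificatePath / privateKeyPath look like
            // development-environment sample paths; point them at key material
            // generated for the deployment.
            var samlSsoSettings = new SsoSettings("samlSsoSettings", SsoSettingsArgs.builder()
                .providerName("saml")
                .samlSettings(SsoSettingsSamlSettingsArgs.builder()
                    .allowSignUp(true)
                    .certificatePath("devenv/docker/blocks/auth/saml-enterprise/cert.crt")
                    .privateKeyPath("devenv/docker/blocks/auth/saml-enterprise/key.pem")
                    .idpMetadataUrl("https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml")
                    .signatureAlgorithm("rsa-sha256")
                    .assertionAttributeLogin("login")
                    .assertionAttributeEmail("email")
                    .nameIdFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
                    .build())
                .build());

        }
    }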
    
    # Three example Grafana SSO configurations: GitHub OAuth2, generic OAuth2, SAML.
    resources:
      # Configure SSO for GitHub using OAuth2
      # allowSignUp is true, so teamIds / allowedOrganizations / allowedDomains
      # are what bound who can obtain an account.
      githubSsoSettings:
        type: grafana:oss:SsoSettings
        name: github_sso_settings
        properties:
          providerName: github
          oauth2Settings:
            name: Github
            clientId: <your GitHub app client id>
            # NOTE(review): placeholder; supply the real secret from secret stack
            # configuration rather than committing it in this file.
            clientSecret: <your GitHub app client secret>
            allowSignUp: true
            autoLogin: false
            scopes: user:email,read:org
            teamIds: 150,300
            allowedOrganizations: '["My Organization", "Octocats"]'
            allowedDomains: mycompany.com mycompany.org
      # Configure SSO using generic OAuth2
      # NOTE(review): allowSignUp is true and no allowedDomains / allowedGroups /
      # allowedOrganizations filter is set, so sign-up is limited only by whoever
      # the identity provider will authenticate.
      genericSsoSettings:
        type: grafana:oss:SsoSettings
        name: generic_sso_settings
        properties:
          providerName: generic_oauth
          oauth2Settings:
            name: Auth0
            authUrl: https://<domain>/authorize
            tokenUrl: https://<domain>/oauth/token
            apiUrl: https://<domain>/userinfo
            clientId: <client id>
            # NOTE(review): placeholder; supply the real secret from secret stack
            # configuration rather than committing it in this file.
            clientSecret: <client secret>
            allowSignUp: true
            autoLogin: false
            scopes: openid profile email offline_access
            usePkce: true
            useRefreshToken: true
      # Configure SSO using SAML
      samlSsoSettings:
        type: grafana:oss:SsoSettings
        name: saml_sso_settings
        properties:
          providerName: saml
          samlSettings:
            allowSignUp: true
            # NOTE(review): the two paths below look like development-environment
            # sample paths; replace with key material generated for the deployment.
            certificatePath: devenv/docker/blocks/auth/saml-enterprise/cert.crt
            privateKeyPath: devenv/docker/blocks/auth/saml-enterprise/key.pem
            idpMetadataUrl: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
            signatureAlgorithm: rsa-sha256
            assertionAttributeLogin: login
            assertionAttributeEmail: email
            nameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    

    Create SsoSettings Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new SsoSettings(name: string, args: SsoSettingsArgs, opts?: CustomResourceOptions);
    @overload
    def SsoSettings(resource_name: str,
                    args: SsoSettingsArgs,
                    opts: Optional[ResourceOptions] = None)
    
    @overload
    def SsoSettings(resource_name: str,
                    opts: Optional[ResourceOptions] = None,
                    oauth2_settings: Optional[SsoSettingsOauth2SettingsArgs] = None,
                    provider_name: Optional[str] = None,
                    saml_settings: Optional[SsoSettingsSamlSettingsArgs] = None)
    func NewSsoSettings(ctx *Context, name string, args SsoSettingsArgs, opts ...ResourceOption) (*SsoSettings, error)
    public SsoSettings(string name, SsoSettingsArgs args, CustomResourceOptions? opts = null)
    public SsoSettings(String name, SsoSettingsArgs args)
    public SsoSettings(String name, SsoSettingsArgs args, CustomResourceOptions options)
    
    type: grafana:SsoSettings
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args SsoSettingsArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SsoSettingsArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SsoSettingsArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SsoSettingsArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SsoSettingsArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    SsoSettings Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The SsoSettings resource accepts the following input properties:

    ProviderName string
    The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
    Oauth2Settings Pulumiverse.Grafana.Inputs.SsoSettingsOauth2Settings
    The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.
    SamlSettings Pulumiverse.Grafana.Inputs.SsoSettingsSamlSettings
    The SAML settings set. Required for the saml provider.
    ProviderName string
    The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
    Oauth2Settings SsoSettingsOauth2SettingsArgs
    The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.
    SamlSettings SsoSettingsSamlSettingsArgs
    The SAML settings set. Required for the saml provider.
    providerName String
    The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
    oauth2Settings SsoSettingsOauth2Settings
    The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.
    samlSettings SsoSettingsSamlSettings
    The SAML settings set. Required for the saml provider.
    providerName string
    The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
    oauth2Settings SsoSettingsOauth2Settings
    The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.
    samlSettings SsoSettingsSamlSettings
    The SAML settings set. Required for the saml provider.
    provider_name str
    The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
    oauth2_settings SsoSettingsOauth2SettingsArgs
    The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.
    saml_settings SsoSettingsSamlSettingsArgs
    The SAML settings set. Required for the saml provider.
    providerName String
    The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
    oauth2Settings Property Map
    The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.
    samlSettings Property Map
    The SAML settings set. Required for the saml provider.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SsoSettings resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing SsoSettings Resource

    Get an existing SsoSettings resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SsoSettingsState, opts?: CustomResourceOptions): SsoSettings
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            oauth2_settings: Optional[SsoSettingsOauth2SettingsArgs] = None,
            provider_name: Optional[str] = None,
            saml_settings: Optional[SsoSettingsSamlSettingsArgs] = None) -> SsoSettings
    func GetSsoSettings(ctx *Context, name string, id IDInput, state *SsoSettingsState, opts ...ResourceOption) (*SsoSettings, error)
    public static SsoSettings Get(string name, Input<string> id, SsoSettingsState? state, CustomResourceOptions? opts = null)
    public static SsoSettings get(String name, Output<String> id, SsoSettingsState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Oauth2Settings Pulumiverse.Grafana.Inputs.SsoSettingsOauth2Settings
    The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.
    ProviderName string
    The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
    SamlSettings Pulumiverse.Grafana.Inputs.SsoSettingsSamlSettings
    The SAML settings set. Required for the saml provider.
    Oauth2Settings SsoSettingsOauth2SettingsArgs
    The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.
    ProviderName string
    The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
    SamlSettings SsoSettingsSamlSettingsArgs
    The SAML settings set. Required for the saml provider.
    oauth2Settings SsoSettingsOauth2Settings
    The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.
    providerName String
    The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
    samlSettings SsoSettingsSamlSettings
    The SAML settings set. Required for the saml provider.
    oauth2Settings SsoSettingsOauth2Settings
    The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.
    providerName string
    The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
    samlSettings SsoSettingsSamlSettings
    The SAML settings set. Required for the saml provider.
    oauth2_settings SsoSettingsOauth2SettingsArgs
    The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.
    provider_name str
    The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
    saml_settings SsoSettingsSamlSettingsArgs
    The SAML settings set. Required for the saml provider.
    oauth2Settings Property Map
    The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.
    providerName String
    The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
    samlSettings Property Map
    The SAML settings set. Required for the saml provider.

    Supporting Types

    SsoSettingsOauth2Settings, SsoSettingsOauth2SettingsArgs

    ClientId string
    The client Id of your OAuth2 app.
    AllowAssignGrafanaAdmin bool
    If enabled, it will automatically sync the Grafana server administrator role.
    AllowSignUp bool
    If not enabled, only existing Grafana users can log in using OAuth.
    AllowedDomains string
    List of comma- or space-separated domains. The user should belong to at least one domain to log in.
    AllowedGroups string
    List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.
    AllowedOrganizations string
    List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
    ApiUrl string
    The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
    AuthStyle string
    Determines how client_id and client_secret are sent to the OAuth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
    AuthUrl string
    The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
    AutoLogin bool
    Log in automatically, skipping the login screen.
    ClientSecret string
    The client secret of your OAuth2 app.
    Custom Dictionary<string, string>
    Custom fields to configure for OAuth2 such as the force_use_graph_api field.
    DefineAllowedGroups bool
    Define allowed groups.
    DefineAllowedTeamsIds bool
    Define allowed teams ids.
    EmailAttributeName string
    Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
    EmailAttributePath string
    JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
    EmptyScopes bool
    If enabled, no scopes will be sent to the OAuth2 provider.
    Enabled bool
    Define whether this configuration is enabled for the specified provider. Defaults to true.
    GroupsAttributePath string
    JMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.
    IdTokenAttributeName string
    The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
    LoginAttributePath string
    JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
    Name string
    Helpful if you use more than one identity provider or SSO protocol.
    NameAttributePath string
    JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
    RoleAttributePath string
    JMESPath expression to use for Grafana role lookup.
    RoleAttributeStrict bool
    If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
    Scopes string
    List of comma- or space-separated OAuth2 scopes.
    SignoutRedirectUrl string
    The URL to redirect the user to after signing out from Grafana.
    SkipOrgRoleSync bool
    Prevent synchronizing users’ organization roles from your IdP.
    TeamIds string
    String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.
    TeamIdsAttributePath string
    The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
    TeamsUrl string
    The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.
    TlsClientCa string
    The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
    TlsClientCert string
    The path to the certificate. Is not applicable on Grafana Cloud.
    TlsClientKey string
    The path to the key. Is not applicable on Grafana Cloud.
    TlsSkipVerifyInsecure bool
    If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
    TokenUrl string
    The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
    UsePkce bool
    If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
    UseRefreshToken bool
    If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
    ClientId string
    The client Id of your OAuth2 app.
    AllowAssignGrafanaAdmin bool
    If enabled, it will automatically sync the Grafana server administrator role.
    AllowSignUp bool
    If not enabled, only existing Grafana users can log in using OAuth.
    AllowedDomains string
    List of comma- or space-separated domains. The user should belong to at least one domain to log in.
    AllowedGroups string
    List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.
    AllowedOrganizations string
    List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
    ApiUrl string
    The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
    AuthStyle string
    Determines how client_id and client_secret are sent to the OAuth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
    AuthUrl string
    The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
    AutoLogin bool
    Log in automatically, skipping the login screen.
    ClientSecret string
    The client secret of your OAuth2 app.
    Custom map[string]string
    Custom fields to configure for OAuth2, such as the force_use_graph_api field.
    DefineAllowedGroups bool
    Define allowed groups.
    DefineAllowedTeamsIds bool
    Define allowed teams ids.
    EmailAttributeName string
    Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
    EmailAttributePath string
    JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
    EmptyScopes bool
    If enabled, no scopes will be sent to the OAuth2 provider.
    Enabled bool
    Define whether this configuration is enabled for the specified provider. Defaults to true.
    GroupsAttributePath string
    JMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.
    IdTokenAttributeName string
    The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
    LoginAttributePath string
    JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
    Name string
    Helpful if you use more than one identity provider or SSO protocol.
    NameAttributePath string
    JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
    RoleAttributePath string
    JMESPath expression to use for Grafana role lookup.
    RoleAttributeStrict bool
    If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
    Scopes string
    List of comma- or space-separated OAuth2 scopes.
    SignoutRedirectUrl string
    The URL to redirect the user to after signing out from Grafana.
    SkipOrgRoleSync bool
    Prevent synchronizing users’ organization roles from your IdP.
    TeamIds string
    String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.
    TeamIdsAttributePath string
    The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
    TeamsUrl string
    The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.
    TlsClientCa string
    The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
    TlsClientCert string
    The path to the certificate. Is not applicable on Grafana Cloud.
    TlsClientKey string
    The path to the key. Is not applicable on Grafana Cloud.
    TlsSkipVerifyInsecure bool
    If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
    TokenUrl string
    The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
    UsePkce bool
    If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
    UseRefreshToken bool
    If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
    clientId String
    The client Id of your OAuth2 app.
    allowAssignGrafanaAdmin Boolean
    If enabled, it will automatically sync the Grafana server administrator role.
    allowSignUp Boolean
    If not enabled, only existing Grafana users can log in using OAuth.
    allowedDomains String
    List of comma- or space-separated domains. The user should belong to at least one domain to log in.
    allowedGroups String
    List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.
    allowedOrganizations String
    List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
    apiUrl String
    The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
    authStyle String
    Determines how client_id and client_secret are sent to the OAuth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
    authUrl String
    The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
    autoLogin Boolean
    Log in automatically, skipping the login screen.
    clientSecret String
    The client secret of your OAuth2 app.
    custom Map<String,String>
    Custom fields to configure for OAuth2, such as the force_use_graph_api field.
    defineAllowedGroups Boolean
    Define allowed groups.
    defineAllowedTeamsIds Boolean
    Define allowed teams ids.
    emailAttributeName String
    Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
    emailAttributePath String
    JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
    emptyScopes Boolean
    If enabled, no scopes will be sent to the OAuth2 provider.
    enabled Boolean
    Define whether this configuration is enabled for the specified provider. Defaults to true.
    groupsAttributePath String
    JMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.
    idTokenAttributeName String
    The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
    loginAttributePath String
    JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
    name String
    Helpful if you use more than one identity provider or SSO protocol.
    nameAttributePath String
    JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
    roleAttributePath String
    JMESPath expression to use for Grafana role lookup.
    roleAttributeStrict Boolean
    If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
    scopes String
    List of comma- or space-separated OAuth2 scopes.
    signoutRedirectUrl String
    The URL to redirect the user to after signing out from Grafana.
    skipOrgRoleSync Boolean
    Prevent synchronizing users’ organization roles from your IdP.
    teamIds String
    String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.
    teamIdsAttributePath String
    The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
    teamsUrl String
    The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.
    tlsClientCa String
    The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
    tlsClientCert String
    The path to the certificate. Is not applicable on Grafana Cloud.
    tlsClientKey String
    The path to the key. Is not applicable on Grafana Cloud.
    tlsSkipVerifyInsecure Boolean
    If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
    tokenUrl String
    The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
    usePkce Boolean
    If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
    useRefreshToken Boolean
    If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
    clientId string
    The client Id of your OAuth2 app.
    allowAssignGrafanaAdmin boolean
    If enabled, it will automatically sync the Grafana server administrator role.
    allowSignUp boolean
    If not enabled, only existing Grafana users can log in using OAuth.
    allowedDomains string
    List of comma- or space-separated domains. The user should belong to at least one domain to log in.
    allowedGroups string
    List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.
    allowedOrganizations string
    List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
    apiUrl string
    The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
    authStyle string
    Determines how client_id and client_secret are sent to the OAuth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
    authUrl string
    The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
    autoLogin boolean
    Log in automatically, skipping the login screen.
    clientSecret string
    The client secret of your OAuth2 app.
    custom {[key: string]: string}
    Custom fields to configure for OAuth2, such as the force_use_graph_api field.
    defineAllowedGroups boolean
    Define allowed groups.
    defineAllowedTeamsIds boolean
    Define allowed teams ids.
    emailAttributeName string
    Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
    emailAttributePath string
    JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
    emptyScopes boolean
    If enabled, no scopes will be sent to the OAuth2 provider.
    enabled boolean
    Define whether this configuration is enabled for the specified provider. Defaults to true.
    groupsAttributePath string
    JMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.
    idTokenAttributeName string
    The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
    loginAttributePath string
    JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
    name string
    Helpful if you use more than one identity provider or SSO protocol.
    nameAttributePath string
    JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
    roleAttributePath string
    JMESPath expression to use for Grafana role lookup.
    roleAttributeStrict boolean
    If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
    scopes string
    List of comma- or space-separated OAuth2 scopes.
    signoutRedirectUrl string
    The URL to redirect the user to after signing out from Grafana.
    skipOrgRoleSync boolean
    Prevent synchronizing users’ organization roles from your IdP.
    teamIds string
    String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.
    teamIdsAttributePath string
    The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
    teamsUrl string
    The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.
    tlsClientCa string
    The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
    tlsClientCert string
    The path to the certificate. Is not applicable on Grafana Cloud.
    tlsClientKey string
    The path to the key. Is not applicable on Grafana Cloud.
    tlsSkipVerifyInsecure boolean
    If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
    tokenUrl string
    The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
    usePkce boolean
    If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
    useRefreshToken boolean
    If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
    client_id str
    The client Id of your OAuth2 app.
    allow_assign_grafana_admin bool
    If enabled, it will automatically sync the Grafana server administrator role.
    allow_sign_up bool
    If not enabled, only existing Grafana users can log in using OAuth.
    allowed_domains str
    List of comma- or space-separated domains. The user should belong to at least one domain to log in.
    allowed_groups str
    List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.
    allowed_organizations str
    List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
    api_url str
    The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
    auth_style str
    Determines how client_id and client_secret are sent to the OAuth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
    auth_url str
    The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
    auto_login bool
    Log in automatically, skipping the login screen.
    client_secret str
    The client secret of your OAuth2 app.
    custom Mapping[str, str]
    Custom fields to configure for OAuth2, such as the force_use_graph_api field.
    define_allowed_groups bool
    Define allowed groups.
    define_allowed_teams_ids bool
    Define allowed teams ids.
    email_attribute_name str
    Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
    email_attribute_path str
    JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
    empty_scopes bool
    If enabled, no scopes will be sent to the OAuth2 provider.
    enabled bool
    Define whether this configuration is enabled for the specified provider. Defaults to true.
    groups_attribute_path str
    JMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.
    id_token_attribute_name str
    The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
    login_attribute_path str
    JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
    name str
    Helpful if you use more than one identity provider or SSO protocol.
    name_attribute_path str
    JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
    role_attribute_path str
    JMESPath expression to use for Grafana role lookup.
    role_attribute_strict bool
    If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
    scopes str
    List of comma- or space-separated OAuth2 scopes.
    signout_redirect_url str
    The URL to redirect the user to after signing out from Grafana.
    skip_org_role_sync bool
    Prevent synchronizing users’ organization roles from your IdP.
    team_ids str
    String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.
    team_ids_attribute_path str
    The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
    teams_url str
    The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.
    tls_client_ca str
    The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
    tls_client_cert str
    The path to the certificate. Is not applicable on Grafana Cloud.
    tls_client_key str
    The path to the key. Is not applicable on Grafana Cloud.
    tls_skip_verify_insecure bool
    If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
    token_url str
    The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
    use_pkce bool
    If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
    use_refresh_token bool
    If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
    clientId String
    The client Id of your OAuth2 app.
    allowAssignGrafanaAdmin Boolean
    If enabled, it will automatically sync the Grafana server administrator role.
    allowSignUp Boolean
    If not enabled, only existing Grafana users can log in using OAuth.
    allowedDomains String
    List of comma- or space-separated domains. The user should belong to at least one domain to log in.
    allowedGroups String
    List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.
    allowedOrganizations String
    List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
    apiUrl String
    The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
    authStyle String
    Determines how client_id and client_secret are sent to the OAuth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
    authUrl String
    The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
    autoLogin Boolean
    Log in automatically, skipping the login screen.
    clientSecret String
    The client secret of your OAuth2 app.
    custom Map<String>
    Custom fields to configure for OAuth2, such as the force_use_graph_api field.
    defineAllowedGroups Boolean
    Define allowed groups.
    defineAllowedTeamsIds Boolean
    Define allowed teams ids.
    emailAttributeName String
    Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
    emailAttributePath String
    JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
    emptyScopes Boolean
    If enabled, no scopes will be sent to the OAuth2 provider.
    enabled Boolean
    Define whether this configuration is enabled for the specified provider. Defaults to true.
    groupsAttributePath String
    JMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.
    idTokenAttributeName String
    The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
    loginAttributePath String
    JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
    name String
    Helpful if you use more than one identity provider or SSO protocol.
    nameAttributePath String
    JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
    roleAttributePath String
    JMESPath expression to use for Grafana role lookup.
    roleAttributeStrict Boolean
    If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
    scopes String
    List of comma- or space-separated OAuth2 scopes.
    signoutRedirectUrl String
    The URL to redirect the user to after signing out from Grafana.
    skipOrgRoleSync Boolean
    Prevent synchronizing users’ organization roles from your IdP.
    teamIds String
    String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.
    teamIdsAttributePath String
    The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
    teamsUrl String
    The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.
    tlsClientCa String
    The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
    tlsClientCert String
    The path to the certificate. Is not applicable on Grafana Cloud.
    tlsClientKey String
    The path to the key. Is not applicable on Grafana Cloud.
    tlsSkipVerifyInsecure Boolean
    If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
    tokenUrl String
    The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
    usePkce Boolean
    If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
    useRefreshToken Boolean
    If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.

    SsoSettingsSamlSettings, SsoSettingsSamlSettingsArgs

    AllowIdpInitiated bool
    Whether SAML IdP-initiated login is allowed.
    AllowSignUp bool
    Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
    AllowedOrganizations string
    List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
    AssertionAttributeEmail string
    Friendly name or name of the attribute within the SAML assertion to use as the user email.
    AssertionAttributeGroups string
    Friendly name or name of the attribute within the SAML assertion to use as the user groups.
    AssertionAttributeLogin string
    Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
    AssertionAttributeName string
    Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
    AssertionAttributeOrg string
    Friendly name or name of the attribute within the SAML assertion to use as the user organization.
    AssertionAttributeRole string
    Friendly name or name of the attribute within the SAML assertion to use as the user roles.
    AutoLogin bool
    Whether SAML auto login is enabled.
    Certificate string
    Base64-encoded string for the SP X.509 certificate.
    CertificatePath string
    Path for the SP X.509 certificate.
    Enabled bool
    Define whether this configuration is enabled for SAML. Defaults to true.
    IdpMetadata string
    Base64-encoded string for the IdP SAML metadata XML.
    IdpMetadataPath string
    Path for the IdP SAML metadata XML.
    IdpMetadataUrl string
    URL for the IdP SAML metadata XML.
    MaxIssueDelay string
    Maximum time allowed between the IdP issuing a response and the SP processing it. For example: 90s, 1h.
    MetadataValidDuration string
    How long the SP metadata is valid. For example: 48h, 5d.
    Name string
    Name used to refer to the SAML authentication.
    NameIdFormat string
    The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    OrgMapping string
    List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
    PrivateKey string
    Base64-encoded string for the SP private key.
    PrivateKeyPath string
    Path for the SP private key.
    RelayState string
    Relay state for IdP-initiated login. Should match relay state configured in IdP.
    RoleValuesAdmin string
    List of comma- or space-separated roles which will be mapped into the Admin role.
    RoleValuesEditor string
    List of comma- or space-separated roles which will be mapped into the Editor role.
    RoleValuesGrafanaAdmin string
    List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
    RoleValuesNone string
    List of comma- or space-separated roles which will be mapped into the None role.
    RoleValuesViewer string
    List of comma- or space-separated roles which will be mapped into the Viewer role.
    SignatureAlgorithm string
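    Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512. Prefer rsa-sha256 or rsa-sha512 where the IdP supports them, since SHA-1 is no longer considered collision-resistant.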
    SingleLogout bool
    Whether SAML Single Logout is enabled.
    SkipOrgRoleSync bool
    Prevent synchronizing users’ organization roles from your IdP.
    AllowIdpInitiated bool
    Whether SAML IdP-initiated login is allowed.
    AllowSignUp bool
    Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
    AllowedOrganizations string
    List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
    AssertionAttributeEmail string
    Friendly name or name of the attribute within the SAML assertion to use as the user email.
    AssertionAttributeGroups string
    Friendly name or name of the attribute within the SAML assertion to use as the user groups.
    AssertionAttributeLogin string
    Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
    AssertionAttributeName string
    Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
    AssertionAttributeOrg string
    Friendly name or name of the attribute within the SAML assertion to use as the user organization.
    AssertionAttributeRole string
    Friendly name or name of the attribute within the SAML assertion to use as the user roles.
    AutoLogin bool
    Whether SAML auto login is enabled.
    Certificate string
    Base64-encoded string for the SP X.509 certificate.
    CertificatePath string
    Path for the SP X.509 certificate.
    Enabled bool
    Define whether this configuration is enabled for SAML. Defaults to true.
    IdpMetadata string
    Base64-encoded string for the IdP SAML metadata XML.
    IdpMetadataPath string
    Path for the IdP SAML metadata XML.
    IdpMetadataUrl string
    URL for the IdP SAML metadata XML.
    MaxIssueDelay string
    Maximum time allowed between the IdP issuing a response and the SP processing it. For example: 90s, 1h.
    MetadataValidDuration string
    How long the SP metadata is valid. For example: 48h, 5d.
    Name string
    Name used to refer to the SAML authentication.
    NameIdFormat string
    The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    OrgMapping string
    List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
    PrivateKey string
    Base64-encoded string for the SP private key.
    PrivateKeyPath string
    Path for the SP private key.
    RelayState string
    Relay state for IdP-initiated login. Should match relay state configured in IdP.
    RoleValuesAdmin string
    List of comma- or space-separated roles which will be mapped into the Admin role.
    RoleValuesEditor string
    List of comma- or space-separated roles which will be mapped into the Editor role.
    RoleValuesGrafanaAdmin string
    List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
    RoleValuesNone string
    List of comma- or space-separated roles which will be mapped into the None role.
    RoleValuesViewer string
    List of comma- or space-separated roles which will be mapped into the Viewer role.
    SignatureAlgorithm string
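    Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512. Prefer rsa-sha256 or rsa-sha512 where the IdP supports them, since SHA-1 is no longer considered collision-resistant.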
    SingleLogout bool
    Whether SAML Single Logout is enabled.
    SkipOrgRoleSync bool
    Prevent synchronizing users’ organization roles from your IdP.
    allowIdpInitiated Boolean
    Whether SAML IdP-initiated login is allowed.
    allowSignUp Boolean
    Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
    allowedOrganizations String
    List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
    assertionAttributeEmail String
    Friendly name or name of the attribute within the SAML assertion to use as the user email.
    assertionAttributeGroups String
    Friendly name or name of the attribute within the SAML assertion to use as the user groups.
    assertionAttributeLogin String
    Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
    assertionAttributeName String
    Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
    assertionAttributeOrg String
    Friendly name or name of the attribute within the SAML assertion to use as the user organization.
    assertionAttributeRole String
    Friendly name or name of the attribute within the SAML assertion to use as the user roles.
    autoLogin Boolean
    Whether SAML auto login is enabled.
    certificate String
    Base64-encoded string for the SP X.509 certificate.
    certificatePath String
    Path for the SP X.509 certificate.
    enabled Boolean
    Define whether this configuration is enabled for SAML. Defaults to true.
    idpMetadata String
    Base64-encoded string for the IdP SAML metadata XML.
    idpMetadataPath String
    Path for the IdP SAML metadata XML.
    idpMetadataUrl String
    URL for the IdP SAML metadata XML.
    maxIssueDelay String
    Maximum time allowed between the IdP issuing a response and the SP processing it. For example: 90s, 1h. A shorter value narrows the window in which a captured response would still be accepted.
    metadataValidDuration String
    How long the SP metadata remains valid. For example: 48h, 5d.
    name String
    Name used to refer to the SAML authentication.
    nameIdFormat String
    The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    orgMapping String
    List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
    privateKey String
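    Base64-encoded string for the SP private key. Treat this value as a secret: supply it as a Pulumi secret rather than as a plaintext literal in source.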
    privateKeyPath String
    Path for the SP private key.
    relayState String
    Relay state for IdP-initiated login. Should match relay state configured in IdP.
    roleValuesAdmin String
    List of comma- or space-separated roles which will be mapped into the Admin role.
    roleValuesEditor String
    List of comma- or space-separated roles which will be mapped into the Editor role.
    roleValuesGrafanaAdmin String
    List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
    roleValuesNone String
    List of comma- or space-separated roles which will be mapped into the None role.
    roleValuesViewer String
    List of comma- or space-separated roles which will be mapped into the Viewer role.
    signatureAlgorithm String
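    Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512. Prefer rsa-sha256 or rsa-sha512 where the IdP accepts them, since SHA-1 is no longer considered collision-resistant.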
    singleLogout Boolean
    Whether SAML Single Logout is enabled.
    skipOrgRoleSync Boolean
    Prevent synchronizing users’ organization roles from your IdP.
    allowIdpInitiated boolean
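    Whether SAML IdP-initiated login is allowed. IdP-initiated responses are unsolicited, so the SP cannot match them to a request it issued; enable this only if your login flow requires it.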
    allowSignUp boolean
    Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
    allowedOrganizations string
    List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
    assertionAttributeEmail string
    Friendly name or name of the attribute within the SAML assertion to use as the user email.
    assertionAttributeGroups string
    Friendly name or name of the attribute within the SAML assertion to use as the user groups.
    assertionAttributeLogin string
    Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
    assertionAttributeName string
    Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
    assertionAttributeOrg string
    Friendly name or name of the attribute within the SAML assertion to use as the user organization.
    assertionAttributeRole string
    Friendly name or name of the attribute within the SAML assertion to use as the user roles.
    autoLogin boolean
    Whether SAML auto login is enabled.
    certificate string
    Base64-encoded string for the SP X.509 certificate.
    certificatePath string
    Path for the SP X.509 certificate.
    enabled boolean
    Define whether this configuration is enabled for SAML. Defaults to true.
    idpMetadata string
    Base64-encoded string for the IdP SAML metadata XML.
    idpMetadataPath string
    Path for the IdP SAML metadata XML.
    idpMetadataUrl string
    URL for the IdP SAML metadata XML.
    maxIssueDelay string
    Maximum time allowed between the IdP issuing a response and the SP processing it. For example: 90s, 1h. A shorter value narrows the window in which a captured response would still be accepted.
    metadataValidDuration string
    How long the SP metadata remains valid. For example: 48h, 5d.
    name string
    Name used to refer to the SAML authentication.
    nameIdFormat string
    The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    orgMapping string
    List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
    privateKey string
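    Base64-encoded string for the SP private key. Treat this value as a secret: supply it as a Pulumi secret rather than as a plaintext literal in source.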
    privateKeyPath string
    Path for the SP private key.
    relayState string
    Relay state for IdP-initiated login. Should match relay state configured in IdP.
    roleValuesAdmin string
    List of comma- or space-separated roles which will be mapped into the Admin role.
    roleValuesEditor string
    List of comma- or space-separated roles which will be mapped into the Editor role.
    roleValuesGrafanaAdmin string
    List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
    roleValuesNone string
    List of comma- or space-separated roles which will be mapped into the None role.
    roleValuesViewer string
    List of comma- or space-separated roles which will be mapped into the Viewer role.
    signatureAlgorithm string
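    Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512. Prefer rsa-sha256 or rsa-sha512 where the IdP accepts them, since SHA-1 is no longer considered collision-resistant.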
    singleLogout boolean
    Whether SAML Single Logout is enabled.
    skipOrgRoleSync boolean
    Prevent synchronizing users’ organization roles from your IdP.
    allow_idp_initiated bool
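    Whether SAML IdP-initiated login is allowed. IdP-initiated responses are unsolicited, so the SP cannot match them to a request it issued; enable this only if your login flow requires it.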
    allow_sign_up bool
    Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
    allowed_organizations str
    List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
    assertion_attribute_email str
    Friendly name or name of the attribute within the SAML assertion to use as the user email.
    assertion_attribute_groups str
    Friendly name or name of the attribute within the SAML assertion to use as the user groups.
    assertion_attribute_login str
    Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
    assertion_attribute_name str
    Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
    assertion_attribute_org str
    Friendly name or name of the attribute within the SAML assertion to use as the user organization.
    assertion_attribute_role str
    Friendly name or name of the attribute within the SAML assertion to use as the user roles.
    auto_login bool
    Whether SAML auto login is enabled.
    certificate str
    Base64-encoded string for the SP X.509 certificate.
    certificate_path str
    Path for the SP X.509 certificate.
    enabled bool
    Define whether this configuration is enabled for SAML. Defaults to true.
    idp_metadata str
    Base64-encoded string for the IdP SAML metadata XML.
    idp_metadata_path str
    Path for the IdP SAML metadata XML.
    idp_metadata_url str
    URL for the IdP SAML metadata XML.
    max_issue_delay str
    Maximum time allowed between the IdP issuing a response and the SP processing it. For example: 90s, 1h. A shorter value narrows the window in which a captured response would still be accepted.
    metadata_valid_duration str
    How long the SP metadata remains valid. For example: 48h, 5d.
    name str
    Name used to refer to the SAML authentication.
    name_id_format str
    The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    org_mapping str
    List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
    private_key str
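    Base64-encoded string for the SP private key. Treat this value as a secret: supply it as a Pulumi secret rather than as a plaintext literal in source.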
    private_key_path str
    Path for the SP private key.
    relay_state str
    Relay state for IdP-initiated login. Should match relay state configured in IdP.
    role_values_admin str
    List of comma- or space-separated roles which will be mapped into the Admin role.
    role_values_editor str
    List of comma- or space-separated roles which will be mapped into the Editor role.
    role_values_grafana_admin str
    List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
    role_values_none str
    List of comma- or space-separated roles which will be mapped into the None role.
    role_values_viewer str
    List of comma- or space-separated roles which will be mapped into the Viewer role.
    signature_algorithm str
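    Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512. Prefer rsa-sha256 or rsa-sha512 where the IdP accepts them, since SHA-1 is no longer considered collision-resistant.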
    single_logout bool
    Whether SAML Single Logout is enabled.
    skip_org_role_sync bool
    Prevent synchronizing users’ organization roles from your IdP.
    allowIdpInitiated Boolean
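    Whether SAML IdP-initiated login is allowed. IdP-initiated responses are unsolicited, so the SP cannot match them to a request it issued; enable this only if your login flow requires it.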
    allowSignUp Boolean
    Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
    allowedOrganizations String
    List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
    assertionAttributeEmail String
    Friendly name or name of the attribute within the SAML assertion to use as the user email.
    assertionAttributeGroups String
    Friendly name or name of the attribute within the SAML assertion to use as the user groups.
    assertionAttributeLogin String
    Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
    assertionAttributeName String
    Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
    assertionAttributeOrg String
    Friendly name or name of the attribute within the SAML assertion to use as the user organization.
    assertionAttributeRole String
    Friendly name or name of the attribute within the SAML assertion to use as the user roles.
    autoLogin Boolean
    Whether SAML auto login is enabled.
    certificate String
    Base64-encoded string for the SP X.509 certificate.
    certificatePath String
    Path for the SP X.509 certificate.
    enabled Boolean
    Define whether this configuration is enabled for SAML. Defaults to true.
    idpMetadata String
    Base64-encoded string for the IdP SAML metadata XML.
    idpMetadataPath String
    Path for the IdP SAML metadata XML.
    idpMetadataUrl String
    URL for the IdP SAML metadata XML.
    maxIssueDelay String
    Maximum time allowed between the IdP issuing a response and the SP processing it. For example: 90s, 1h. A shorter value narrows the window in which a captured response would still be accepted.
    metadataValidDuration String
    How long the SP metadata remains valid. For example: 48h, 5d.
    name String
    Name used to refer to the SAML authentication.
    nameIdFormat String
    The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    orgMapping String
    List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
    privateKey String
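    Base64-encoded string for the SP private key. Treat this value as a secret: supply it as a Pulumi secret rather than as a plaintext literal in source.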
    privateKeyPath String
    Path for the SP private key.
    relayState String
    Relay state for IdP-initiated login. Should match relay state configured in IdP.
    roleValuesAdmin String
    List of comma- or space-separated roles which will be mapped into the Admin role.
    roleValuesEditor String
    List of comma- or space-separated roles which will be mapped into the Editor role.
    roleValuesGrafanaAdmin String
    List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
    roleValuesNone String
    List of comma- or space-separated roles which will be mapped into the None role.
    roleValuesViewer String
    List of comma- or space-separated roles which will be mapped into the Viewer role.
    signatureAlgorithm String
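    Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512. Prefer rsa-sha256 or rsa-sha512 where the IdP accepts them, since SHA-1 is no longer considered collision-resistant.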
    singleLogout Boolean
    Whether SAML Single Logout is enabled.
    skipOrgRoleSync Boolean
    Prevent synchronizing users’ organization roles from your IdP.

    Import

    $ pulumi import grafana:index/ssoSettings:SsoSettings name "{{ provider }}"
    
    $ pulumi import grafana:index/ssoSettings:SsoSettings name "{{ orgID }}:{{ provider }}"
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    grafana pulumiverse/pulumi-grafana
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the grafana Terraform Provider.