grafana.SsoSettings
Explore with Pulumi AI
Manages Grafana SSO Settings for OAuth2 and SAML. Support for SAML is currently in preview, it will be available in Grafana Enterprise starting with v11.1.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as grafana from "@pulumiverse/grafana";
// Configure SSO for GitHub using OAuth2
const githubSsoSettings = new grafana.oss.SsoSettings("github_sso_settings", {
providerName: "github",
oauth2Settings: {
name: "Github",
clientId: "<your GitHub app client id>",
clientSecret: "<your GitHub app client secret>",
allowSignUp: true,
autoLogin: false,
scopes: "user:email,read:org",
teamIds: "150,300",
allowedOrganizations: "[\"My Organization\", \"Octocats\"]",
allowedDomains: "mycompany.com mycompany.org",
},
});
// Configure SSO using generic OAuth2
const genericSsoSettings = new grafana.oss.SsoSettings("generic_sso_settings", {
providerName: "generic_oauth",
oauth2Settings: {
name: "Auth0",
authUrl: "https://<domain>/authorize",
tokenUrl: "https://<domain>/oauth/token",
apiUrl: "https://<domain>/userinfo",
clientId: "<client id>",
clientSecret: "<client secret>",
allowSignUp: true,
autoLogin: false,
scopes: "openid profile email offline_access",
usePkce: true,
useRefreshToken: true,
},
});
// Configure SSO using SAML
const samlSsoSettings = new grafana.oss.SsoSettings("saml_sso_settings", {
providerName: "saml",
samlSettings: {
allowSignUp: true,
certificatePath: "devenv/docker/blocks/auth/saml-enterprise/cert.crt",
privateKeyPath: "devenv/docker/blocks/auth/saml-enterprise/key.pem",
idpMetadataUrl: "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
signatureAlgorithm: "rsa-sha256",
assertionAttributeLogin: "login",
assertionAttributeEmail: "email",
nameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
},
});
import pulumi
import pulumiverse_grafana as grafana
# Configure SSO for GitHub using OAuth2
github_sso_settings = grafana.oss.SsoSettings("github_sso_settings",
provider_name="github",
oauth2_settings={
"name": "Github",
"client_id": "<your GitHub app client id>",
"client_secret": "<your GitHub app client secret>",
"allow_sign_up": True,
"auto_login": False,
"scopes": "user:email,read:org",
"team_ids": "150,300",
"allowed_organizations": "[\"My Organization\", \"Octocats\"]",
"allowed_domains": "mycompany.com mycompany.org",
})
# Configure SSO using generic OAuth2
generic_sso_settings = grafana.oss.SsoSettings("generic_sso_settings",
provider_name="generic_oauth",
oauth2_settings={
"name": "Auth0",
"auth_url": "https://<domain>/authorize",
"token_url": "https://<domain>/oauth/token",
"api_url": "https://<domain>/userinfo",
"client_id": "<client id>",
"client_secret": "<client secret>",
"allow_sign_up": True,
"auto_login": False,
"scopes": "openid profile email offline_access",
"use_pkce": True,
"use_refresh_token": True,
})
# Configure SSO using SAML
saml_sso_settings = grafana.oss.SsoSettings("saml_sso_settings",
provider_name="saml",
saml_settings={
"allow_sign_up": True,
"certificate_path": "devenv/docker/blocks/auth/saml-enterprise/cert.crt",
"private_key_path": "devenv/docker/blocks/auth/saml-enterprise/key.pem",
"idp_metadata_url": "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
"signature_algorithm": "rsa-sha256",
"assertion_attribute_login": "login",
"assertion_attribute_email": "email",
"name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
})
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-grafana/sdk/go/grafana/oss"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Configure SSO for GitHub using OAuth2
_, err := oss.NewSsoSettings(ctx, "github_sso_settings", &oss.SsoSettingsArgs{
ProviderName: pulumi.String("github"),
Oauth2Settings: &oss.SsoSettingsOauth2SettingsArgs{
Name: pulumi.String("Github"),
ClientId: pulumi.String("<your GitHub app client id>"),
ClientSecret: pulumi.String("<your GitHub app client secret>"),
AllowSignUp: pulumi.Bool(true),
AutoLogin: pulumi.Bool(false),
Scopes: pulumi.String("user:email,read:org"),
TeamIds: pulumi.String("150,300"),
AllowedOrganizations: pulumi.String("[\"My Organization\", \"Octocats\"]"),
AllowedDomains: pulumi.String("mycompany.com mycompany.org"),
},
})
if err != nil {
return err
}
// Configure SSO using generic OAuth2
_, err = oss.NewSsoSettings(ctx, "generic_sso_settings", &oss.SsoSettingsArgs{
ProviderName: pulumi.String("generic_oauth"),
Oauth2Settings: &oss.SsoSettingsOauth2SettingsArgs{
Name: pulumi.String("Auth0"),
AuthUrl: pulumi.String("https://<domain>/authorize"),
TokenUrl: pulumi.String("https://<domain>/oauth/token"),
ApiUrl: pulumi.String("https://<domain>/userinfo"),
ClientId: pulumi.String("<client id>"),
ClientSecret: pulumi.String("<client secret>"),
AllowSignUp: pulumi.Bool(true),
AutoLogin: pulumi.Bool(false),
Scopes: pulumi.String("openid profile email offline_access"),
UsePkce: pulumi.Bool(true),
UseRefreshToken: pulumi.Bool(true),
},
})
if err != nil {
return err
}
// Configure SSO using SAML
_, err = oss.NewSsoSettings(ctx, "saml_sso_settings", &oss.SsoSettingsArgs{
ProviderName: pulumi.String("saml"),
SamlSettings: &oss.SsoSettingsSamlSettingsArgs{
AllowSignUp: pulumi.Bool(true),
CertificatePath: pulumi.String("devenv/docker/blocks/auth/saml-enterprise/cert.crt"),
PrivateKeyPath: pulumi.String("devenv/docker/blocks/auth/saml-enterprise/key.pem"),
IdpMetadataUrl: pulumi.String("https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml"),
SignatureAlgorithm: pulumi.String("rsa-sha256"),
AssertionAttributeLogin: pulumi.String("login"),
AssertionAttributeEmail: pulumi.String("email"),
NameIdFormat: pulumi.String("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Grafana = Pulumiverse.Grafana;
return await Deployment.RunAsync(() =>
{
// Configure SSO for GitHub using OAuth2
var githubSsoSettings = new Grafana.Oss.SsoSettings("github_sso_settings", new()
{
ProviderName = "github",
Oauth2Settings = new Grafana.Oss.Inputs.SsoSettingsOauth2SettingsArgs
{
Name = "Github",
ClientId = "<your GitHub app client id>",
ClientSecret = "<your GitHub app client secret>",
AllowSignUp = true,
AutoLogin = false,
Scopes = "user:email,read:org",
TeamIds = "150,300",
AllowedOrganizations = "[\"My Organization\", \"Octocats\"]",
AllowedDomains = "mycompany.com mycompany.org",
},
});
// Configure SSO using generic OAuth2
var genericSsoSettings = new Grafana.Oss.SsoSettings("generic_sso_settings", new()
{
ProviderName = "generic_oauth",
Oauth2Settings = new Grafana.Oss.Inputs.SsoSettingsOauth2SettingsArgs
{
Name = "Auth0",
AuthUrl = "https://<domain>/authorize",
TokenUrl = "https://<domain>/oauth/token",
ApiUrl = "https://<domain>/userinfo",
ClientId = "<client id>",
ClientSecret = "<client secret>",
AllowSignUp = true,
AutoLogin = false,
Scopes = "openid profile email offline_access",
UsePkce = true,
UseRefreshToken = true,
},
});
// Configure SSO using SAML
var samlSsoSettings = new Grafana.Oss.SsoSettings("saml_sso_settings", new()
{
ProviderName = "saml",
SamlSettings = new Grafana.Oss.Inputs.SsoSettingsSamlSettingsArgs
{
AllowSignUp = true,
CertificatePath = "devenv/docker/blocks/auth/saml-enterprise/cert.crt",
PrivateKeyPath = "devenv/docker/blocks/auth/saml-enterprise/key.pem",
IdpMetadataUrl = "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
SignatureAlgorithm = "rsa-sha256",
AssertionAttributeLogin = "login",
AssertionAttributeEmail = "email",
NameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.grafana.oss.SsoSettings;
import com.pulumi.grafana.oss.SsoSettingsArgs;
import com.pulumi.grafana.oss.inputs.SsoSettingsOauth2SettingsArgs;
import com.pulumi.grafana.oss.inputs.SsoSettingsSamlSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Configure SSO for GitHub using OAuth2
var githubSsoSettings = new SsoSettings("githubSsoSettings", SsoSettingsArgs.builder()
.providerName("github")
.oauth2Settings(SsoSettingsOauth2SettingsArgs.builder()
.name("Github")
.clientId("<your GitHub app client id>")
.clientSecret("<your GitHub app client secret>")
.allowSignUp(true)
.autoLogin(false)
.scopes("user:email,read:org")
.teamIds("150,300")
.allowedOrganizations("[\"My Organization\", \"Octocats\"]")
.allowedDomains("mycompany.com mycompany.org")
.build())
.build());
// Configure SSO using generic OAuth2
var genericSsoSettings = new SsoSettings("genericSsoSettings", SsoSettingsArgs.builder()
.providerName("generic_oauth")
.oauth2Settings(SsoSettingsOauth2SettingsArgs.builder()
.name("Auth0")
.authUrl("https://<domain>/authorize")
.tokenUrl("https://<domain>/oauth/token")
.apiUrl("https://<domain>/userinfo")
.clientId("<client id>")
.clientSecret("<client secret>")
.allowSignUp(true)
.autoLogin(false)
.scopes("openid profile email offline_access")
.usePkce(true)
.useRefreshToken(true)
.build())
.build());
// Configure SSO using SAML
var samlSsoSettings = new SsoSettings("samlSsoSettings", SsoSettingsArgs.builder()
.providerName("saml")
.samlSettings(SsoSettingsSamlSettingsArgs.builder()
.allowSignUp(true)
.certificatePath("devenv/docker/blocks/auth/saml-enterprise/cert.crt")
.privateKeyPath("devenv/docker/blocks/auth/saml-enterprise/key.pem")
.idpMetadataUrl("https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml")
.signatureAlgorithm("rsa-sha256")
.assertionAttributeLogin("login")
.assertionAttributeEmail("email")
.nameIdFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
.build())
.build());
}
}
resources:
# Configure SSO for GitHub using OAuth2
githubSsoSettings:
type: grafana:oss:SsoSettings
name: github_sso_settings
properties:
providerName: github
oauth2Settings:
name: Github
clientId: <your GitHub app client id>
clientSecret: <your GitHub app client secret>
allowSignUp: true
autoLogin: false
scopes: user:email,read:org
teamIds: 150,300
allowedOrganizations: '["My Organization", "Octocats"]'
allowedDomains: mycompany.com mycompany.org
# Configure SSO using generic OAuth2
genericSsoSettings:
type: grafana:oss:SsoSettings
name: generic_sso_settings
properties:
providerName: generic_oauth
oauth2Settings:
name: Auth0
authUrl: https://<domain>/authorize
tokenUrl: https://<domain>/oauth/token
apiUrl: https://<domain>/userinfo
clientId: <client id>
clientSecret: <client secret>
allowSignUp: true
autoLogin: false
scopes: openid profile email offline_access
usePkce: true
useRefreshToken: true
# Configure SSO using SAML
samlSsoSettings:
type: grafana:oss:SsoSettings
name: saml_sso_settings
properties:
providerName: saml
samlSettings:
allowSignUp: true
certificatePath: devenv/docker/blocks/auth/saml-enterprise/cert.crt
privateKeyPath: devenv/docker/blocks/auth/saml-enterprise/key.pem
idpMetadataUrl: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
signatureAlgorithm: rsa-sha256
assertionAttributeLogin: login
assertionAttributeEmail: email
nameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Create SsoSettings Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SsoSettings(name: string, args: SsoSettingsArgs, opts?: CustomResourceOptions);
@overload
def SsoSettings(resource_name: str,
args: SsoSettingsArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SsoSettings(resource_name: str,
opts: Optional[ResourceOptions] = None,
oauth2_settings: Optional[SsoSettingsOauth2SettingsArgs] = None,
provider_name: Optional[str] = None,
saml_settings: Optional[SsoSettingsSamlSettingsArgs] = None)
func NewSsoSettings(ctx *Context, name string, args SsoSettingsArgs, opts ...ResourceOption) (*SsoSettings, error)
public SsoSettings(string name, SsoSettingsArgs args, CustomResourceOptions? opts = null)
public SsoSettings(String name, SsoSettingsArgs args)
public SsoSettings(String name, SsoSettingsArgs args, CustomResourceOptions options)
type: grafana:SsoSettings
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SsoSettingsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SsoSettingsArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SsoSettingsArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SsoSettingsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SsoSettingsArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
SsoSettings Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SsoSettings resource accepts the following input properties:
- Provider
Name string - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
- Oauth2Settings
Pulumiverse.
Grafana. Inputs. Sso Settings Oauth2Settings - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- Saml
Settings Pulumiverse.Grafana. Inputs. Sso Settings Saml Settings - The SAML settings set. Required for the saml provider.
- Provider
Name string - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
- Oauth2Settings
Sso
Settings Oauth2Settings Args - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- Saml
Settings SsoSettings Saml Settings Args - The SAML settings set. Required for the saml provider.
- provider
Name String - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
- oauth2Settings
Sso
Settings Oauth2Settings - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- saml
Settings SsoSettings Saml Settings - The SAML settings set. Required for the saml provider.
- provider
Name string - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
- oauth2Settings
Sso
Settings Oauth2Settings - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- saml
Settings SsoSettings Saml Settings - The SAML settings set. Required for the saml provider.
- provider_
name str - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
- oauth2_
settings SsoSettings Oauth2Settings Args - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- saml_
settings SsoSettings Saml Settings Args - The SAML settings set. Required for the saml provider.
- provider
Name String - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
- oauth2Settings Property Map
- The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- saml
Settings Property Map - The SAML settings set. Required for the saml provider.
Outputs
All input properties are implicitly available as output properties. Additionally, the SsoSettings resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing SsoSettings Resource
Get an existing SsoSettings resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SsoSettingsState, opts?: CustomResourceOptions): SsoSettings
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
oauth2_settings: Optional[SsoSettingsOauth2SettingsArgs] = None,
provider_name: Optional[str] = None,
saml_settings: Optional[SsoSettingsSamlSettingsArgs] = None) -> SsoSettings
func GetSsoSettings(ctx *Context, name string, id IDInput, state *SsoSettingsState, opts ...ResourceOption) (*SsoSettings, error)
public static SsoSettings Get(string name, Input<string> id, SsoSettingsState? state, CustomResourceOptions? opts = null)
public static SsoSettings get(String name, Output<String> id, SsoSettingsState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Oauth2Settings
Pulumiverse.
Grafana. Inputs. Sso Settings Oauth2Settings - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- Provider
Name string - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
- Saml
Settings Pulumiverse.Grafana. Inputs. Sso Settings Saml Settings - The SAML settings set. Required for the saml provider.
- Oauth2Settings
Sso
Settings Oauth2Settings Args - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- Provider
Name string - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
- Saml
Settings SsoSettings Saml Settings Args - The SAML settings set. Required for the saml provider.
- oauth2Settings
Sso
Settings Oauth2Settings - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- provider
Name String - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
- saml
Settings SsoSettings Saml Settings - The SAML settings set. Required for the saml provider.
- oauth2Settings
Sso
Settings Oauth2Settings - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- provider
Name string - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
- saml
Settings SsoSettings Saml Settings - The SAML settings set. Required for the saml provider.
- oauth2_
settings SsoSettings Oauth2Settings Args - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- provider_
name str - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
- saml_
settings SsoSettings Saml Settings Args - The SAML settings set. Required for the saml provider.
- oauth2Settings Property Map
- The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- provider
Name String - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
- saml
Settings Property Map - The SAML settings set. Required for the saml provider.
Supporting Types
SsoSettingsOauth2Settings, SsoSettingsOauth2SettingsArgs
- Client
Id string - The client Id of your OAuth2 app.
- Allow
Assign boolGrafana Admin - If enabled, it will automatically sync the Grafana server administrator role.
- Allow
Sign boolUp - If not enabled, only existing Grafana users can log in using OAuth.
- Allowed
Domains string - List of comma- or space-separated domains. The user should belong to at least one domain to log in.
- Allowed
Groups string - List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
- Allowed
Organizations string - List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
- Api
Url string - The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
- Auth
Style string - It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
- Auth
Url string - The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- Auto
Login bool - Log in automatically, skipping the login screen.
- Client
Secret string - The client secret of your OAuth2 app.
- Custom Dictionary<string, string>
- Custom fields to configure for OAuth2 such as the forceusegraph_api field.
- Define
Allowed boolGroups - Define allowed groups.
- Define
Allowed boolTeams Ids - Define allowed teams ids.
- Email
Attribute stringName - Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
- Email
Attribute stringPath - JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
- Empty
Scopes bool - If enabled, no scopes will be sent to the OAuth2 provider.
- Enabled bool
- Define whether this configuration is enabled for the specified provider. Defaults to
true
. - Groups
Attribute stringPath - JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
- Id
Token stringAttribute Name - The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
- Login
Attribute stringPath - JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
- Name string
- Helpful if you use more than one identity providers or SSO protocols.
- Name
Attribute stringPath - JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
- Role
Attribute stringPath - JMESPath expression to use for Grafana role lookup.
- Role
Attribute boolStrict - If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
- Scopes string
- List of comma- or space-separated OAuth2 scopes.
- Signout
Redirect stringUrl - The URL to redirect the user to after signing out from Grafana.
- Skip
Org boolRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- Team
Ids string - String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
- Team
Ids stringAttribute Path - The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
- Teams
Url string - The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
- Tls
Client stringCa - The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
- Tls
Client stringCert - The path to the certificate. Is not applicable on Grafana Cloud.
- Tls
Client stringKey - The path to the key. Is not applicable on Grafana Cloud.
- Tls
Skip boolVerify Insecure - If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
- Token
Url string - The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- Use
Pkce bool - If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
- Use
Refresh boolToken - If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
- Client
Id string - The client Id of your OAuth2 app.
- Allow
Assign boolGrafana Admin - If enabled, it will automatically sync the Grafana server administrator role.
- Allow
Sign boolUp - If not enabled, only existing Grafana users can log in using OAuth.
- Allowed
Domains string - List of comma- or space-separated domains. The user should belong to at least one domain to log in.
- Allowed
Groups string - List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
- Allowed
Organizations string - List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
- Api
Url string - The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
- Auth
Style string - It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
- Auth
Url string - The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- Auto
Login bool - Log in automatically, skipping the login screen.
- Client
Secret string - The client secret of your OAuth2 app.
- Custom map[string]string
- Custom fields to configure for OAuth2 such as the forceusegraph_api field.
- Define
Allowed boolGroups - Define allowed groups.
- Define
Allowed boolTeams Ids - Define allowed teams ids.
- Email
Attribute stringName - Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
- Email
Attribute stringPath - JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
- Empty
Scopes bool - If enabled, no scopes will be sent to the OAuth2 provider.
- Enabled bool
- Define whether this configuration is enabled for the specified provider. Defaults to
true
. - Groups
Attribute stringPath - JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
- Id
Token stringAttribute Name - The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
- Login
Attribute stringPath - JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
- Name string
- Helpful if you use more than one identity providers or SSO protocols.
- Name
Attribute stringPath - JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
- Role
Attribute stringPath - JMESPath expression to use for Grafana role lookup.
- Role
Attribute boolStrict - If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
- Scopes string
- List of comma- or space-separated OAuth2 scopes.
- Signout
Redirect stringUrl - The URL to redirect the user to after signing out from Grafana.
- Skip
Org boolRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- Team
Ids string - String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
- Team
Ids stringAttribute Path - The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
- Teams
Url string - The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
- Tls
Client stringCa - The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
- Tls
Client stringCert - The path to the certificate. Is not applicable on Grafana Cloud.
- Tls
Client stringKey - The path to the key. Is not applicable on Grafana Cloud.
- Tls
Skip boolVerify Insecure - If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
- Token
Url string - The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- Use
Pkce bool - If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
- Use
Refresh boolToken - If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
- client
Id String - The client Id of your OAuth2 app.
- allow
Assign BooleanGrafana Admin - If enabled, it will automatically sync the Grafana server administrator role.
- allow
Sign BooleanUp - If not enabled, only existing Grafana users can log in using OAuth.
- allowed
Domains String - List of comma- or space-separated domains. The user should belong to at least one domain to log in.
- allowed
Groups String - List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
- allowed
Organizations String - List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
- api
Url String - The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
- auth
Style String - It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
- auth
Url String - The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- auto
Login Boolean - Log in automatically, skipping the login screen.
- client
Secret String - The client secret of your OAuth2 app.
- custom Map<String,String>
- Custom fields to configure for OAuth2 such as the forceusegraph_api field.
- define
Allowed BooleanGroups - Define allowed groups.
- define
Allowed BooleanTeams Ids - Define allowed teams ids.
- email
Attribute StringName - Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
- email
Attribute StringPath - JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
- empty
Scopes Boolean - If enabled, no scopes will be sent to the OAuth2 provider.
- enabled Boolean
- Define whether this configuration is enabled for the specified provider. Defaults to
true
. - groups
Attribute StringPath - JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
- id
Token StringAttribute Name - The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
- login
Attribute StringPath - JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
- name String
- Helpful if you use more than one identity providers or SSO protocols.
- name
Attribute StringPath - JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
- role
Attribute StringPath - JMESPath expression to use for Grafana role lookup.
- role
Attribute BooleanStrict - If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
- scopes String
- List of comma- or space-separated OAuth2 scopes.
- signout
Redirect StringUrl - The URL to redirect the user to after signing out from Grafana.
- skip
Org BooleanRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- team
Ids String - String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
- team
Ids StringAttribute Path - The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
- teams
Url String - The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
- tls
Client StringCa - The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
- tls
Client StringCert - The path to the certificate. Is not applicable on Grafana Cloud.
- tls
Client StringKey - The path to the key. Is not applicable on Grafana Cloud.
- tls
Skip BooleanVerify Insecure - If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
- token
Url String - The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- use
Pkce Boolean - If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
- use
Refresh BooleanToken - If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
- client
Id string - The client Id of your OAuth2 app.
- allow
Assign booleanGrafana Admin - If enabled, it will automatically sync the Grafana server administrator role.
- allow
Sign booleanUp - If not enabled, only existing Grafana users can log in using OAuth.
- allowed
Domains string - List of comma- or space-separated domains. The user should belong to at least one domain to log in.
- allowed
Groups string - List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
- allowed
Organizations string - List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
- api
Url string - The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
- auth
Style string - It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
- auth
Url string - The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- auto
Login boolean - Log in automatically, skipping the login screen.
- client
Secret string - The client secret of your OAuth2 app.
- custom {[key: string]: string}
- Custom fields to configure for OAuth2 such as the forceusegraph_api field.
- define
Allowed booleanGroups - Define allowed groups.
- define
Allowed booleanTeams Ids - Define allowed teams ids.
- email
Attribute stringName - Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
- email
Attribute stringPath - JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
- empty
Scopes boolean - If enabled, no scopes will be sent to the OAuth2 provider.
- enabled boolean
- Define whether this configuration is enabled for the specified provider. Defaults to
true
. - groups
Attribute stringPath - JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
- id
Token stringAttribute Name - The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
- login
Attribute stringPath - JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
- name string
- Helpful if you use more than one identity providers or SSO protocols.
- name
Attribute stringPath - JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
- role
Attribute stringPath - JMESPath expression to use for Grafana role lookup.
- role
Attribute booleanStrict - If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
- scopes string
- List of comma- or space-separated OAuth2 scopes.
- signout
Redirect stringUrl - The URL to redirect the user to after signing out from Grafana.
- skip
Org booleanRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- team
Ids string - String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
- team
Ids stringAttribute Path - The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
- teams
Url string - The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
- tls
Client stringCa - The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
- tls
Client stringCert - The path to the certificate. Is not applicable on Grafana Cloud.
- tls
Client stringKey - The path to the key. Is not applicable on Grafana Cloud.
- tls
Skip booleanVerify Insecure - If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
- token
Url string - The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- use
Pkce boolean - If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
- use
Refresh booleanToken - If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
- client_
id str - The client Id of your OAuth2 app.
- allow_
assign_ boolgrafana_ admin - If enabled, it will automatically sync the Grafana server administrator role.
- allow_
sign_ boolup - If not enabled, only existing Grafana users can log in using OAuth.
- allowed_
domains str - List of comma- or space-separated domains. The user should belong to at least one domain to log in.
- allowed_
groups str - List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
- allowed_
organizations str - List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
- api_
url str - The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
- auth_
style str - It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
- auth_
url str - The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- auto_
login bool - Log in automatically, skipping the login screen.
- client_
secret str - The client secret of your OAuth2 app.
- custom Mapping[str, str]
- Custom fields to configure for OAuth2 such as the forceusegraph_api field.
- define_
allowed_ boolgroups - Define allowed groups.
- define_
allowed_ boolteams_ ids - Define allowed teams ids.
- email_
attribute_ strname - Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
- email_
attribute_ strpath - JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
- empty_
scopes bool - If enabled, no scopes will be sent to the OAuth2 provider.
- enabled bool
- Define whether this configuration is enabled for the specified provider. Defaults to
true
. - groups_
attribute_ strpath - JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
- id_
token_ strattribute_ name - The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
- login_
attribute_ strpath - JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
- name str
- Helpful if you use more than one identity providers or SSO protocols.
- name_
attribute_ strpath - JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
- role_
attribute_ strpath - JMESPath expression to use for Grafana role lookup.
- role_
attribute_ boolstrict - If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
- scopes str
- List of comma- or space-separated OAuth2 scopes.
- signout_
redirect_ strurl - The URL to redirect the user to after signing out from Grafana.
- skip_
org_ boolrole_ sync - Prevent synchronizing users’ organization roles from your IdP.
- team_
ids str - String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
- team_
ids_ strattribute_ path - The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
- teams_
url str - The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
- tls_
client_ strca - The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
- tls_
client_ strcert - The path to the certificate. Is not applicable on Grafana Cloud.
- tls_
client_ strkey - The path to the key. Is not applicable on Grafana Cloud.
- tls_
skip_ boolverify_ insecure - If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
- token_
url str - The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- use_
pkce bool - If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
- use_
refresh_ booltoken - If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
- client
Id String - The client Id of your OAuth2 app.
- allow
Assign BooleanGrafana Admin - If enabled, it will automatically sync the Grafana server administrator role.
- allow
Sign BooleanUp - If not enabled, only existing Grafana users can log in using OAuth.
- allowed
Domains String - List of comma- or space-separated domains. The user should belong to at least one domain to log in.
- allowed
Groups String - List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
- allowed
Organizations String - List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
- api
Url String - The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
- auth
Style String - It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
- auth
Url String - The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- auto
Login Boolean - Log in automatically, skipping the login screen.
- client
Secret String - The client secret of your OAuth2 app.
- custom Map<String>
- Custom fields to configure for OAuth2 such as the forceusegraph_api field.
- define
Allowed BooleanGroups - Define allowed groups.
- define
Allowed BooleanTeams Ids - Define allowed teams ids.
- email
Attribute StringName - Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
- email
Attribute StringPath - JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
- empty
Scopes Boolean - If enabled, no scopes will be sent to the OAuth2 provider.
- enabled Boolean
- Define whether this configuration is enabled for the specified provider. Defaults to
true
. - groups
Attribute StringPath - JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
- id
Token StringAttribute Name - The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
- login
Attribute StringPath - JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
- name String
- Helpful if you use more than one identity providers or SSO protocols.
- name
Attribute StringPath - JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
- role
Attribute StringPath - JMESPath expression to use for Grafana role lookup.
- role
Attribute BooleanStrict - If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
- scopes String
- List of comma- or space-separated OAuth2 scopes.
- signout
Redirect StringUrl - The URL to redirect the user to after signing out from Grafana.
- skip
Org BooleanRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- team
Ids String - String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
- team
Ids StringAttribute Path - The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
- teams
Url String - The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
- tls
Client StringCa - The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
- tls
Client StringCert - The path to the certificate. Is not applicable on Grafana Cloud.
- tls
Client StringKey - The path to the key. Is not applicable on Grafana Cloud.
- tls
Skip BooleanVerify Insecure - If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
- token
Url String - The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- use
Pkce Boolean - If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
- use
Refresh BooleanToken - If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
SsoSettingsSamlSettings, SsoSettingsSamlSettingsArgs
- Allow
Idp boolInitiated - Whether SAML IdP-initiated login is allowed.
- Allow
Sign boolUp - Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
- Allowed
Organizations string - List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
- Assertion
Attribute stringEmail - Friendly name or name of the attribute within the SAML assertion to use as the user email.
- Assertion
Attribute stringGroups - Friendly name or name of the attribute within the SAML assertion to use as the user groups.
- Assertion
Attribute stringLogin - Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
- Assertion
Attribute stringName - Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
- Assertion
Attribute stringOrg - Friendly name or name of the attribute within the SAML assertion to use as the user organization.
- Assertion
Attribute stringRole - Friendly name or name of the attribute within the SAML assertion to use as the user roles.
- Auto
Login bool - Whether SAML auto login is enabled.
- Certificate string
- Base64-encoded string for the SP X.509 certificate.
- Certificate
Path string - Path for the SP X.509 certificate.
- Enabled bool
- Define whether this configuration is enabled for SAML. Defaults to
true
. - Idp
Metadata string - Base64-encoded string for the IdP SAML metadata XML.
- Idp
Metadata stringPath - Path for the IdP SAML metadata XML.
- Idp
Metadata stringUrl - URL for the IdP SAML metadata XML.
- Max
Issue stringDelay - Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
- Metadata
Valid stringDuration - Duration, for how long the SP metadata is valid. For example: 48h, 5d.
- Name string
- Name used to refer to the SAML authentication.
- Name
Id stringFormat - The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- Org
Mapping string - List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
- Private
Key string - Base64-encoded string for the SP private key.
- Private
Key stringPath - Path for the SP private key.
- Relay
State string - Relay state for IdP-initiated login. Should match relay state configured in IdP.
- Role
Values stringAdmin - List of comma- or space-separated roles which will be mapped into the Admin role.
- Role
Values stringEditor - List of comma- or space-separated roles which will be mapped into the Editor role.
- Role
Values stringGrafana Admin - List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
- Role
Values stringNone - List of comma- or space-separated roles which will be mapped into the None role.
- Role
Values stringViewer - List of comma- or space-separated roles which will be mapped into the Viewer role.
- Signature
Algorithm string - Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
- Single
Logout bool - Whether SAML Single Logout is enabled.
- Skip
Org boolRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- Allow
Idp boolInitiated - Whether SAML IdP-initiated login is allowed.
- Allow
Sign boolUp - Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
- Allowed
Organizations string - List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
- Assertion
Attribute stringEmail - Friendly name or name of the attribute within the SAML assertion to use as the user email.
- Assertion
Attribute stringGroups - Friendly name or name of the attribute within the SAML assertion to use as the user groups.
- Assertion
Attribute stringLogin - Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
- Assertion
Attribute stringName - Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
- Assertion
Attribute stringOrg - Friendly name or name of the attribute within the SAML assertion to use as the user organization.
- Assertion
Attribute stringRole - Friendly name or name of the attribute within the SAML assertion to use as the user roles.
- Auto
Login bool - Whether SAML auto login is enabled.
- Certificate string
- Base64-encoded string for the SP X.509 certificate.
- Certificate
Path string - Path for the SP X.509 certificate.
- Enabled bool
- Define whether this configuration is enabled for SAML. Defaults to
true
. - Idp
Metadata string - Base64-encoded string for the IdP SAML metadata XML.
- Idp
Metadata stringPath - Path for the IdP SAML metadata XML.
- Idp
Metadata stringUrl - URL for the IdP SAML metadata XML.
- Max
Issue stringDelay - Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
- Metadata
Valid stringDuration - Duration, for how long the SP metadata is valid. For example: 48h, 5d.
- Name string
- Name used to refer to the SAML authentication.
- Name
Id stringFormat - The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- Org
Mapping string - List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
- Private
Key string - Base64-encoded string for the SP private key.
- Private
Key stringPath - Path for the SP private key.
- Relay
State string - Relay state for IdP-initiated login. Should match relay state configured in IdP.
- Role
Values stringAdmin - List of comma- or space-separated roles which will be mapped into the Admin role.
- Role
Values stringEditor - List of comma- or space-separated roles which will be mapped into the Editor role.
- Role
Values stringGrafana Admin - List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
- Role
Values stringNone - List of comma- or space-separated roles which will be mapped into the None role.
- Role
Values stringViewer - List of comma- or space-separated roles which will be mapped into the Viewer role.
- Signature
Algorithm string - Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
- Single
Logout bool - Whether SAML Single Logout is enabled.
- Skip
Org boolRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- allow
Idp BooleanInitiated - Whether SAML IdP-initiated login is allowed.
- allow
Sign BooleanUp - Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
- allowed
Organizations String - List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
- assertion
Attribute StringEmail - Friendly name or name of the attribute within the SAML assertion to use as the user email.
- assertion
Attribute StringGroups - Friendly name or name of the attribute within the SAML assertion to use as the user groups.
- assertion
Attribute StringLogin - Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
- assertion
Attribute StringName - Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
- assertion
Attribute StringOrg - Friendly name or name of the attribute within the SAML assertion to use as the user organization.
- assertion
Attribute StringRole - Friendly name or name of the attribute within the SAML assertion to use as the user roles.
- auto
Login Boolean - Whether SAML auto login is enabled.
- certificate String
- Base64-encoded string for the SP X.509 certificate.
- certificate
Path String - Path for the SP X.509 certificate.
- enabled Boolean
- Define whether this configuration is enabled for SAML. Defaults to
true
. - idp
Metadata String - Base64-encoded string for the IdP SAML metadata XML.
- idp
Metadata StringPath - Path for the IdP SAML metadata XML.
- idp
Metadata StringUrl - URL for the IdP SAML metadata XML.
- max
Issue StringDelay - Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
- metadata
Valid StringDuration - Duration, for how long the SP metadata is valid. For example: 48h, 5d.
- name String
- Name used to refer to the SAML authentication.
- name
Id StringFormat - The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- org
Mapping String - List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
- private
Key String - Base64-encoded string for the SP private key.
- private
Key StringPath - Path for the SP private key.
- relay
State String - Relay state for IdP-initiated login. Should match relay state configured in IdP.
- role
Values StringAdmin - List of comma- or space-separated roles which will be mapped into the Admin role.
- role
Values StringEditor - List of comma- or space-separated roles which will be mapped into the Editor role.
- role
Values StringGrafana Admin - List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
- role
Values StringNone - List of comma- or space-separated roles which will be mapped into the None role.
- role
Values StringViewer - List of comma- or space-separated roles which will be mapped into the Viewer role.
- signature
Algorithm String - Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
- single
Logout Boolean - Whether SAML Single Logout is enabled.
- skip
Org BooleanRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- allow
Idp booleanInitiated - Whether SAML IdP-initiated login is allowed.
- allow
Sign booleanUp - Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
- allowed
Organizations string - List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
- assertion
Attribute stringEmail - Friendly name or name of the attribute within the SAML assertion to use as the user email.
- assertion
Attribute stringGroups - Friendly name or name of the attribute within the SAML assertion to use as the user groups.
- assertion
Attribute stringLogin - Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
- assertion
Attribute stringName - Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
- assertion
Attribute stringOrg - Friendly name or name of the attribute within the SAML assertion to use as the user organization.
- assertion
Attribute stringRole - Friendly name or name of the attribute within the SAML assertion to use as the user roles.
- auto
Login boolean - Whether SAML auto login is enabled.
- certificate string
- Base64-encoded string for the SP X.509 certificate.
- certificate
Path string - Path for the SP X.509 certificate.
- enabled boolean
- Define whether this configuration is enabled for SAML. Defaults to
true
. - idp
Metadata string - Base64-encoded string for the IdP SAML metadata XML.
- idp
Metadata stringPath - Path for the IdP SAML metadata XML.
- idp
Metadata stringUrl - URL for the IdP SAML metadata XML.
- max
Issue stringDelay - Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
- metadata
Valid stringDuration - Duration, for how long the SP metadata is valid. For example: 48h, 5d.
- name string
- Name used to refer to the SAML authentication.
- name
Id stringFormat - The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- org
Mapping string - List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
- private
Key string - Base64-encoded string for the SP private key.
- private
Key stringPath - Path for the SP private key.
- relay
State string - Relay state for IdP-initiated login. Should match relay state configured in IdP.
- role
Values stringAdmin - List of comma- or space-separated roles which will be mapped into the Admin role.
- role
Values stringEditor - List of comma- or space-separated roles which will be mapped into the Editor role.
- role
Values stringGrafana Admin - List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
- role
Values stringNone - List of comma- or space-separated roles which will be mapped into the None role.
- role
Values stringViewer - List of comma- or space-separated roles which will be mapped into the Viewer role.
- signature
Algorithm string - Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
- single
Logout boolean - Whether SAML Single Logout is enabled.
- skip
Org booleanRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- allow_
idp_ boolinitiated - Whether SAML IdP-initiated login is allowed.
- allow_
sign_ boolup - Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
- allowed_
organizations str - List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
- assertion_
attribute_ stremail - Friendly name or name of the attribute within the SAML assertion to use as the user email.
- assertion_
attribute_ strgroups - Friendly name or name of the attribute within the SAML assertion to use as the user groups.
- assertion_
attribute_ strlogin - Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
- assertion_
attribute_ strname - Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
- assertion_
attribute_ strorg - Friendly name or name of the attribute within the SAML assertion to use as the user organization.
- assertion_
attribute_ strrole - Friendly name or name of the attribute within the SAML assertion to use as the user roles.
- auto_
login bool - Whether SAML auto login is enabled.
- certificate str
- Base64-encoded string for the SP X.509 certificate.
- certificate_
path str - Path for the SP X.509 certificate.
- enabled bool
- Define whether this configuration is enabled for SAML. Defaults to
true
. - idp_
metadata str - Base64-encoded string for the IdP SAML metadata XML.
- idp_
metadata_ strpath - Path for the IdP SAML metadata XML.
- idp_
metadata_ strurl - URL for the IdP SAML metadata XML.
- max_
issue_ strdelay - Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
- metadata_
valid_ strduration - Duration, for how long the SP metadata is valid. For example: 48h, 5d.
- name str
- Name used to refer to the SAML authentication.
- name_
id_ strformat - The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- org_
mapping str - List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
- private_
key str - Base64-encoded string for the SP private key.
- private_
key_ strpath - Path for the SP private key.
- relay_
state str - Relay state for IdP-initiated login. Should match relay state configured in IdP.
- role_
values_ stradmin - List of comma- or space-separated roles which will be mapped into the Admin role.
- role_
values_ streditor - List of comma- or space-separated roles which will be mapped into the Editor role.
- role_
values_ strgrafana_ admin - List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
- role_
values_ strnone - List of comma- or space-separated roles which will be mapped into the None role.
- role_
values_ strviewer - List of comma- or space-separated roles which will be mapped into the Viewer role.
- signature_
algorithm str - Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
- single_
logout bool - Whether SAML Single Logout is enabled.
- skip_
org_ boolrole_ sync - Prevent synchronizing users’ organization roles from your IdP.
- allow
Idp BooleanInitiated - Whether SAML IdP-initiated login is allowed.
- allow
Sign BooleanUp - Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
- allowed
Organizations String - List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
- assertion
Attribute StringEmail - Friendly name or name of the attribute within the SAML assertion to use as the user email.
- assertion
Attribute StringGroups - Friendly name or name of the attribute within the SAML assertion to use as the user groups.
- assertion
Attribute StringLogin - Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
- assertion
Attribute StringName - Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
- assertion
Attribute StringOrg - Friendly name or name of the attribute within the SAML assertion to use as the user organization.
- assertion
Attribute StringRole - Friendly name or name of the attribute within the SAML assertion to use as the user roles.
- auto
Login Boolean - Whether SAML auto login is enabled.
- certificate String
- Base64-encoded string for the SP X.509 certificate.
- certificate
Path String - Path for the SP X.509 certificate.
- enabled Boolean
- Define whether this configuration is enabled for SAML. Defaults to
true
. - idp
Metadata String - Base64-encoded string for the IdP SAML metadata XML.
- idp
Metadata StringPath - Path for the IdP SAML metadata XML.
- idp
Metadata StringUrl - URL for the IdP SAML metadata XML.
- max
Issue StringDelay - Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
- metadata
Valid StringDuration - Duration, for how long the SP metadata is valid. For example: 48h, 5d.
- name String
- Name used to refer to the SAML authentication.
- name
Id StringFormat - The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- org
Mapping String - List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
- private
Key String - Base64-encoded string for the SP private key.
- private
Key StringPath - Path for the SP private key.
- relay
State String - Relay state for IdP-initiated login. Should match relay state configured in IdP.
- role
Values StringAdmin - List of comma- or space-separated roles which will be mapped into the Admin role.
- role
Values StringEditor - List of comma- or space-separated roles which will be mapped into the Editor role.
- role
Values StringGrafana Admin - List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
- role
Values StringNone - List of comma- or space-separated roles which will be mapped into the None role.
- role
Values StringViewer - List of comma- or space-separated roles which will be mapped into the Viewer role.
- signature
Algorithm String - Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
- single
Logout Boolean - Whether SAML Single Logout is enabled.
- skip
Org BooleanRole Sync - Prevent synchronizing users’ organization roles from your IdP.
Import
$ pulumi import grafana:index/ssoSettings:SsoSettings name "{{ provider }}"
$ pulumi import grafana:index/ssoSettings:SsoSettings name "{{ orgID }}:{{ provider }}"
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- grafana pulumiverse/pulumi-grafana
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
grafana
Terraform Provider.