diff --git a/docs/sources/administration/migration-guide/manually-migrate-to-grafana-cloud.md b/docs/sources/administration/migration-guide/manually-migrate-to-grafana-cloud.md index 5f4fa75a787..6c97c00b62a 100644 --- a/docs/sources/administration/migration-guide/manually-migrate-to-grafana-cloud.md +++ b/docs/sources/administration/migration-guide/manually-migrate-to-grafana-cloud.md @@ -54,7 +54,7 @@ Ensure you have the following: ## Upgrade Grafana OSS/Enterprise to the latest version -Grafana Cloud stacks generally run the latest version of Grafana. In order to avoid issues during migration, upgrade Grafana by following our guides [here](https://grafana.com/docs/grafana/latest/upgrade-guide/). +Grafana Cloud stacks generally run the latest version of Grafana. In order to avoid issues during migration, upgrade Grafana by following our guides [here](https://grafana.com/docs/grafana//upgrade-guide/). ## Migrate Grafana resources 
@@ -275,28 +275,28 @@ Grizzly does not currently support Reports and Playlists as a resource, so you c ### Migrate single sign-on configuration -Grafana Cloud stacks support all of the same authentication and authorization options as Grafana OSS/Enterprise, except for [anonymous authentication](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/anonymous-auth/) and use of the [Auth proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/). However, single sign-on settings cannot be exported and imported like dashboards, alerts, and other resources. +Grafana Cloud stacks support all of the same authentication and authorization options as Grafana OSS/Enterprise, except for [anonymous authentication](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/anonymous-auth/) and use of the [Auth proxy](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/auth-proxy/). However, single sign-on settings cannot be exported and imported like dashboards, alerts, and other resources. -To set up SAML authentication from scratch using Grafana’s UI or API, follow [these instructions](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/saml-ui/) to Configure SAML authentication in Grafana. +To set up SAML authentication from scratch using Grafana’s UI or API, follow [these instructions](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/saml-ui/) to Configure SAML authentication in Grafana. LDAP and OIDC/OAuth2 can only be configured in Grafana Cloud by the Grafana Labs support team. Follow [these instructions](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/) to request SSO configuration from the support team. 
### Migrate custom Grafana configuration -You may have customized the [configuration](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/) of your Grafana OSS/Enterprise instance, for example with feature toggles, custom auth, or embedding options. Since Grafana configuration is stored in environment variables or the filesystem where Grafana runs, Grafana Cloud users do not have access to it. However, you can open a support ticket to ask a Grafana Labs support engineer for customizations. +You may have customized the [configuration](https://grafana.com/docs/grafana//setup-grafana/configure-grafana/) of your Grafana OSS/Enterprise instance, for example with feature toggles, custom auth, or embedding options. Since Grafana configuration is stored in environment variables or the filesystem where Grafana runs, Grafana Cloud users do not have access to it. However, you can open a support ticket to ask a Grafana Labs support engineer for customizations. The following customizations are available via support: -- Enabling [feature toggles](http://www.grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/feature-toggles). -- [Single sign-on and team sync using SAML, LDAP, or OAuth](http://www.grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication). -- Enable [embedding Grafana dashboards in other applications](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#allow_embedding) for Grafana Cloud contracted customers. -- [Audit logging](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/audit-grafana/) ([Usage insights logs and dashboards](https://grafana.com/docs/grafana-cloud/account-management/usage-insights/) are available in select Grafana Cloud paid accounts). +- Enabling [feature toggles](http://www.grafana.com/docs/grafana//setup-grafana/configure-grafana/feature-toggles). 
+- [Single sign-on and team sync using SAML, LDAP, or OAuth](http://www.grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication). +- Enable [embedding Grafana dashboards in other applications](https://grafana.com/docs/grafana//setup-grafana/configure-grafana/#allow_embedding) for Grafana Cloud contracted customers. +- [Audit logging](https://grafana.com/docs/grafana//setup-grafana/configure-security/audit-grafana/) ([Usage insights logs and dashboards](https://grafana.com/docs/grafana-cloud/account-management/usage-insights/) are available in select Grafana Cloud paid accounts). Note that the following custom configurations are not supported in Grafana Cloud: -- [Anonymous user access](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/anonymous-auth/). -- [Auth proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/). -- [Third-party database encryption](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-database-encryption/) and the [Hashicorp Vault](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-database-encryption/encrypt-secrets-using-hashicorp-key-vault/) integration. +- [Anonymous user access](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/anonymous-auth/). +- [Auth proxy](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/auth-proxy/). +- [Third-party database encryption](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-database-encryption/) and the [Hashicorp Vault](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-database-encryption/encrypt-secrets-using-hashicorp-key-vault/) integration. - Running self-signed plugins, like custom-built data sources or visualizations. 
For more information on plugin signing, refer to our [developer documentation](https://grafana.com/developers/plugin-tools/publish-a-plugin/sign-a-plugin). If you have a custom configuration in Grafana OSS/Enterprise that is not listed here, reach out to our support team to find out whether they can help you set it up. diff --git a/docs/sources/administration/roles-and-permissions/access-control/_index.md b/docs/sources/administration/roles-and-permissions/access-control/_index.md index 9cc5406ffc8..db72bb1b49f 100644 --- a/docs/sources/administration/roles-and-permissions/access-control/_index.md +++ b/docs/sources/administration/roles-and-permissions/access-control/_index.md @@ -185,7 +185,7 @@ Assign fixed roles when the basic roles do not meet your permission requirements - [Explore](/docs/grafana//explore/) - [Feature Toggles](/docs/grafana//administration/feature-toggles/) - [Folders](ref:dashboards-create-a-dashboard-folder) -- [LDAP](/docs/grafana//setup-grafana/configure-security/configure-authentication/ldap/) +- [LDAP](/docs/grafana//setup-grafana/configure-access/configure-authentication/ldap/) - [Library panels](ref:dashboards-manage-library-panels) - [Licenses](/docs/grafana//administration/stats-and-license/) - [Organizations](/docs/grafana//administration/organization-management/) diff --git a/docs/sources/administration/roles-and-permissions/access-control/plan-rbac-rollout-strategy/index.md b/docs/sources/administration/roles-and-permissions/access-control/plan-rbac-rollout-strategy/index.md index b6bf0bfe759..1924ab84149 100644 --- a/docs/sources/administration/roles-and-permissions/access-control/plan-rbac-rollout-strategy/index.md +++ b/docs/sources/administration/roles-and-permissions/access-control/plan-rbac-rollout-strategy/index.md 
@@ -82,7 +82,7 @@ For example: 1. Map SAML, LDAP, or Oauth roles to Grafana basic roles (viewer, editor, or admin). -2. Use the Grafana Enterprise team sync feature to synchronize teams from your SAML, LDAP, or Oauth provider to Grafana. For more information about team sync, refer to [Team sync](/docs/grafana//setup-grafana/configure-security/configure-team-sync/). +2. Use the Grafana Enterprise team sync feature to synchronize teams from your SAML, LDAP, or OAuth provider to Grafana. For more information about team sync, refer to [Team sync](/docs/grafana//setup-grafana/configure-access/configure-team-sync/). 3. Within Grafana, assign RBAC permissions to users and teams. @@ -123,7 +123,7 @@ If you have a use case that you'd like to share, feel free to contribute to this 1. In Grafana, create a team with the name `Internal employees`. 1. Assign the `fixed:datasources:explorer` role to the `Internal employees` team. -1. Add internal employees to the `Internal employees` team, or map them from a SAML, LDAP, or Oauth team using [Team Sync](/docs/grafana//setup-grafana/configure-security/configure-team-sync/). +1. Add internal employees to the `Internal employees` team, or map them from a SAML, LDAP, or OAuth team using [Team Sync](/docs/grafana//setup-grafana/configure-access/configure-team-sync/). 1. Assign the viewer role to both internal employees and contractors. ### Limit viewer, editor, or admin permissions diff --git a/docs/sources/administration/team-management/configure-grafana-teams.md b/docs/sources/administration/team-management/configure-grafana-teams.md index 7f2b9e051e9..06dff486046 100644 --- a/docs/sources/administration/team-management/configure-grafana-teams.md +++ b/docs/sources/administration/team-management/configure-grafana-teams.md 
@@ -32,7 +32,7 @@ Before you begin creating and working with Grafana Teams: Recommended for `isolated` teams. - Viewer role - by default can view all resources. Recommended for `collaborative` teams. - Ensure team sync is turned on if you plan to manage team members through team sync. -Refer to [Configure Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-team-sync/) for a list of providers and instructions on how to turn on team sync for each provider. +Refer to [Configure Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync/) for a list of providers and instructions on how to turn on team sync for each provider. {{< admonition type="note" >}} diff --git a/docs/sources/breaking-changes/breaking-changes-v10-0.md b/docs/sources/breaking-changes/breaking-changes-v10-0.md index 8250dba93d2..f55c473a793 100644 --- a/docs/sources/breaking-changes/breaking-changes-v10-0.md +++ b/docs/sources/breaking-changes/breaking-changes-v10-0.md @@ -193,7 +193,7 @@ We strongly recommend not doing this in case you are using Azure AD as an identi #### Learn more - [CVE-2023-3128 Advisory](https://grafana.com/security/security-advisories/cve-2023-3128//) -- [Enable email lookup](../../setup-grafana/configure-security/configure-authentication/) +- [Enable email lookup](../../setup-grafana/configure-access/configure-authentication/) ### The "Alias" field in the CloudWatch data source is removed diff --git a/docs/sources/breaking-changes/breaking-changes-v11-0.md b/docs/sources/breaking-changes/breaking-changes-v11-0.md index 883c062ae04..313015b275d 100644 --- a/docs/sources/breaking-changes/breaking-changes-v11-0.md +++ b/docs/sources/breaking-changes/breaking-changes-v11-0.md 
@@ -81,7 +81,7 @@ Turn off anonymous access, and consider using public dashboards to allow view-on #### Learn more -[Anonymous access documentation](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/grafana/#anonymous-authentication) +[Anonymous access documentation](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/grafana/#anonymous-authentication) ### Legacy alerting is entirely removed diff --git a/docs/sources/datasources/azure-monitor/_index.md b/docs/sources/datasources/azure-monitor/_index.md index 7814af16326..90452f4cc52 100644 --- a/docs/sources/datasources/azure-monitor/_index.md +++ b/docs/sources/datasources/azure-monitor/_index.md @@ -41,9 +41,9 @@ refs: destination: /docs/grafana//explore/ configure-grafana-azure-auth: - pattern: /docs/grafana/ - destination: /docs/grafana//setup-grafana/configure-security/configure-authentication/azuread/ + destination: /docs/grafana//setup-grafana/configure-access/configure-authentication/azuread/ - pattern: /docs/grafana-cloud/ - destination: /docs/grafana//setup-grafana/configure-security/configure-authentication/azuread/ + destination: /docs/grafana//setup-grafana/configure-access/configure-authentication/azuread/ build-dashboards: - pattern: /docs/grafana/ destination: /docs/grafana//dashboards/build-dashboards/ 
@@ -61,9 +61,9 @@ refs: destination: /docs/grafana//administration/data-source-management/ configure-grafana-azure-auth-scopes: - pattern: /docs/grafana/ - destination: /docs/grafana//setup-grafana/configure-security/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana + destination: /docs/grafana//setup-grafana/configure-access/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana - pattern: /docs/grafana-cloud/ - destination: /docs/grafana//setup-grafana/configure-security/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana + destination: /docs/grafana//setup-grafana/configure-access/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana --- # Azure Monitor data source diff --git a/docs/sources/datasources/graphite/_index.md b/docs/sources/datasources/graphite/_index.md index af2320fe73c..fba9d616f38 100644 --- a/docs/sources/datasources/graphite/_index.md +++ b/docs/sources/datasources/graphite/_index.md @@ -38,9 +38,9 @@ refs: destination: /docs/grafana//dashboards/build-dashboards/ configure-authentication: - pattern: /docs/grafana/ - destination: /docs/grafana//setup-grafana/configure-security/configure-authentication/ + destination: /docs/grafana//setup-grafana/configure-access/configure-authentication/ - pattern: /docs/grafana-cloud/ - destination: /docs/grafana//setup-grafana/configure-security/configure-authentication/ + destination: /docs/grafana//setup-grafana/configure-access/configure-authentication/ data-source-management: - pattern: /docs/grafana/ destination: /docs/grafana//administration/data-source-management/ diff --git a/docs/sources/datasources/graphite/configure/index.md b/docs/sources/datasources/graphite/configure/index.md index ab384c99560..ce09ece5be1 100644 --- a/docs/sources/datasources/graphite/configure/index.md +++ b/docs/sources/datasources/graphite/configure/index.md 
@@ -39,9 +39,9 @@ refs: destination: /docs/grafana//dashboards/build-dashboards/ configure-authentication: - pattern: /docs/grafana/ - destination: /docs/grafana//setup-grafana/configure-security/configure-authentication/ + destination: /docs/grafana//setup-grafana/configure-access/configure-authentication/ - pattern: /docs/grafana-cloud/ - destination: /docs/grafana//setup-grafana/configure-security/configure-authentication/ + destination: /docs/grafana//setup-grafana/configure-access/configure-authentication/ data-source-management: - pattern: /docs/grafana/ destination: /docs/grafana//administration/data-source-management/ diff --git a/docs/sources/datasources/prometheus/configure/azure-authentication.md b/docs/sources/datasources/prometheus/configure/azure-authentication.md index 6333a160330..49e4909d0c5 100644 --- a/docs/sources/datasources/prometheus/configure/azure-authentication.md +++ b/docs/sources/datasources/prometheus/configure/azure-authentication.md 
@@ -99,15 +99,15 @@ After creating a Azure Monitor Managed Service for Prometheus data source: 1. In the data source configuration page, locate the **Authentication** section 2. Select your authentication method: - - **Managed Identity**: For Azure-hosted Grafana instances. To learn more about Entra login for Grafana, refer to [Configure Azure AD/Entra ID OAuth authentication](/docs/grafana//setup-grafana/configure-security/configure-authentication/azuread/#configure-azure-adentra-id-oauth-authentication) + - **Managed Identity**: For Azure-hosted Grafana instances. To learn more about Entra login for Grafana, refer to [Configure Entra ID/Entra ID OAuth authentication](/docs/grafana//setup-grafana/configure-access/configure-authentication/azuread/#configure-azure-adentra-id-oauth-authentication) - **App Registration**: For service principal authentication - - **Current User**: Uses the current user's Azure AD credentials + - **Current User**: Uses the current user's Entra ID credentials 3. Configure based on your chosen method: | Setting | Description | Example | | --------------------------- | ------------------------------- | -------------------------------------- | -| **Directory (tenant) ID** | Your Azure AD tenant ID | `12345678-1234-1234-1234-123456789012` | +| **Directory (tenant) ID** | Your Entra ID tenant ID | `12345678-1234-1234-1234-123456789012` | | **Application (client) ID** | Your app registration client ID | `87654321-4321-4321-4321-210987654321` | | **Client secret** | Your app registration secret | `your-client-secret` | diff --git a/docs/sources/developers/http_api/examples/curl-examples.md b/docs/sources/developers/http_api/examples/curl-examples.md index b00e59feb4a..80e48db81a5 100644 --- a/docs/sources/developers/http_api/examples/curl-examples.md +++ b/docs/sources/developers/http_api/examples/curl-examples.md 
@@ -27,16 +27,16 @@ The most basic example for a dashboard for which there is no authentication. You curl http://localhost:3000/api/search ``` -Here's a cURL command that works for getting the home dashboard when you are running Grafana locally with [basic authentication](/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/#basic-auth) enabled using the default admin credentials: +Here's a cURL command that works for getting the home dashboard when you are running Grafana locally with [basic authentication](/docs/grafana//setup-grafana/configure-access/configure-authentication/#basic-auth) enabled using the default admin credentials: ``` curl http://admin:admin@localhost:3000/api/search ``` -To pass a username and password with [HTTP basic authorization](/docs/grafana/latest/administration/roles-and-permissions/access-control/manage-rbac-roles/), encode them as base64. +To pass a username and password with [HTTP basic authorization](/docs/grafana//administration/roles-and-permissions/access-control/manage-rbac-roles/), encode them as base64. You can't use authorization tokens in the request. -For example, to [list permissions associated with roles](/docs/grafana/latest/administration/roles-and-permissions/access-control/manage-rbac-roles/) given a username of `user` and password of `password`, use: +For example, to [list permissions associated with roles](/docs/grafana//administration/roles-and-permissions/access-control/manage-rbac-roles/) given a username of `user` and password of `password`, use: ``` curl --location '/api/access-control/builtin-roles' --user 'user:password' diff --git a/docs/sources/developers/http_api/sso-settings.md b/docs/sources/developers/http_api/sso-settings.md index a99a4d6f0fc..6aba3759f9c 100644 --- a/docs/sources/developers/http_api/sso-settings.md +++ b/docs/sources/developers/http_api/sso-settings.md 
@@ -25,7 +25,7 @@ title: SSO Settings API The API can be used to create, update, delete, get, and list SSO Settings for OAuth2 and SAML. The settings managed by this API are stored in the database and override -[settings from other sources](../../../setup-grafana/configure-security/configure-authentication/) +[settings from other sources](../../../setup-grafana/configure-access/configure-authentication/) (arguments, environment variables, settings file, etc). Therefore, every time settings for a specific provider are removed or reset to the default settings at runtime, the settings are inherited from the other sources in the reverse order of precedence diff --git a/docs/sources/fundamentals/getting-started/first-dashboards/_index.md b/docs/sources/fundamentals/getting-started/first-dashboards/_index.md index 72b65613a9a..01be1e54d00 100644 --- a/docs/sources/fundamentals/getting-started/first-dashboards/_index.md +++ b/docs/sources/fundamentals/getting-started/first-dashboards/_index.md @@ -85,7 +85,7 @@ Continue to experiment with what you have built, try the [explore workflow](http The following topics are of interest to Grafana server admin users: - [Grafana configuration](https://grafana.com/docs/grafana//setup-grafana/configure-grafana/) -- [Authentication](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/) +- [Authentication](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/) - [User permissions and roles](https://grafana.com/docs/grafana//administration/roles-and-permissions/) - [Provisioning](https://grafana.com/docs/grafana//administration/provisioning/) - [Grafana CLI](https://grafana.com/docs/grafana//cli/) diff --git a/docs/sources/introduction/_index.md b/docs/sources/introduction/_index.md index 3c71f685351..62ed1d7074d 100644 --- a/docs/sources/introduction/_index.md +++ b/docs/sources/introduction/_index.md 
@@ -16,7 +16,7 @@ weight: 5 [Grafana open source software](/oss/) enables you to query, visualize, alert on, and explore your metrics, logs, and traces wherever they are stored. Grafana OSS provides you with tools to turn your time-series database (TSDB) data into insightful graphs and visualizations. The Grafana OSS plugin framework also enables you to connect other data sources like NoSQL/SQL databases, ticketing tools like Jira or ServiceNow, and CI/CD tooling like GitLab. -After you have [installed Grafana](../setup-grafana/installation/) and set up your first dashboard using instructions in [Getting started with Grafana](../getting-started/build-first-dashboard/), you will have many options to choose from depending on your requirements. For example, if you want to view weather data and statistics about your smart home, then you can create a [playlist](../dashboards/create-manage-playlists/). If you are the administrator for an enterprise and are managing Grafana for multiple teams, then you can set up [provisioning](../administration/provisioning/) and [authentication](../setup-grafana/configure-security/configure-authentication/). +After you have [installed Grafana](../setup-grafana/installation/) and set up your first dashboard using instructions in [Getting started with Grafana](../getting-started/build-first-dashboard/), you will have many options to choose from depending on your requirements. For example, if you want to view weather data and statistics about your smart home, then you can create a [playlist](../dashboards/create-manage-playlists/). If you are the administrator for an enterprise and are managing Grafana for multiple teams, then you can set up [provisioning](../administration/provisioning/) and [authentication](../setup-grafana/configure-access/configure-authentication/). The following sections provide an overview of Grafana features and links to product documentation to help you learn more. 
For more guidance and ideas, check out our [Grafana Community forums](https://community.grafana.com/). @@ -54,7 +54,7 @@ Discover hundreds of [dashboards](/grafana/dashboards) and [plugins](/grafana/pl ## Authentication -Grafana supports different authentication methods, such as LDAP and OAuth, and allows you to map users to organizations. Refer to the [User authentication overview](../setup-grafana/configure-security/configure-authentication/) for more information. +Grafana supports different authentication methods, such as LDAP and OAuth, and allows you to map users to organizations. Refer to the [User authentication overview](../setup-grafana/configure-access/configure-authentication/) for more information. In Grafana Enterprise, you can also map users to teams: If your company has its own authentication system, Grafana allows you to map the teams in your internal systems to teams in Grafana. That way, you can automatically give people access to the dashboards designated for their teams. Refer to [Grafana Enterprise](grafana-enterprise/) for more information. diff --git a/docs/sources/introduction/grafana-enterprise.md b/docs/sources/introduction/grafana-enterprise.md index 023aa5d6583..5500601829d 100644 --- a/docs/sources/introduction/grafana-enterprise.md +++ b/docs/sources/introduction/grafana-enterprise.md 
@@ -29,31 +29,31 @@ Grafana Enterprise includes integrations with more ways to authenticate your use ### Team sync -[Team sync](/docs/grafana//setup-grafana/configure-security/configure-team-sync/) allows you to set up synchronization between teams in Grafana and teams in your auth provider so that your users automatically end up in the right team. +[Team sync](/docs/grafana//setup-grafana/configure-access/configure-team-sync/) allows you to set up synchronization between teams in Grafana and teams in your auth provider so that your users automatically end up in the right team. Supported auth providers: -- [Auth Proxy](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/auth-proxy#team-sync-enterprise-only) -- [Azure AD OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/azuread/#team-sync-enterprise-only) -- [GitHub OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/github/#configure-team-synchronization) -- [Generic OAuth integration](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/generic-oauth/#configure-team-synchronization) -- [GitLab OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/gitlab/#configure-team-synchronization) -- [Google OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/google/#configure-team-synchronization) -- [LDAP](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/enhanced-ldap/#ldap-group-synchronization-for-teams) -- [Okta](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/okta#configure-team-synchronization-enterprise-only) -- [SAML](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml#configure-team-sync) +- [Auth 
Proxy](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/auth-proxy#team-sync-enterprise-only) +- [Entra ID OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/azuread/#team-sync-enterprise-only) +- [GitHub OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/github/#configure-team-synchronization) +- [Generic OAuth integration](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/generic-oauth/#configure-team-synchronization) +- [GitLab OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/gitlab/#configure-team-synchronization) +- [Google OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/google/#configure-team-synchronization) +- [LDAP](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/enhanced-ldap/#ldap-group-synchronization-for-teams) +- [Okta](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/okta#configure-team-synchronization-enterprise-only) +- [SAML](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml#configure-team-sync) ### Enhanced LDAP integration -With [enhanced LDAP integration](/docs/grafana//setup-grafana/configure-security/configure-authentication/enhanced-ldap/), you can set up active LDAP synchronization. +With [enhanced LDAP integration](/docs/grafana//setup-grafana/configure-access/configure-authentication/enhanced-ldap/), you can set up active LDAP synchronization. ### SAML authentication -[SAML authentication](/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/) enables users to authenticate with single sign-on services that use Security Assertion Markup Language (SAML). 
+[SAML authentication](/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/) enables users to authenticate with single sign-on services that use Security Assertion Markup Language (SAML). ### Protected roles -With [protected roles](/docs/grafana//setup-grafana/configure-security/configure-authentication/#protected-roles), you can define user roles that are exempt from being converted from one authentication type to another when changing auth providers. +With [protected roles](/docs/grafana//setup-grafana/configure-access/configure-authentication/#protected-roles), you can define user roles that are exempt from being converted from one authentication type to another when changing auth providers. ## Enterprise features diff --git a/docs/sources/setup-grafana/configure-security/planning-iam-strategy/index.md b/docs/sources/setup-grafana/configure-access/_index.md similarity index 74% rename from docs/sources/setup-grafana/configure-security/planning-iam-strategy/index.md rename to docs/sources/setup-grafana/configure-access/_index.md index e4a44e54ed6..63f14286dc0 100644 --- a/docs/sources/setup-grafana/configure-security/planning-iam-strategy/index.md +++ b/docs/sources/setup-grafana/configure-access/_index.md @@ -1,8 +1,11 @@ --- +aliases: + - ../setup-grafana/configure-security/planning-iam-strategy/ # /docs/grafana//setup-grafana/configure-security/planning-iam-strategy/ + - ./configure-security/planning-iam-strategy/ # /docs/grafana/next/setup-grafana/configure-security/planning-iam-strategy/ title: Plan your IAM integration strategy -menuTitle: Plan your IAM integration strategy +menuTitle: Configure access management description: Learn how to plan your identity and access management strategy before setting up Grafana. -weight: 100 +weight: 700 keywords: - IdP - IAM 
@@ -12,7 +15,7 @@ keywords: # Plan your IAM integration strategy -This section describes the decisions you should make when using an Identity and Access Management (IAM) provider to manage access to Grafana. IAM ensures that users have secure access to sensitive data and [other resources](../../../administration/data-source-management/), simplifying user management and authentication. +This section describes the decisions you should make when using an Identity and Access Management (IAM) provider to manage access to Grafana. IAM ensures that users have secure access to sensitive data and [other resources](../../administration/data-source-management/), simplifying user management and authentication. ## Benefits of integrating with an IAM provider @@ -33,12 +36,12 @@ In order to plan an integration with Grafana, assess your organization's current As a first step, determine how you want to manage users who will access Grafana. Do you already use an identity provider to manage users? If so, Grafana might be able to integrate with your identity provider through one of our IdP integrations. -Refer to [Configure authentication documentation](../configure-authentication/) for the list of supported providers. +Refer to [Configure authentication documentation](../configure-access/configure-authentication/) for the list of supported providers. If you are not interested in setting up an external identity provider, but still want to limit access to your Grafana instance, consider using Grafana's basic authentication. Finally, if you want your Grafana instance to be accessible to everyone, you can enable anonymous access to Grafana. -For information, refer to the [anonymous authentication documentation](../configure-authentication/#anonymous-authentication). +For information, refer to the [anonymous authentication documentation](../configure-access/configure-authentication/#anonymous-authentication). ## Ways to organize users 
@@ -51,7 +54,7 @@ Organize users in subgroups that are sensible to the organization. For example: ### Users in Grafana teams -You can organize users into [teams](../../../administration/team-management/) and assign them roles and permissions reflecting the current organization. For example, instead of assigning five users access to the same dashboard, you can create a team of those users and assign dashboard permissions to the team. +You can organize users into [teams](../../administration/team-management/) and assign them roles and permissions reflecting the current organization. For example, instead of assigning five users access to the same dashboard, you can create a team of those users and assign dashboard permissions to the team. A user can belong to multiple teams and be a member or an administrator for a given team. Team members inherit permissions from the team but cannot edit the team itself. Team administrators can add members to a team and update its settings, such as the team name, team members, roles assigned, and UI preferences. 
@@ -59,17 +62,17 @@ Teams are a perfect solution for working with a subset of users. Teams can share ### Users in Grafana organizations -[Grafana organizations](../../../administration/organization-management/) allow complete isolation of resources, such as dashboards and data sources. Users can be members of one or several organizations, and they can only access resources from an organization they belong to. +[Grafana organizations](../../administration/organization-management/) allow complete isolation of resources, such as dashboards and data sources. Users can be members of one or several organizations, and they can only access resources from an organization they belong to. Having multiple organizations in a single instance of Grafana lets you manage your users in one place while completely separating resources. -Organizations provide a higher measure of isolation within Grafana than teams do and can be helpful in certain scenarios. However, because organizations lack the scalability and flexibility of teams and [folders](../../../dashboards/manage-dashboards/#create-a-dashboard-folder), we do not recommend using them as the default way to group users and resources. +Organizations provide a higher measure of isolation within Grafana than teams do and can be helpful in certain scenarios. However, because organizations lack the scalability and flexibility of teams and [folders](../../dashboards/manage-dashboards/#create-a-dashboard-folder), we do not recommend using them as the default way to group users and resources. Note that Grafana Cloud does not support having more than 1 organizations per instance. ### Choosing between teams and organizations -[Grafana teams](../../../administration/team-management/) and Grafana organizations serve similar purposes in the Grafana platform. Both are designed to help group users and manage and control access to resources. 
+[Grafana teams](../../administration/team-management/) and Grafana organizations serve similar purposes in the Grafana platform. Both are designed to help group users and manage and control access to resources. Teams provide more flexibility, as resources can be accessible by multiple teams, and team creation and management are simple. @@ -106,7 +109,7 @@ A common use case for creating a service account is to perform operations on aut - Set up an external SAML authentication provider - Interact with Grafana without signing in as a user -In [Grafana Enterprise](../../../introduction/grafana-enterprise/), you can also use service accounts in combination with [role-based access control](../../../administration/roles-and-permissions/access-control/) to grant very specific permissions to applications that interact with Grafana. +In [Grafana Enterprise](../../introduction/grafana-enterprise/), you can also use service accounts in combination with [role-based access control](../../administration/roles-and-permissions/access-control/) to grant very specific permissions to applications that interact with Grafana. {{< admonition type="note" >}} Service accounts can only act in the organization they are created for. We recommend creating service accounts in each organization if you have the same task needed for multiple organizations. 
@@ -141,7 +144,7 @@ You can assign roles through the user interface or APIs, establish them through ### What are roles? -Within an organization, Grafana has established three primary [organization roles](../../../administration/roles-and-permissions/#organization-roles) - organization administrator, editor, and viewer - which dictate the user's level of access and permissions, including the ability to edit data sources or create teams. Grafana also has an empty role that you can start with and to which you can gradually add custom permissions. +Within an organization, Grafana has established three primary [organization roles](../../administration/roles-and-permissions/#organization-roles) - organization administrator, editor, and viewer - which dictate the user's level of access and permissions, including the ability to edit data sources or create teams. Grafana also has an empty role that you can start with and to which you can gradually add custom permissions. To be a member of any organization, every user must be assigned a role. In addition, Grafana provides a server administrator role that grants access to and enables interaction with resources that affect the entire instance, including organizations, users, and server-wide settings. 
@@ -149,23 +152,23 @@ This particular role can only be accessed by users of self-hosted Grafana instan ### What are permissions? -Each role consists of a set of [permissions](../../../administration/roles-and-permissions/#dashboard-permissions) that determine the tasks a user can perform in the system. +Each role consists of a set of [permissions](../../administration/roles-and-permissions/#dashboard-permissions) that determine the tasks a user can perform in the system. For example, the **Admin** role includes permissions that let an administrator create and delete users. Grafana allows for precise permission settings on both dashboards and folders, giving you the ability to control which users and teams can view, edit, and administer them. For example, you might want a certain viewer to be able to edit a dashboard. While that user can see all dashboards, you can grant them access to update only one of them. -In [Grafana Enterprise](../../../introduction/grafana-enterprise/), you can also grant granular permissions for data sources to control who can query and edit them. +In [Grafana Enterprise](../../introduction/grafana-enterprise/), you can also grant granular permissions for data sources to control who can query and edit them. Dashboard, folder, and data source permissions can be set through the UI or APIs or provisioned through Terraform. ### Role-based access control {{< admonition type="note" >}} -Available in [Grafana Enterprise](../../../introduction/grafana-enterprise/) and [Grafana Cloud](/docs/grafana-cloud/). +Available in [Grafana Enterprise](../../introduction/grafana-enterprise/) and [Grafana Cloud](/docs/grafana-cloud/). {{< /admonition >}} -If you think that the basic organization and server administrator roles are too limiting, it might be beneficial to employ [role-based access control (RBAC)](../../../administration/roles-and-permissions/access-control/). 
+If you think that the basic organization and server administrator roles are too limiting, it might be beneficial to employ [role-based access control (RBAC)](../../administration/roles-and-permissions/access-control/). RBAC is a flexible approach to managing user access to Grafana resources, including users, data sources, and reports. It enables easy granting, changing, and revoking of read and write access for users. RBAC comes with pre-defined roles, such as data source writer, which allows updating, reading, or querying all data sources. @@ -182,7 +185,7 @@ When connecting Grafana to an identity provider, it's important to think beyond Team sync is a feature that allows you to synchronize teams or groups from your authentication provider with teams in Grafana. This means that users of specific teams or groups in LDAP, OAuth, or SAML will be automatically added or removed as members of corresponding teams in Grafana. Whenever a user logs in, Grafana will check for any changes in the teams or groups of the authentication provider and update the user's teams in Grafana accordingly. This makes it easy to manage user permissions across multiple systems. {{< admonition type="note" >}} -Available in [Grafana Enterprise](../../../introduction/grafana-enterprise/) and to customers on select Grafana Cloud plans. For pricing information, visit [pricing](https://grafana.com/pricing/) or contact our sales team. +Available in [Grafana Enterprise](../../introduction/grafana-enterprise/) and to customers on select Grafana Cloud plans. For pricing information, visit [pricing](https://grafana.com/pricing/) or contact our sales team. {{< /admonition >}} {{< admonition type="note" >}} 
@@ -191,22 +194,20 @@ Team synchronization occurs only when a user logs in. However, if you are using ### Role Sync -Grafana can synchronize basic roles from your authentication provider by mapping attributes from the identity provider to the user role in Grafana. This means that users with specific attributes, like role, team, or group membership in LDAP, OAuth, or SAML, will be automatically assigned the corresponding role in Grafana. Whenever a user logs in, Grafana will check for any changes in the user information retrieved from the authentication provider and update the user's role in Grafana accordingly. +Grafana can synchronize basic roles from your authentication provider by mapping attributes from the identity provider to the user role in Grafana. This means that users with specific attributes, like role, team, or group membership in LDAP, OAuth, or SAML, can be automatically assigned the corresponding role in Grafana. Whenever a user logs in, Grafana checks for any changes in the user information retrieved from the authentication provider and updates the user's role in Grafana accordingly. ### Organization sync Organization sync is the process of binding all the users from an organization in Grafana. This delegates the role of managing users to the identity provider. This way, there's no need to manage user access from Grafana because the identity provider will be queried whenever a new user tries to log in. -With organization sync, users from identity provider groups can be assigned to corresponding Grafana organizations. This functionality is similar to role sync but with the added benefit of specifying the organization that a user belongs to for a particular identity provider group. Please note that this feature is only available for self-hosted Grafana instances, as Cloud Grafana instances have a single organization limit. +With organization sync, you can assign users from identity provider groups to corresponding Grafana organizations. 
This functionality is similar to role sync but with the added benefit of specifying the organization that a user belongs to for a particular identity provider group. Please note that this feature is only available for self-hosted Grafana instances, as Cloud Grafana instances have a single organization limit. {{< admonition type="note" >}} -Organization sync is currently only supported for SAML and LDAP. -{{< /admonition >}} -{{< admonition type="note" >}} -You don't need to invite users through Grafana when syncing with Organization sync. -{{< /admonition >}} +The following applies: + +- Organization sync is currently only supported for SAML and LDAP. +- You can only map basic roles with Organization sync. +- You don't need to invite users through Grafana when syncing with Organization sync. -{{< admonition type="note" >}} -Currently, only basic roles can be mapped via Organization sync. {{< /admonition >}} diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/_index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/_index.md similarity index 96% rename from docs/sources/setup-grafana/configure-security/configure-authentication/_index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/_index.md index 821ad95a9ef..61e266f7a65 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/_index.md 
@@ -1,16 +1,17 @@ --- aliases: - - ../../auth/ - - ../../auth/overview/ -description: Learn about all the ways in which you can configure Grafana to authenticate - users. + - ../../auth/ # /docs/grafana/next/auth/ + - ../../auth/overview/ # /docs/grafana/next/auth/overview/ + - ../setup-grafana/configure-security/configure-authentication/ # /docs/grafana/next/setup-grafana/setup-grafana/configure-security/configure-authentication/ + - ../configure-security/configure-authentication/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/ +description: Learn about all the ways in which you can configure Grafana to authenticate users. labels: products: - cloud - enterprise - oss title: Configure authentication -weight: 200 +weight: 100 --- # Configure authentication @@ -23,7 +24,7 @@ The following table shows all supported authentication methods and the features | :---------------------------------- | :---------------- | :----------- | :----------- | :-------------------- | :-------- | :------------- | :---------- | :------------------- | :--------- | :------------ | :----------- | | [Anonymous access](anonymous-auth/) | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | | [Auth Proxy](auth-proxy/) | no | yes | yes | no | yes | no | N/A | no | N/A | N/A | N/A | -| [Azure AD OAuth](azuread/) | yes | yes | yes | yes | yes | yes | N/A | yes | yes | yes | N/A | +| [Entra ID OAuth](azuread/) | yes | yes | yes | yes | yes | yes | N/A | yes | yes | yes | N/A | | [Basic auth](grafana/) | yes | N/A | yes | yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A | | [Passwordless auth](passwordless/) | yes | N/A | yes | yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A | | [Generic OAuth](generic-oauth/) | yes | yes | yes | yes | yes | no | N/A | yes | yes | yes | N/A | 
@@ -58,7 +59,7 @@ Fields explanation: **Single Logout:** Logging out from Grafana also logs you out of provider session -**SCIM support:** Support for SCIM provisioning. Supported Identity Providers are Azure AD and Okta. +**SCIM support:** Support for SCIM provisioning. Supported Identity Providers are Entra ID and Okta. ## Configuring multiple identity providers @@ -83,7 +84,7 @@ To enable this option, refer to the [Enable email lookup](#enable-email-lookup) Grafana and the Grafana Cloud portal currently do not include built-in support for multi-factor authentication (MFA). -We strongly recommend integrating an external identity provider (IdP) that supports MFA, such as Okta, Azure AD, or Google Workspace. By configuring your Grafana instances to use an external IdP, you can leverage MFA to protect your accounts and resources effectively. +We strongly recommend integrating an external identity provider (IdP) that supports MFA, such as Okta, Entra ID, or Google Workspace. By configuring your Grafana instances to use an external IdP, you can leverage MFA to protect your accounts and resources effectively. ## Login and short-lived tokens diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/anonymous-auth/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/anonymous-auth/index.md similarity index 83% rename from docs/sources/setup-grafana/configure-security/configure-authentication/anonymous-auth/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/anonymous-auth/index.md index 4538d36fd7e..77df611f904 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/anonymous-auth/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/anonymous-auth/index.md 
@@ -1,6 +1,8 @@ --- aliases: - - ../../../auth/anonymous-auth/ + - ../../../auth/anonymous-auth/ # /docs/grafana/next/auth/anonymous-auth/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/anonymous-auth/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/anonymous-auth/ + - ../../configure-security/configure-authentication/anonymous-auth/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/anonymous-auth/ description: Learn how to configure anonymous access in Grafana labels: products: diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/auth-proxy/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/auth-proxy/index.md similarity index 96% rename from docs/sources/setup-grafana/configure-security/configure-authentication/auth-proxy/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/auth-proxy/index.md index a379eb82d52..9a79b026fbd 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/auth-proxy/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/auth-proxy/index.md @@ -1,7 +1,9 @@ --- aliases: - - ../../../auth/auth-proxy/ - - ../../../tutorials/authproxy/ + - ../../../auth/auth-proxy/ # /docs/grafana/next/auth/auth-proxy/ + - ../../../tutorials/authproxy/ # /docs/grafana/next/tutorials/authproxy/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/authproxy/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/authproxy/ + - ../../configure-security/configure-authentication/auth-proxy/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/auth-proxy/ description: Grafana Auth Proxy Guide keywords: - grafana 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/enhanced-ldap/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/enhanced-ldap/index.md similarity index 88% rename from docs/sources/setup-grafana/configure-security/configure-authentication/enhanced-ldap/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/enhanced-ldap/index.md index 92eecc0caaa..284de0e86b0 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/enhanced-ldap/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/enhanced-ldap/index.md @@ -1,7 +1,9 @@ --- aliases: - - ../../../enterprise/enhanced_ldap/ - - ../../../auth/enhanced_ldap/ + - ../../../enterprise/enhanced_ldap/ # /docs/grafana/next/enterprise/enhanced_ldap/ + - ../../../auth/enhanced_ldap/ # /docs/grafana/next/auth/enhanced_ldap/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/enhanced_ldap/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/enhanced_ldap/ + - ../../configure-security/configure-authentication/enhanced-ldap/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/enhanced-ldap/ description: Grafana Enhanced LDAP Integration Guide keywords: - grafana 
@@ -41,7 +43,7 @@ Grafana keeps track of all synchronized users in teams, and you can see which us This mechanism allows Grafana to remove an existing synchronized user from a team when its LDAP group membership changes. This mechanism also allows you to manually add a user as member of a team, and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships. -[Learn more about team sync.](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-team-sync) +[Learn more about team sync.](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync)
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/entraid/index.md similarity index 98% rename from docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/entraid/index.md index 6cdda56ad07..8e2e831798e 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/entraid/index.md @@ -1,7 +1,10 @@ --- aliases: - - ../../../auth/azuread/ -description: Grafana Azure AD OAuth Guide + - ../../../auth/azuread/ # /docs/grafana/next/auth/azuread/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/azuread/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/azuread/ + - ../../configure-security/configure-authentication/azuread/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/azuread/ + - ./azuread/ # /docs/grafana/next/setup-grafana/configure-access/configure-authentication/azuread/ +description: Grafana Entra ID OAuth Guide keywords: - grafana - configuration 
@@ -80,7 +83,7 @@ To enable the Entra ID OAuth, register your application with Entra ID. {{< /admonition >}} - **_Workload Identity (K8s/AKS)_** - 1. Refer to [Federated identity credential for an Azure AD application](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html#azure-portal-ui) for a complete guide on setting up a federated credential for workload identity. + 1. Refer to [Federated identity credential for an Entra ID application](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html#azure-portal-ui) for a complete guide on setting up a federated credential for workload identity. Add a new entry under Federated credentials with the following configuration. - Federated credential scenario: Select **Kubernetes accessing Azure resources**. - [Cluster issuer URL](https://learn.microsoft.com/en-us/azure/aks/use-oidc-issuer#get-the-oidc-issuer-url): The OIDC issuer URL that your cluster is integrated with. For example: `https://{region}.oic.prod-aks.azure.com/{tenant_id}/{uuid}`. 
@@ -95,7 +98,7 @@ To enable the Entra ID OAuth, register your application with Entra ID. 1. You may optionally set `workload_identity_token_file` (env var `GF_AUTH_AZUREAD_WORKLOAD_IDENTITY_TOKEN_FILE`) under `[auth.azuread]` to `/var/run/secrets/azure/tokens/azure-identity-token` in the Grafana server configuration for this to work. (Optional, defaults to `/var/run/secrets/azure/tokens/azure-identity-token`) - 1. You must have set `client_id` (env var `GF_AUTH_AZUREAD_CLIENT_ID`) under `[auth.azuread]` in the Grafana server configuration for this to work. This must match the Entra ID/Azure AD App Registration Application (client) ID. + 1. You must have set `client_id` (env var `GF_AUTH_AZUREAD_CLIENT_ID`) under `[auth.azuread]` in the Grafana server configuration for this to work. This must match the Entra ID/Entra ID App Registration Application (client) ID. 1. You must have set `token_url` (env var `GF_AUTH_AZUREAD_TOKEN_URL`) under `[auth.azuread]` to `https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token` in the Grafana server configuration for this to work. 
@@ -228,7 +231,7 @@ Ensure that you have followed the steps in [Create the Microsoft Entra ID applic ## Configure Entra ID authentication client using the Grafana UI -As a Grafana Admin, you can configure your Entra ID OAuth client from within Grafana using the Grafana UI. To do this, navigate to the **Administration > Authentication > Azure AD** page and fill in the form. If you have a current configuration in the Grafana configuration file, the form will be pre-populated with those values. Otherwise the form will contain default values. +As a Grafana Admin, you can configure your Entra ID OAuth client from within Grafana using the Grafana UI. To do this, navigate to the **Administration > Authentication > Entra ID** page and fill in the form. If you have a current configuration in the Grafana configuration file, the form will be pre-populated with those values. Otherwise the form will contain default values. After you have filled in the form, click **Save** to save the configuration. If the save was successful, Grafana will apply the new configurations. @@ -244,7 +247,7 @@ If you run Grafana in high availability mode, configuration changes may not get resource "grafana_sso_settings" "azuread_sso_settings" { provider_name = "azuread" oauth2_settings { - name = "Azure AD" + name = "Entra ID" auth_url = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize" token_url = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token" client_authentication = "CLIENT_AUTHENTICATION_OPTION" @@ -422,7 +425,7 @@ the correct teams. You can reference Entra ID groups by group object ID, like `8bab1c86-8fba-33e5-2089-1d1c80ec267d`. -To learn more, refer to the [Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-team-sync) documentation. +To learn more, refer to the [Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync) documentation. ## Common troubleshooting 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/generic-oauth/index.md similarity index 98% rename from docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/generic-oauth/index.md index c3ad98f81b7..f52a194c572 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/generic-oauth/index.md @@ -1,6 +1,8 @@ --- aliases: - - ../../../auth/generic-oauth/ + - ../../../auth/generic-oauth/ # /docs/grafana/next/auth/generic-oauth/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/generic-oauth/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/generic-oauth/ + - ../../configure-security/configure-authentication/generic-oauth/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/generic-oauth/ description: Configure Generic OAuth authentication keywords: - grafana @@ -23,7 +25,7 @@ weight: 700 Grafana provides OAuth2 integrations for the following auth providers: -- [Azure AD OAuth](../azuread/) +- [Entra ID OAuth](../azuread/) - [GitHub OAuth](../github/) - [GitLab OAuth](../gitlab/) - [Google OAuth](../google/) 
@@ -44,7 +46,7 @@ To follow this guide: - If you are using refresh tokens, ensure you know how to set them up with your OAuth2 provider. Consult the documentation of your OAuth2 provider for more information. {{< admonition type="note" >}} -If Users use the same email address in Azure AD that they use with other authentication providers (such as Grafana.com), you need to do additional configuration to ensure that the users are matched correctly. Please refer to the [Using the same email address to login with different identity providers](../#using-the-same-email-address-to-login-with-different-identity-providers) documentation for more information. +If Users use the same email address in Entra ID that they use with other authentication providers (such as Grafana.com), you need to do additional configuration to ensure that the users are matched correctly. Please refer to the [Using the same email address to login with different identity providers](../#using-the-same-email-address-to-login-with-different-identity-providers) documentation for more information. {{< /admonition >}} ## Configure generic OAuth authentication client using the Grafana UI @@ -119,7 +121,7 @@ To integrate your OAuth2 provider with Grafana using our Generic OAuth authentic c. Enable the refresh token on the provider if required. 1. [Configure role mapping](#configure-role-mapping). -1. Optional: [Configure team synchronization](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync/). 1. Restart Grafana. You should now see a Generic OAuth login button on the login page and be able to log in or sign up with your OAuth2 provider. 
@@ -349,7 +351,7 @@ Generic OAuth groups can be referenced by group ID, such as `8bab1c86-8fba-33e5- Group information can be extracted from the OAuth2 ID token, user information from the UserInfo endpoint, or the OAuth2 access token. For information on configuring OAuth2 groups with Grafana using the `groups_attribute_path` configuration option, refer to [configuration options](#configuration-options). -To learn more about Team Sync, refer to [Configure team sync](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-team-sync/). +To learn more about Team Sync, refer to [Configure team sync](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync/). ### Team synchronization example diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/github/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/github/index.md similarity index 98% rename from docs/sources/setup-grafana/configure-security/configure-authentication/github/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/github/index.md index c11ef4fd3ab..7675d739951 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/github/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/github/index.md @@ -1,6 +1,8 @@ --- aliases: - - ../../../auth/github/ + - ../../../auth/github/ # /docs/grafana/next/auth/github/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/github/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/github/ + - ../../configure-security/configure-authentication/github/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/github/ description: Configure GitHub OAuth authentication keywords: - grafana 
@@ -102,7 +104,7 @@ To configure GitHub authentication with Grafana, follow these steps: Review the list of other GitHub [configuration options](#configuration-options) and complete them, as necessary. 1. [Configure role mapping](#configure-role-mapping). -1. Optional: [Configure team synchronization](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-team-sync/). +1. Optional: [Configure team synchronization](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync/). 1. Restart Grafana. You should now see a GitHub login button on the login page and be able to log in or sign up with your GitHub accounts. @@ -224,7 +226,7 @@ GitHub teams can be referenced in two ways: Examples: `https://github.com/orgs/grafana/teams/developers` or `@grafana/developers`. -To learn more about Team Sync, refer to [Configure team sync](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-team-sync/). +To learn more about Team Sync, refer to [Configure team sync](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync/). ## Configuration options diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/gitlab/index.md similarity index 98% rename from docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/gitlab/index.md index ac45c634599..913df8f4792 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/gitlab/index.md 
@@ -1,6 +1,8 @@ --- aliases: - - ../../../auth/gitlab/ + - ../../../auth/gitlab/ # /docs/grafana/next/auth/gitlab/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/gitlab/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/gitlab/ + - ../../configure-security/configure-authentication/gitlab/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/gitlab/ description: Grafana GitLab OAuth Guide keywords: - grafana @@ -110,7 +112,7 @@ To configure GitLab authentication with Grafana, follow these steps: a. Set `use_refresh_token` to `true` in `[auth.gitlab]` section in Grafana configuration file. 1. [Configure role mapping](#configure-role-mapping). -1. Optional: [Configure team synchronization](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-team-sync/). +1. Optional: [Configure team synchronization](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync/). 1. Restart Grafana. You should now see a GitLab login button on the login page and be able to log in or sign up with your GitLab accounts. @@ -246,7 +248,7 @@ GitLab groups are referenced by the group name. For example, `developers`. To re Note that in GitLab, the group or subgroup name does not always match its display name, especially if the display name contains spaces or special characters. Make sure you always use the group or subgroup name as it appears in the URL of the group or subgroup. -To learn more about Team Sync, refer to [Configure team sync](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-team-sync/). +To learn more about Team Sync, refer to [Configure team sync](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync/). ## Configuration options 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/google/index.md similarity index 98% rename from docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/google/index.md index 367d05c068d..df0cc342d38 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/google/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/google/index.md @@ -1,6 +1,8 @@ --- aliases: - - ../../../auth/google/ + - ../../../auth/google/ # /docs/grafana/next/auth/google/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/google/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/google/ + - ../../configure-security/configure-authentication/google/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/google/ description: Grafana Google OAuth Guide labels: products: @@ -182,7 +184,7 @@ To set up team sync for Google OAuth: 1. Configure team sync in your Grafana team's `External group sync` tab. The external group ID for a Google group is the group's email address, such as `dev@grafana.com`. -To learn more about Team Sync, refer to [Configure Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-team-sync/). +To learn more about Team Sync, refer to [Configure Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync/). #### Configure allowed groups 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/grafana-cloud/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/grafana-cloud/index.md similarity index 80% rename from docs/sources/setup-grafana/configure-security/configure-authentication/grafana-cloud/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/grafana-cloud/index.md index c2b2e25eb0b..26131240580 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/grafana-cloud/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/grafana-cloud/index.md @@ -1,6 +1,8 @@ --- aliases: - - ../../../auth/grafana-cloud/ + - ../../../auth/grafana-cloud/ # /docs/grafana/next/auth/grafana-cloud/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/grafana-cloud/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/grafana-cloud/ + - ../../configure-security/configure-authentication/grafana-cloud/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/grafana-cloud/ description: Grafana Cloud Authentication labels: products: diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/grafana/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/grafana/index.md similarity index 77% rename from docs/sources/setup-grafana/configure-security/configure-authentication/grafana/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/grafana/index.md index 5b538ab4753..1d0b18d3a67 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/grafana/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/grafana/index.md 
@@ -1,6 +1,8 @@ --- aliases: - - ../../../auth/grafana/ + - ../../../auth/grafana/ # /docs/grafana/next/auth/grafana/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/grafana/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/grafana/ + - ../../configure-security/configure-authentication/grafana/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/grafana/ description: Learn how to configure basic authentication in Grafana labels: products: diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/jwt/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/jwt/index.md similarity index 96% rename from docs/sources/setup-grafana/configure-security/configure-authentication/jwt/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/jwt/index.md index a6de78e495c..3c60087bc0f 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/jwt/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/jwt/index.md @@ -1,6 +1,8 @@ --- aliases: - - ../../../auth/jwt/ + - ../../../auth/jwt/ # /docs/grafana/next/auth/jwt/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/jwt/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/jwt/ + - ../../configure-security/configure-authentication/jwt/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/jwt/ description: Grafana JWT Authentication labels: products: 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/keycloak-multitenant/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/keycloak-multitenant/index.md similarity index 77% rename from docs/sources/setup-grafana/configure-security/configure-authentication/keycloak-multitenant/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/keycloak-multitenant/index.md index 6302f650b96..10ec9783df6 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/keycloak-multitenant/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/keycloak-multitenant/index.md @@ -1,4 +1,7 @@ --- +aliases: + - ../../configure-security/setup-grafana/configure-security/configure-authentication/keycloak-multitenant/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/keycloak-multitenant/ + - ../../configure-security/configure-authentication/keycloak-multitenant/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/keycloak-multitenant/ description: Multiple providers with Keycloak keywords: - grafana 
@@ -26,21 +29,21 @@ This guide explains how to set up multiple providers of the same type with Keycl The idea is to set up multiple OIDC providers in Keycloak with different tenants and configure Grafana to use the same Keycloak instance as the authentication provider. -## Azure AD configuration +## Entra ID configuration -For Azure AD, repeat the following steps for each tenant you want to set up in Keycloak. +For Entra ID, repeat the following steps for each tenant you want to set up in Keycloak. ### Overview -1. Register your application in Azure AD. +1. Register your application in Entra ID. 1. Give access to the application to the users in the tenant. 1. Create credentials for the application. 1. Configure the application in Keycloak. 1. Configure Grafana to use Keycloak. -#### Register your application in Azure AD +#### Register your application in Entra ID -Registering an application in Azure AD is a one-time process. You can follow the steps in the [Azure AD documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) to register your application. +Registering an application in Entra ID is a one-time process. You can follow the steps in the [Entra ID documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) to register your application. 1. Go to the Azure portal and ensure you are using the correct tenant also known as directory. 1. Search for **App Registrations** and click on **New registration**. @@ -56,7 +59,7 @@ Assigning the correct access to users ensures only intended users or groups have #### Create credentials for the application -To authenticate with Azure AD, the Keycloak application needs a client ID and client secret. +To authenticate with Entra ID, the Keycloak application needs a client ID and client secret. 1. Search for **App Registrations** and look for the application ypu just created. 1. Click on **Certificates & Secrets**. 
@@ -65,7 +68,7 @@ To authenticate with Azure AD, the Keycloak application needs a client ID and cl #### Configure the application in Keycloak 1. Go to the Keycloak admin console. -1. Go to the Realm where you want to configure the Azure AD tenant. +1. Go to the Realm where you want to configure the Entra ID tenant. 1. Go to the Identity Providers section and click on **Add provider**. 1. Select **OpenID Connect v1.0**. 1. Select a unique **Alias** and **Display name**. 
@@ -83,13 +86,13 @@ To authenticate with Azure AD, the Keycloak application needs a client ID and cl 1. Click Add. {{< admonition type="note" >}} -Up to this point, you have created an App Registration in Azure AD, assigned users to the application, created credentials for the application, and configured the application in Keycloak. In the Keycloak Client's section, the client with ID `account` Home URL can be used to test the configuration. This will open a new tab where you can login into the correct Keycloak realm with the Azure AD tenant you just configured. +Up to this point, you have created an App Registration in Entra ID, assigned users to the application, created credentials for the application, and configured the application in Keycloak. In the Keycloak Client's section, the client with ID `account` Home URL can be used to test the configuration. This will open a new tab where you can login into the correct Keycloak realm with the Entra ID tenant you just configured. {{< /admonition >}} -Repeat this steps, for every Azure AD tenant you want to configure in Keycloak. +Repeat this steps, for every Entra ID tenant you want to configure in Keycloak. #### Configure Grafana to use Keycloak -Now that the Azure AD tenants are configured in Keycloak, you can configure Grafana to use Keycloak as the authentication provider. +Now that the Entra ID tenants are configured in Keycloak, you can configure Grafana to use Keycloak as the authentication provider. Refer to the [Keycloak documentation](https://grafana.com/docs/grafana/latest/auth/keycloak/) to configure Grafana to use Keycloak as the authentication provider. 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/keycloak/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/keycloak/index.md similarity index 85% rename from docs/sources/setup-grafana/configure-security/configure-authentication/keycloak/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/keycloak/index.md index 6425eb09db7..6a9f6488994 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/keycloak/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/keycloak/index.md @@ -1,6 +1,8 @@ --- aliases: - - ../../../auth/keycloak/ + - ../../../auth/keycloak/ # /docs/grafana/next/auth/keycloak/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/keycloak/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/keycloak/ + - ../../configure-security/configure-authentication/keycloak/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/keycloak/ description: Grafana Keycloak Guide keywords: - grafana 
@@ -25,7 +27,7 @@ Keycloak OAuth2 authentication allows users to log in to Grafana using their Key Refer to [Generic OAuth authentication](../generic-oauth/) for extra configuration options available for this provider. {{< admonition type="note" >}} -If Users use the same email address in Keycloak that they use with other authentication providers (such as Grafana.com), you need to do additional configuration to ensure that the users are matched correctly. Please refer to the [Using the same email address to login with different identity providers](../#using-the-same-email-address-to-login-with-different-identity-providers) documentation for more information. +If you use the same email address in Keycloak as in other authentication providers (such as Grafana.com), you need to do additional configuration to ensure that the users are matched correctly. Please refer to the [Using the same email address to login with different identity providers](../#using-the-same-email-address-to-login-with-different-identity-providers) documentation for more information. {{< /admonition >}} You may have to set the `root_url` option of `[server]` for the callback URL to be 
@@ -112,7 +114,7 @@ viewer Available in [Grafana Enterprise](https://grafana.com/docs/grafana//introduction/grafana-enterprise/) and to customers on select Grafana Cloud plans. For pricing information, visit [pricing](https://grafana.com/pricing/) or contact our sales team. {{< /admonition >}} -[Teamsync](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-team-sync/) is a feature that allows you to map groups from your identity provider to Grafana teams. This is useful if you want to give your users access to specific dashboards or folders based on their group membership. +[Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync/) is a feature that allows you to map groups from your identity provider to Grafana teams. This is useful if you want to give your users access to specific dashboards or folders based on their group membership. To enable teamsync, you need to add a `groups` mapper to the client configuration in Keycloak. This will add the `groups` claim to the id_token. You can then use the `groups` claim to map groups to teams in Grafana. diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/ldap-ui/_index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/ldap-ui/_index.md similarity index 92% rename from docs/sources/setup-grafana/configure-security/configure-authentication/ldap-ui/_index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/ldap-ui/_index.md index ea8ec60d0f5..2d749dad98e 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/ldap-ui/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/ldap-ui/_index.md 
@@ -1,6 +1,8 @@ --- aliases: - - ../../../auth/enhanced-ldap/ + - ../../../auth/enhanced-ldap/ # /docs/grafana/next/auth/enhanced-ldap/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/ldap-ui/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/ldap-ui/ + - ../../configure-security/configure-authentication/ldap-ui/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/ldap-ui/ description: Learn about configuring LDAP authentication in Grafana using the Grafana UI. labels: products: diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/ldap/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/ldap/index.md similarity index 96% rename from docs/sources/setup-grafana/configure-security/configure-authentication/ldap/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/ldap/index.md index fac378a498c..0a7dd45e585 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/ldap/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/ldap/index.md @@ -1,7 +1,9 @@ --- aliases: - - ../../../auth/ldap/ - - ../../../installation/ldap/ + - ../../../auth/ldap/ # /docs/grafana/next/auth/ldap/ + - ../../../installation/ldap/ # /docs/grafana/next/installation/ldap/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/ldap/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/ldap/ + - ../../configure-security/configure-authentication/ldap/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/ldap/ description: Grafana LDAP Authentication Guide labels: products: 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/okta/index.md similarity index 98% rename from docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/okta/index.md index 53618823a06..6cb2d7d13c8 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/okta/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/okta/index.md @@ -1,6 +1,8 @@ --- aliases: - - ../../../auth/okta/ + - ../../../auth/okta/ # /docs/grafana/next/auth/okta/ + - ../../configure-security/setup-grafana/configure-security/configure-authentication/okta/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/okta/ + - ../../configure-security/configure-authentication/okta/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/okta/ description: Grafana Okta OIDC Guide labels: products: @@ -246,7 +248,7 @@ the correct teams. Okta groups can be referenced by group names, like `Admins` or `Editors`. -To learn more about Team Sync, refer to [Configure Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-team-sync/). +To learn more about Team Sync, refer to [Configure Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync/). ## Configuration options 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/passwordless/index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/passwordless/index.md similarity index 79% rename from docs/sources/setup-grafana/configure-security/configure-authentication/passwordless/index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/passwordless/index.md index c5c0a744776..ef55d9bfdd8 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/passwordless/index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/passwordless/index.md @@ -1,4 +1,7 @@ --- +aliases: + - ../../configure-security/setup-grafana/configure-security/configure-authentication/passwordless/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/passwordless/ + - ../../configure-security/configure-authentication/passwordless/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/passwordless/ description: Learn how to configure passwordless authentication with magic links in Grafana labels: products: diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/_index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/_index.md similarity index 85% rename from docs/sources/setup-grafana/configure-security/configure-authentication/saml/_index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/saml/_index.md index 88ed97ec782..1b5f18c3802 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/_index.md 
@@ -8,8 +8,9 @@ aliases: - ../../../enterprise/saml/enable-saml/ # /docs/grafana/latest/enterprise/saml/enable-saml/ - ../../../enterprise/saml/set-up-saml-with-okta/ # /docs/grafana/latest/enterprise/saml/set-up-saml-with-okta/ - ../../../enterprise/saml/troubleshoot-saml/ # /docs/grafana/latest/enterprise/saml/troubleshoot-saml/ -description: Learn how to configure SAML authentication in Grafana's configuration - file. + - ../../configure-security/setup-grafana/configure-security/configure-authentication/saml/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/saml/ + - ../../configure-security/configure-authentication/saml/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/ +description: Learn how to configure SAML authentication in Grafana's configuration file. labels: products: - cloud 
@@ -31,14 +32,14 @@ You can configure SAML authentication in Grafana through one of the following me - Configure SAML using the [Grafana configuration file](#configure-saml-using-the-grafana-configuration-file) - Configure SAML using the [SSO Settings API](https://grafana.com/docs/grafana//developers/http_api/sso-settings/) -- Configure SAML using the [SAML user interface](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/saml-ui/) +- Configure SAML using the [SAML user interface](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/saml-ui/) - Configure SAML using the [Grafana Terraform provider](https://registry.terraform.io/providers/grafana/grafana//docs/resources/sso_settings) -If you are using Okta or Azure AD as Identity Provider, see the following documentation for configuration: +If you are using Okta or Entra ID as Identity Provider, see the following documentation for configuration: -- [Configure SAML with Azure AD](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-azuread/) -- [Configure SAML with Okta](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/) -- [Configure SAML with Okta catalog application](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/oin-application) +- [Configure SAML with Entra ID](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-azuread/) +- [Configure SAML with Okta](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/) +- [Configure SAML with Okta catalog application](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/oin-application) 
All methods offer the same configuration options. However, if you want to keep all of Grafana authentication settings in one place, use the Grafana configuration file or the Terraform provider. If you are a Grafana Cloud user, you do not have access to Grafana configuration file. Instead, configure SAML through the other methods. @@ -85,10 +86,10 @@ The integration provides two key endpoints as part of Grafana: 1. In the `[auth.saml]` section in the Grafana configuration file, set [`enabled`](/docs/grafana//setup-grafana/configure-grafana/enterprise-configuration/#enabled-3) to `true`. 2. Configure SAML options: - - Review all [available configuration options](/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/) + - Review all [available configuration options](/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/saml-configuration-options/) - For IdP-specific configuration, refer to: - - [Configure SAML with Okta](/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/) - - [Configure SAML with Entra ID](/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-azuread/) + - [Configure SAML with Okta](/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/) + - [Configure SAML with Entra ID](/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-azuread/) 3. Save the configuration file and then restart the Grafana server. When you are finished, the Grafana configuration might look like this example: 
@@ -178,14 +179,14 @@ By default, new Grafana users using SAML authentication will have an account cre ## Integrating with SCIM Provisioning -If you are also using SCIM provisioning for this Grafana application in Azure AD, it's crucial to align the user identifiers between SAML and SCIM for seamless operation. The unique identifier that links the SAML user to the SCIM provisioned user is determined by the `assertion_attribute_external_uid` setting in the Grafana SAML configuration. This `assertion_attribute_external_uid` should correspond to the `externalId` used in SCIM provisioning (typically set to the Azure AD `user.objectid`). +If you are also using SCIM provisioning for this Grafana application in Entra ID, it's crucial to align the user identifiers between SAML and SCIM for seamless operation. The unique identifier that links the SAML user to the SCIM provisioned user is determined by the `assertion_attribute_external_uid` setting in the Grafana SAML configuration. This `assertion_attribute_external_uid` should correspond to the `externalId` used in SCIM provisioning (typically set to the Entra ID `user.objectid`). 1. **Ensure Consistent Identifier in SAML Assertion:** - - The unique identifier from Azure AD (typically `user.objectid`) that you mapped to the `externalId` attribute in Grafana in your SCIM provisioning setup **must also be sent as a claim in the SAML assertion.** For more details on SCIM, refer to the [SCIM provisioning documentation](/docs/grafana//setup-grafana/configure-security/configure-scim-provisioning/). - - In the Azure AD Enterprise Application, under **Single sign-on** > **Attributes & Claims**, ensure you add a claim that provides this identifier. For example, you might add a claim named `UserID` (or similar, like `externalId`) that sources its value from `user.objectid`. 
+ - The unique identifier from Entra ID (typically `user.objectid`) that you mapped to the `externalId` attribute in Grafana in your SCIM provisioning setup **must also be sent as a claim in the SAML assertion.** For more details on SCIM, refer to the [SCIM provisioning documentation](/docs/grafana//setup-grafana/configure-access/configure-authentication/). + - In the Entra ID Enterprise Application, under **Single sign-on** > **Attributes & Claims**, ensure you add a claim that provides this identifier. For example, you might add a claim named `UserID` (or similar, like `externalId`) that sources its value from `user.objectid`. 2. **Configure Grafana SAML Settings for SCIM:** - - In the `[auth.saml]` section of your Grafana configuration, set `assertion_attribute_external_uid` to the name of the SAML claim you configured in the previous step (e.g., `userUID` or the full URI like `http://schemas.microsoft.com/identity/claims/objectidentifier` if that's how Azure AD sends it). + - In the `[auth.saml]` section of your Grafana configuration, set `assertion_attribute_external_uid` to the name of the SAML claim you configured in the previous step (e.g., `userUID` or the full URI like `http://schemas.microsoft.com/identity/claims/objectidentifier` if that's how Entra ID sends it). - The `assertion_attribute_login` setting should still be configured to map to the attribute your users will log in with (e.g., `userPrincipalName`, `mail`). _Example Grafana Configuration:_ 
@@ -197,20 +198,20 @@ If you are also using SCIM provisioning for this Grafana application in Azure AD assertion_attribute_external_uid = http://schemas.microsoft.com/identity/claims/objectidentifier # Or your custom claim name for user.objectid ``` - Ensure that the value specified in `assertion_attribute_external_uid` precisely matches the name of the claim as it's sent in the SAML assertion from Azure AD. + Ensure that the value specified in `assertion_attribute_external_uid` precisely matches the name of the claim as it's sent in the SAML assertion from Entra ID. -3. **SCIM Linking Identifier and Azure AD:** +3. **SCIM Linking Identifier and Entra ID:** - By default (if `assertion_attribute_external_uid` is not set), Grafana uses the `userUID` attribute from the SAML assertion for SCIM linking. - - **Recommended for Azure AD:** For SCIM integration with Azure AD, it is necessary to: - 1. Ensure Azure AD sends the `user.objectid` in a claim. - 2. Either set this claim name in Azure AD to `userUID`, or, if you want to use a different claim name, set `assertion_attribute_external_uid` in Grafana to match the claim name you chose in Azure AD. + - **Recommended for Entra ID:** For SCIM integration with Entra ID, it is necessary to: + 1. Ensure Entra ID sends the `user.objectid` in a claim. + 2. Either set this claim name in Entra ID to `userUID`, or, if you want to use a different claim name, set `assertion_attribute_external_uid` in Grafana to match the claim name you chose in Entra ID. ## Configure automatic login Set `auto_login` option to true to attempt login automatically, skipping the login screen. This setting is ignored if multiple auth providers are configured to use auto login. -For more information about automatic login behavior and troubleshooting, see [Automatic login](/docs/grafana//setup-grafana/configure-security/configure-authentication/#automatic-oauth-login). 
+For more information about automatic login behavior and troubleshooting, see [Automatic login](/docs/grafana//setup-grafana/configure-access/configure-authentication/#automatic-oauth-login). ``` auto_login = true 
@@ -248,9 +249,9 @@ IdP-initiated SSO has some security risks, so make sure you understand the risks For advanced configuration and troubleshooting, please refer to the one of the following pages: -- [Configure SAML signing and encryption](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/configure-saml-signing-encryption/) -- [Configure SAML single logout](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/configure-saml-single-logout/) -- [Configure Organization mapping](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/) -- [Configure Role and Team sync](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/configure-saml-team-role-mapping/) -- [SAML configuration options](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/) -- [Troubleshooting](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/troubleshoot-saml/) +- [Configure SAML request signing](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/configure-saml-signing-encryption/) +- [Configure SAML single logout](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/configure-saml-single-logout/) +- [Configure Organization mapping](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/configure-saml-org-mapping/) +- [Configure Role and Team sync](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/configure-saml-team-role-mapping/) +- [SAML configuration options](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/saml-configuration-options/) +- 
[Troubleshooting](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/troubleshoot-saml/) diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/_index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-org-mapping/_index.md similarity index 88% rename from docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/_index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-org-mapping/_index.md index 049f47b94f0..7243610cb36 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-org-mapping/_index.md @@ -1,4 +1,7 @@ --- +aliases: + - ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/ + - ../../../configure-security/configure-authentication/saml/configure-saml-org-mapping/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/ description: Learn how to configure SAML authentication in Grafana's UI. labels: products: 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-signing-encryption/_index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-signing-encryption/_index.md similarity index 86% rename from docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-signing-encryption/_index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-signing-encryption/_index.md index bbdedd6f5af..62d939014dc 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-signing-encryption/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-signing-encryption/_index.md @@ -1,4 +1,7 @@ --- +aliases: + - ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-signing-encryption/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-signing-encryption/ + - ../../../configure-security/configure-authentication/saml/configure-saml-signing-encryption/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-signing-encryption/ description: Learn how to configure SAML authentication in Grafana's UI. labels: products: 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-single-logout/_index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-single-logout/_index.md similarity index 69% rename from docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-single-logout/_index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-single-logout/_index.md index deda1759d5c..4eeca751d54 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-single-logout/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-single-logout/_index.md @@ -1,4 +1,7 @@ --- +aliases: + - ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-single-logout/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-single-logout/ + - ../../../configure-security/configure-authentication/saml/configure-saml-single-logout/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-single-logout/ description: Learn how to configure SAML authentication in Grafana's UI. labels: products: 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-team-role-mapping/_index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-team-role-mapping/_index.md similarity index 87% rename from docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-team-role-mapping/_index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-team-role-mapping/_index.md index ad4dab8cf00..e91bb944c84 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-team-role-mapping/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-team-role-mapping/_index.md @@ -1,4 +1,8 @@ --- +aliases: + - ../../../configure-access/configure-authentication/saml/configure-saml-team-role-mapping/ # /docs/grafana/next/configure-access/configure-authentication/saml/configure-saml-team-role-mapping/ + - ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-team-role-mapping/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-team-role-mapping/ + - ../../../configure-security/configure-authentication/saml/configure-saml-team-role-mapping/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-team-role-mapping/ description: Learn how to configure SAML authentication in Grafana's UI. labels: products: 
@@ -65,7 +69,7 @@ The following `External Group ID`s would be valid for input in the desired team' - `admins_group` - `division_1` -[Learn more about Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-team-sync/) +[Learn more about Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-team-sync/) # Configure role sync for SAML diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-azuread/_index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-entraid/_index.md similarity index 89% rename from docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-azuread/_index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-entraid/_index.md index 9d9d929288d..a3042e41dc2 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-azuread/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-entraid/_index.md 
@@ -1,4 +1,8 @@ --- +aliases: + - ../../../configure-access/configure-authentication/saml/configure-saml-with-azuread/ # /docs/grafana/next/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-azuread/ + - ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-entraid/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-entraid/ + - ../../../configure-security/configure-authentication/saml/configure-saml-with-azuread/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-azuread/ description: Learn how to configure SAML authentication in Grafana's UI. labels: products: @@ -16,7 +20,7 @@ Grafana supports user authentication through Microsoft Entra ID. This topic show {{< admonition type="note" >}} If an Entra ID user belongs to more than 150 groups, a Graph API endpoint is used instead. -Grafana versions 11.1 and below, do not support fetching the groups from the Graph API endpoint. As a result, users with more than 150 groups will not be able to retrieve their groups. Instead, it is recommended that you use the Azure AD connector. +Grafana versions 11.1 and below, do not support fetching the groups from the Graph API endpoint. As a result, users with more than 150 groups will not be able to retrieve their groups. Instead, it is recommended that you use the Entra ID connector. As of Grafana 11.2, the SAML integration offers a mechanism to retrieve user groups from the Graph API. 
@@ -78,11 +82,11 @@ In order to validate Entra ID users with Grafana, you need to configure the SAML 1. In the **Add a client secret** pane, enter a description for the secret. 1. Set the expiration date for the secret. 1. Select **Add**. -1. Copy the value of the secret. This value is used in the `client_secret` field in the [SAML configuration](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/). +1. Copy the value of the secret. This value is used in the `client_secret` field in the [SAML configuration](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/saml-configuration-options/). ## Configure SAML assertions when using SCIM provisioning -In order to verify the logged in user is the same user that was provisioned through Azure AD, you need to include the same `externalId` in the SAML assertion by mapping the SAML assertion `assertion_attribute_external_id`. +In order to verify the logged in user is the same user that was provisioned through Entra ID, you need to include the same `externalId` in the SAML assertion by mapping the SAML assertion `assertion_attribute_external_id`. 1. Open your Entra ID application. 1. Select the SAML single sign-on configuration. diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/_index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/_index.md similarity index 90% rename from docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/_index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/_index.md index bb16de2b0ee..af8d2b2d65e 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/_index.md 
+++ b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/_index.md @@ -1,4 +1,7 @@ --- +aliases: + - ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/ + - ../../../configure-security/configure-authentication/saml/configure-saml-with-okta/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/ description: Learn how to configure SAML authentication in Grafana's UI. labels: products: diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/oin-application.md b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/oin-application.md similarity index 78% rename from docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/oin-application.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/oin-application.md index c9346df8921..56802de6a74 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/oin-application.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/oin-application.md 
@@ -1,4 +1,7 @@ --- +aliases: + - ../../../../configure-security/configure-authentication/saml/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/configure-saml-with-okta/oin-application/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/configure-saml-with-okta/oin-application/ + - ../../../../configure-security/configure-authentication/saml/configure-saml-with-okta/oin-application/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/oin-application/ description: Learn how to configure SAML authentication with Okta using the Okta Integration Network (OIN) application. labels: products: diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/_index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/saml-configuration-options/_index.md similarity index 95% rename from docs/sources/setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/_index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/saml/saml-configuration-options/_index.md index c5d88ae10b3..7ad1014b226 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/saml-configuration-options/_index.md 
@@ -1,4 +1,8 @@ --- +aliases: + - ../../../configure-access/configure-authentication/saml/saml-configuration-options/_index.md/ # /docs/grafana/next/setup-grafana/configure-access/configure-authentication/saml/saml-configuration-options/_index.md/ + - ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/ + - ../../../configure-security/configure-authentication/saml/saml-configuration-options/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/ labels: products: - cloud diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/saml-ui/_index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/saml-ui/_index.md similarity index 90% rename from docs/sources/setup-grafana/configure-security/configure-authentication/saml/saml-ui/_index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/saml/saml-ui/_index.md index 1bb9ae36c5c..22048e1b407 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/saml-ui/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/saml-ui/_index.md 
@@ -1,6 +1,9 @@ --- aliases: - - ../saml-ui/ # /docs/grafana/latest/setup-grafana/configure-security/configure-authentication/saml-ui/ + - ../../../configure-security/configure-authentication/saml-ui/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml-ui/ + - ../saml-ui/ # /docs/grafana/latest/setup-grafana/configure-access/configure-authentication/saml-ui/ + - ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/saml-ui/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/saml-ui/ + - ../../../configure-security/configure-authentication/saml/saml-ui/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/saml-ui/ description: Learn how to configure SAML authentication in Grafana's UI. labels: products: 
@@ -125,11 +128,11 @@ Learn more about [team sync](../../../configure-team-sync) and [configuring team Role mapping will automatically update user's [basic role](../../../../../administration/roles-and-permissions/access-control/#basic-roles) based on their SAML roles every time the user logs in to Grafana. Learn more about [SAML role synchronization](../configure-saml-team-role-mapping/#configure-role-sync). -1. If you're setting up Grafana with Azure AD using the SAML protocol and want to fetch user groups from the Graph API, complete the **Azure AD Service Account Configuration** subsection. - 1. Set up a service account in Azure AD and provide the necessary details in the **Azure AD Service Account Configuration** section. - 1. Provide the **Client ID** of your Azure AD application. - 1. Provide the **Client Secret** of your Azure AD application, the **Client Secret** will be used to request an access token from Azure AD. - 1. Provide the Azure AD request **Access Token URL**. +1. If you're setting up Grafana with Entra ID using the SAML protocol and want to fetch user groups from the Graph API, complete the **Entra ID Service Account Configuration** subsection. + 1. Set up a service account in Entra ID and provide the necessary details in the **Entra ID Service Account Configuration** section. + 1. Provide the **Client ID** of your Entra ID application. + 1. Provide the **Client Secret** of your Entra ID application, the **Client Secret** will be used to request an access token from Entra ID. + 1. Provide the Entra ID request **Access Token URL**. 1. If you don't have users with more than 150 groups, you can still force the use of the Graph API by enabling the **Force use Graph API** toggle. 1. If you have multiple organizations and want to automatically add users to organizations, complete the **Org mapping section**. 
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/troubleshoot-saml/_index.md b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/troubleshoot-saml/_index.md similarity index 85% rename from docs/sources/setup-grafana/configure-security/configure-authentication/saml/troubleshoot-saml/_index.md rename to docs/sources/setup-grafana/configure-access/configure-authentication/saml/troubleshoot-saml/_index.md index 1460d94ec31..b06ceea154d 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml/troubleshoot-saml/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-authentication/saml/troubleshoot-saml/_index.md @@ -1,4 +1,7 @@ --- +aliases: + - ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/troublsehoot-saml/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/troublsehoot-saml/ + - ../../../configure-security/configure-authentication/saml/troubleshoot-saml/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/troubleshoot-saml/ description: Learn how to configure SAML authentication in Grafana's UI. labels: products: @@ -110,7 +113,7 @@ For enhanced security, set `cookie_secure` to `true`, which forces cookies to be ### Troubleshoot Graph API calls -When setting up SAML authentication with Azure AD, you may encounter issues with Graph API calls. This can happen if the Azure AD application is not properly configured to allow Graph API access. +When setting up SAML authentication with Entra ID, you may encounter issues with Graph API calls. This can happen if the Entra ID application is not properly configured to allow Graph API access. To help in the troubleshooting process, test the Graph API calls using the following commands: 
@@ -122,9 +125,9 @@ curl -X POST "{token_url}" \ Where the following values come from your [SAML configuration](../saml-configuration-options/_index.md#saml-configuration-options): -- `token_url`: The token URL of your Azure AD application. -- `client_id`: The client ID of your Azure AD application. -- `client_secret`: The client secret of your Azure AD application. +- `token_url`: The token URL of your Entra ID application. +- `client_id`: The client ID of your Entra ID application. +- `client_secret`: The client secret of your Entra ID application. The response should look like: @@ -153,4 +156,4 @@ The response should look like: } ``` -If the second call fails due to 401 or 403, you may need to check the Azure AD application settings to ensure that Graph API access is enabled. +If the second call fails due to 401 or 403, you may need to check the Entra ID application settings to ensure that Graph API access is enabled. diff --git a/docs/sources/setup-grafana/configure-security/configure-scim-provisioning/_index.md b/docs/sources/setup-grafana/configure-access/configure-scim-provisioning/_index.md similarity index 92% rename from docs/sources/setup-grafana/configure-security/configure-scim-provisioning/_index.md rename to docs/sources/setup-grafana/configure-access/configure-scim-provisioning/_index.md index 0fdb20d2408..9ef98bbc433 100644 --- a/docs/sources/setup-grafana/configure-security/configure-scim-provisioning/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-scim-provisioning/_index.md 
@@ -1,4 +1,7 @@ --- +aliases: + - ../setup-grafana/configure-security/configure-scim-provisioning/ # /docs/grafana/next/setup-grafana/setup-grafana/configure-security/configure-scim-provisioning/ + - ../configure-security/configure-scim-provisioning/ # /docs/grafana/next/setup-grafana/configure-security/configure-scim-provisioning/ description: Learn how to use SCIM provisioning to synchronize users and groups from your identity provider to Grafana. SCIM enables automated user management, team provisioning, and enhanced security through real-time synchronization with your identity provider. keywords: - grafana @@ -12,7 +15,7 @@ labels: - enterprise menuTitle: Configure SCIM provisioning title: Configure SCIM provisioning -weight: 300 +weight: 200 --- # Configure SCIM provisioning 
@@ -52,7 +55,7 @@ SCIM offers several advantages for managing users and teams in Grafana: ## Authentication and access requirements {{< admonition type="warning" title="Critical: Aligning SAML Identifier with SCIM externalId" >}} -When using SAML for authentication alongside SCIM provisioning, a critical security measure is to ensure proper alignment between the the SCIM user's `externalId` and the SAML user identifier. The unique identifier used for SCIM provisioning (which becomes the `externalId` in Grafana, often sourced from a stable IdP attribute like Azure AD's `user.objectid`) **must also be sent as a claim in the SAML assertion from your Identity Provider.** +When using SAML for authentication alongside SCIM provisioning, a critical security measure is to ensure proper alignment between the the SCIM user's `externalId` and the SAML user identifier. The unique identifier used for SCIM provisioning (which becomes the `externalId` in Grafana, often sourced from a stable IdP attribute like Entra ID's `user.objectid`) **must also be sent as a claim in the SAML assertion from your Identity Provider.** Furthermore, the Grafana SAML configuration must be correctly set up to identify and use this specific claim for linking the authenticated SAML user to their SCIM-provisioned user. This can be achieved by either ensuring the primary SAML login identifier by using the `assertion_attribute_external_uid` setting in Grafana to explicitly set the name of the SAML claim that contains the stable unique identifier attribute. **Why is this important?** 
@@ -60,7 +63,7 @@ A mismatch or inconsistent mapping between this SAML login identifier and the SC Grafana relies on this linkage to correctly associate the authenticated user from SAML with the provisioned user from SCIM. Failure to ensure a consistent and unique identifier across both systems can break this linkage, leading to incorrect user mapping and potential unauthorized access. -Always verify that your SAML identity provider is configured to send a stable, unique user identifier that your SCIM configuration maps to `externalId`. Refer to your identity provider's documentation and the specific Grafana SCIM integration guides (e.g., for [Azure AD](configure-scim-with-azuread/) or [Okta](configure-scim-with-okta/)) for detailed instructions on configuring these attributes correctly. +Always verify that your SAML identity provider is configured to send a stable, unique user identifier that your SCIM configuration maps to `externalId`. Refer to your identity provider's documentation and the specific Grafana SCIM integration guides (e.g., for [Entra ID](configure-scim-with-azuread/) or [Okta](configure-scim-with-okta/)) for detailed instructions on configuring these attributes correctly. {{< /admonition >}} When you enable SCIM in Grafana, the following requirements and restrictions apply: 
@@ -68,8 +71,8 @@ When you enable SCIM in Grafana, the following requirements and restrictions app 1. **Use the same identity provider for user provisioning and for authentication flow**: You must use the same identity provider for both authentication and user provisioning. 2. **Security restriction**: When using SAML, the login authentication flow requires the SAML assertion exchange between the Identity Provider and Grafana to include the `userUID` SAML assertion with the user's unique identifier at the Identity Provider. - - Configure `userUID` SAML assertion in [Azure AD](/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-azuread/#configure-saml-assertions-when-using-scim-provisioning) - - Configure `userUID` SAML assertion in [Okta](/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/#configure-saml-assertions-when-using-scim-provisioning) + - Configure `userUID` SAML assertion in [Entra ID](/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-azuread/#configure-saml-assertions-when-using-scim-provisioning) + - Configure `userUID` SAML assertion in [Okta](/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/#configure-saml-assertions-when-using-scim-provisioning) ## Configure SCIM using the Grafana user interface @@ -102,7 +105,7 @@ The SCIM UI also displays information that may help you configure SCIM in your i After configuring SCIM in Grafana, configure your identity provider: - [Configure SCIM with Okta](configure-scim-with-okta/) -- [Configure SCIM with Azure AD](configure-scim-with-azuread/) +- [Configure SCIM with Entra ID](configure-scim-with-azuread/) ## Configure SCIM using the configuration file 
@@ -119,7 +122,7 @@ The table below describes all SCIM configuration options. Like any other Grafana - SCIM group sync (`group_sync_enabled = true`) and Team Sync cannot be enabled simultaneously - You can use SCIM user sync (`user_sync_enabled = true`) alongside Team Sync -- For more details about migration and compatibility, see [SCIM vs Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-scim-provisioning/manage-users-teams/#scim-vs-team-sync) +- For more details about migration and compatibility, see [SCIM vs Team Sync](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-scim-provisioning/manage-users-teams/#scim-vs-team-sync) {{< /admonition >}} ### Example SCIM configuration @@ -159,7 +162,7 @@ The Terraform `grafana_scim_config` resource supports the same configuration opt The following identity providers are supported: -- [Azure AD](../configure-authentication/azuread/) +- [Entra ID](../configure-authentication/azuread/) - [Okta](../configure-authentication/saml/) ## How it works @@ -194,5 +197,5 @@ The following table compares SCIM with other synchronization methods to help you - [Manage users and teams with SCIM provisioning](manage-users-teams/) - [Troubleshoot SCIM provisioning](troubleshooting/) -- [Configure SCIM with Azure AD](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-azuread/) -- [Configure SCIM with Okta](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/) +- [Configure SCIM with Entra ID](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/configure-scim-with-azuread/) +- [Configure SCIM with Okta](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/configure-scim-with-okta/) 
diff --git a/docs/sources/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-azuread/_index.md b/docs/sources/setup-grafana/configure-access/configure-scim-provisioning/configure-scim-with-entraid/_index.md similarity index 71% rename from docs/sources/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-azuread/_index.md rename to docs/sources/setup-grafana/configure-access/configure-scim-provisioning/configure-scim-with-entraid/_index.md index 955a53e3f0d..348481fcfc5 100644 --- a/docs/sources/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-azuread/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-scim-provisioning/configure-scim-with-entraid/_index.md 
@@ -1,5 +1,11 @@ --- -description: Learn how to configure SCIM provisioning with Azure AD in Grafana Enterprise. This guide provides step-by-step instructions for setting up automated user and team management, including enterprise application configuration, service account creation, attribute mapping, and provisioning settings to ensure seamless integration between Azure AD and Grafana. +aliases: + - ../../configure-access/configure-authentication/configure-scim-with-azuread/ # /docs/grafana/next/setup-grafana/configure-access/configure-authentication/configure-scim-with-azuread/ + - ../../configure-security/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-azuread/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-azuread/ + - ../../configure-security/configure-scim-provisioning/configure-scim-with-azuread/ # /docs/grafana/next/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-azuread/ + - ../../configure-access/configure-scim-with-azuread/ # /docs/grafana/next/setup-grafana/configure-access/configure-scim-provisioning/configure-scim-with-azuread/ + +description: Learn how to configure SCIM provisioning with Entra ID in Grafana Enterprise. This guide provides step-by-step instructions for setting up automated user and team management, including enterprise application configuration, service account creation, attribute mapping, and provisioning settings to ensure seamless integration between Entra ID and Grafana. keywords: - grafana - scim 
@@ -13,12 +19,12 @@ labels: products: - cloud - enterprise -menuTitle: Configure SCIM with Azure AD -title: Configure SCIM with Azure AD +menuTitle: Configure SCIM with Entra ID +title: Configure SCIM with Entra ID weight: 320 --- -# Configure SCIM with Azure AD +# Configure SCIM with Entra ID {{< admonition type="note" >}} Available in [Grafana Enterprise](/docs/grafana//introduction/grafana-enterprise/) and to customers on select Grafana Cloud plans. For pricing information, visit [pricing](https://grafana.com/pricing/) or contact our sales team. @@ -28,7 +34,7 @@ Available in [Grafana Enterprise](/docs/grafana//introduction/g **Public Preview:** SCIM provisioning is currently in Public Preview. While functional, the feature is actively being refined and may undergo changes. We recommend thorough testing in non-production environments before deploying to production systems. {{< /admonition >}} -This guide explains how to configure SCIM provisioning with Azure AD to automate user and team management in Grafana. +This guide explains how to configure SCIM provisioning with Entra ID to automate user and team management in Grafana. {{< admonition type="note" >}} This feature is behind the `enableSCIM` feature toggle. 
@@ -39,23 +45,23 @@ For more information, refer to the [feature toggles documentation](/docs/grafana {{< admonition type="note" >}} **Important SAML and SCIM Configuration:** -When using SAML for authentication alongside SCIM provisioning with Azure AD, it is crucial to correctly align user identifiers. +When using SAML for authentication alongside SCIM provisioning with Entra ID, it is crucial to correctly align user identifiers. For detailed information on why this is critical for security and how to configure it, refer to the main [SCIM provisioning documentation](../). -Refer to the [SAML authentication with Azure AD documentation](../../configure-authentication/saml/configure-saml-with-azuread/) for specific instructions on how to configure SAML claims and Grafana SAML settings for your Azure AD SCIM setup. +Refer to the [SAML authentication with Entra ID documentation](../../configure-authentication/saml/configure-saml-with-azuread/) for specific instructions on how to configure SAML claims and Grafana SAML settings for your Entra ID SCIM setup. {{< /admonition >}} ## Prerequisites -Before configuring SCIM with Azure AD, ensure you have: +Before configuring SCIM with Entra ID, ensure you have: - Grafana Enterprise or a paid Grafana Cloud account with SCIM provisioning enabled. -- Admin access to both Grafana and Azure AD +- Admin access to both Grafana and Entra ID - SCIM feature enabled in Grafana ## Configure SCIM in Grafana -To enable SCIM provisioning in Grafana, create a service account and generate a service account token that will be used to authenticate SCIM requests from Azure AD. +To enable SCIM provisioning in Grafana, create a service account and generate a service account token that will be used to authenticate SCIM requests from Entra ID. ### Create a service account 
@@ -77,15 +83,15 @@ To enable SCIM provisioning in Grafana, create a service account and generate a - `teams:delete` 5. Create a new token for the newly created service account and save it securely - - This token will be used in the Azure AD configuration + - This token will be used in the Entra ID configuration -## Configure SCIM in Azure AD +## Configure SCIM in Entra ID -Configure the enterprise application in Azure AD to enable automated user and team synchronization with Grafana. This involves creating a new application and setting up both authentication and provisioning. +Configure the enterprise application in Entra ID to enable automated user and team synchronization with Grafana. This involves creating a new application and setting up both authentication and provisioning. ### Create the enterprise application -1. Open Azure Portal Entra ID (Azure AD) +1. Open Azure Portal Entra ID (Entra ID) 2. Click **+ Add** dropdown 3. Click **Add Enterprise Application** 4. Click **+ Create Your Own Application** 
@@ -120,18 +126,18 @@ Configure the enterprise application in Azure AD to enable automated user and te ### Configure attribute mappings -After setting the Tenant URL and Secret Token, navigate to the **Mappings** section within the same **Provisioning** settings in your Azure AD enterprise application and then click **Provision Microsoft Entra ID Users**. This is where you will define how Azure AD attributes correspond to the SCIM attributes for Grafana, including the mandatory `externalId`. +After setting the Tenant URL and Secret Token, navigate to the **Mappings** section within the same **Provisioning** settings in your Entra ID enterprise application and then click **Provision Microsoft Entra ID Users**. This is where you will define how Entra ID attributes correspond to the SCIM attributes for Grafana, including the mandatory `externalId`. {{< admonition type="note" >}} -- Only work email addresses are supported. Azure AD must be configured to use `emails[type eq "work"].value` for email mapping. -- The `externalId` attribute in Grafana is mandatory. Azure AD uses this to uniquely identify users and groups. You must map an attribute from Azure AD to the `externalId` attribute in Grafana. This Azure AD attribute must be **a stable and a unique identifier for each individual user** (for example, the `objectId` attribute in Azure AD is commonly used for this purpose). +- Only work email addresses are supported. Entra ID must be configured to use `emails[type eq "work"].value` for email mapping. +- The `externalId` attribute in Grafana is mandatory. Entra ID uses this to uniquely identify users and groups. You must map an attribute from Entra ID to the `externalId` attribute in Grafana. This Entra ID attribute must be **a stable and a unique identifier for each individual user** (for example, the `objectId` attribute in Entra ID is commonly used for this purpose). 
{{< /admonition >}} Configure the following required attributes: -| Azure AD Attribute | Grafana Attribute | +| Entra ID Attribute | Grafana Attribute | | ------------------------------------------------------------- | ------------------------------ | | `userPrincipalName` | `userName` | | `mail` | `emails[type eq "work"].value` | @@ -145,7 +151,7 @@ During provisioning, if the identity provider sends user attributes that has no ### Enable provisioning -Click **Start provisioning** from the top action bar in the **Overview** page from your Azure AD enterprise application. +Click **Start provisioning** from the top action bar in the **Overview** page from your Entra ID enterprise application. ### Configure group provisioning @@ -160,7 +166,7 @@ To enable group synchronization: After completing the configuration: -1. Test the SCIM connector in Azure AD +1. Test the SCIM connector in Entra ID 2. Assign a test user to the application 3. Verify the user is provisioned in Grafana 4. Test group synchronization if configured diff --git a/docs/sources/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/_index.md b/docs/sources/setup-grafana/configure-access/configure-scim-provisioning/configure-scim-with-okta/_index.md similarity index 89% rename from docs/sources/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/_index.md rename to docs/sources/setup-grafana/configure-access/configure-scim-provisioning/configure-scim-with-okta/_index.md index b4642638b08..fe33b12bb87 100644 --- a/docs/sources/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-scim-provisioning/configure-scim-with-okta/_index.md 
@@ -1,4 +1,8 @@ --- +aliases: + - ../../configure-access/configure-authentication/configure-scim-with-okta/ # /docs/grafana/next/setup-grafana/configure-access/configure-authentication/configure-scim-with-okta/ + - ../../configure-security/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/ + - ../../configure-security/configure-scim-provisioning/configure-scim-with-okta/ # /docs/grafana/next/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/ description: Learn how to configure SCIM provisioning with Okta in Grafana. This guide provides step-by-step instructions for setting up automated user and team management, including SAML configuration, service account creation, attribute mapping, and provisioning settings to ensure seamless integration between Okta and Grafana. keywords: - grafana diff --git a/docs/sources/setup-grafana/configure-security/configure-scim-provisioning/manage-users-teams/_index.md b/docs/sources/setup-grafana/configure-access/configure-scim-provisioning/manage-users-teams/_index.md similarity index 94% rename from docs/sources/setup-grafana/configure-security/configure-scim-provisioning/manage-users-teams/_index.md rename to docs/sources/setup-grafana/configure-access/configure-scim-provisioning/manage-users-teams/_index.md index 23a389d582e..c1d9249c5f2 100644 --- a/docs/sources/setup-grafana/configure-security/configure-scim-provisioning/manage-users-teams/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-scim-provisioning/manage-users-teams/_index.md 
@@ -1,5 +1,8 @@ --- -description: Learn how to implement SCIM provisioning in Grafana for automated user and team synchronization. SCIM integrates with identity providers like Okta and Azure AD to streamline user management, automate team provisioning, and replace Team Sync. +aliases: + - ../../configure-security/setup-grafana/configure-security/configure-scim-provisioning/manage-users-teams/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-scim-provisioning/manage-users-teams/ + - ../../configure-security/configure-scim-provisioning/manage-users-teams/ # /docs/grafana/next/setup-grafana/configure-security/configure-scim-provisioning/manage-users-teams/ +description: Learn how to implement SCIM provisioning in Grafana for automated user and team synchronization. SCIM integrates with identity providers like Okta and Entra ID to streamline user management, automate team provisioning, and replace Team Sync. keywords: - grafana - scim @@ -49,7 +52,7 @@ After a user is provisioned through SCIM, they cannot be deleted from Grafana - For detailed configuration steps specific to the identity provider, see: -- [Configure SCIM with Azure AD](../configure-scim-with-azuread/) +- [Configure SCIM with Entra ID](../configure-scim-with-azuread/) - [Configure SCIM with Okta](../configure-scim-with-okta/) ### How SCIM identifies users 
@@ -69,10 +72,10 @@ SCIM uses a specific process to establish and maintain user identity between the - Grafana updates the authentication validations to expect this External ID 3. **Matching the User During Login:** - When a user logs in via SAML, Grafana needs to securely match them to the correct user account provisioned by SCIM. This requires using a consistent, unique identifier across both processes (for example, the user's `objectId` in Azure AD). - - **Configure SAML Claims:** Set up your identity provider (e.g., Azure AD) to include this unique identifier in the information it sends during SAML login. + When a user logs in via SAML, Grafana needs to securely match them to the correct user account provisioned by SCIM. This requires using a consistent, unique identifier across both processes (for example, the user's `objectId` in Entra ID). + - **Configure SAML Claims:** Set up your identity provider (e.g., Entra ID) to include this unique identifier in the information it sends during SAML login. - **Configure Grafana SAML:** In the Grafana SAML settings, use the `assertion_attribute_login` setting to specify which incoming SAML attribute contains this unique identifier. - - **Configure SCIM Mapping:** To complete the link, ensure your SCIM attribute mapping in the identity provider sets the user's Grafana **externalId** attribute to be the _same_ unique identifier provided via SAML (for example, the user's `objectId` in Azure AD). + - **Configure SCIM Mapping:** To complete the link, ensure your SCIM attribute mapping in the identity provider sets the user's Grafana **externalId** attribute to be the _same_ unique identifier provided via SAML (for example, the user's `objectId` in Entra ID). - See [SAML configuration details](../../configure-authentication/saml/#integrating-with-scim-provisioning) for specific configuration guidance. 
This process ensures secure and consistent user identification across both systems, preventing security issues that could arise from email changes or other user attribute modifications. @@ -228,7 +231,7 @@ Teams provisioned through SCIM cannot be deleted manually from Grafana - they ca For detailed configuration steps specific to the identity provider, see: -- [Configure SCIM with Azure AD](../configure-scim-with-azuread/) +- [Configure SCIM with Entra ID](../configure-scim-with-azuread/) - [Configure SCIM with Okta](../configure-scim-with-okta/) ### SCIM vs Team Sync @@ -279,5 +282,5 @@ Team membership maintenance: ## Next steps - [Troubleshoot SCIM provisioning](../troubleshooting/) -- [Configure SCIM with Azure AD](../configure-scim-with-azuread/) +- [Configure SCIM with Entra ID](../configure-scim-with-azuread/) - [Configure SCIM with Okta](../configure-scim-with-okta/) diff --git a/docs/sources/setup-grafana/configure-security/configure-scim-provisioning/troubleshooting/_index.md b/docs/sources/setup-grafana/configure-access/configure-scim-provisioning/troubleshooting/_index.md similarity index 79% rename from docs/sources/setup-grafana/configure-security/configure-scim-provisioning/troubleshooting/_index.md rename to docs/sources/setup-grafana/configure-access/configure-scim-provisioning/troubleshooting/_index.md index eab22ea56a4..b7f26e8d53d 100644 --- a/docs/sources/setup-grafana/configure-security/configure-scim-provisioning/troubleshooting/_index.md +++ b/docs/sources/setup-grafana/configure-access/configure-scim-provisioning/troubleshooting/_index.md 
@@ -1,4 +1,7 @@ --- +aliases: + - ../../configure-security/setup-grafana/configure-security/configure-scim-provisioning/troubleshooting/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-scim-provisioning/troubleshooting/ + - ../../configure-security/configure-scim-provisioning/troubleshooting/ # /docs/grafana/next/setup-grafana/configure-security/configure-scim-provisioning/troubleshooting/ description: Troubleshoot common SCIM provisioning issues in Grafana, including user provisioning, authentication, and login problems. keywords: - grafana @@ -65,11 +68,11 @@ Where: | SAML Assertion | Identity Provider | Value | | -------------- | ----------------- | -------------------------------- | -| `userUID` | Azure AD | `objectId` | +| `userUID` | Entra ID | `objectId` | | `userUID` | Okta | `user.getInternalProperty("id")` | ## Next steps - [Manage users and teams with SCIM provisioning](../manage-users-teams/) -- [Configure SCIM with Azure AD](../configure-scim-with-azuread/) +- [Configure SCIM with Entra ID](../configure-scim-with-azuread/) - [Configure SCIM with Okta](../configure-scim-with-okta/) diff --git a/docs/sources/setup-grafana/configure-security/configure-team-sync.md b/docs/sources/setup-grafana/configure-access/configure-team-sync.md similarity index 68% rename from docs/sources/setup-grafana/configure-security/configure-team-sync.md rename to docs/sources/setup-grafana/configure-access/configure-team-sync.md index 268e907908f..1741fd33edc 100644 --- a/docs/sources/setup-grafana/configure-security/configure-team-sync.md +++ b/docs/sources/setup-grafana/configure-access/configure-team-sync.md 
@@ -1,15 +1,16 @@ --- aliases: - - ../../auth/team-sync/ - - ../../enterprise/team-sync/ -description: Learn how to use Team Sync to synchronize between your authentication - provider teams and Grafana teams. + - ../setup-grafana/configure-security/configure-team-sync/ # /docs/grafana/next/setup-grafana/setup-grafana/configure-security/configure-team-sync/ + - ../../auth/team-sync/ # /docs/grafana/next/auth/team-sync/ + - ../../enterprise/team-sync/ # /docs/grafana/next/enterprise/team-sync/ + - ../configure-security/configure-team-sync/ # /docs/grafana/next/setup-grafana/configure-security/configure-team-sync/ +description: Learn how to use Team Sync to synchronize between your authentication provider teams and Grafana teams. labels: products: - cloud - enterprise title: Configure Team Sync -weight: 1000 +weight: 600 --- # Configure Team Sync 
@@ -29,15 +30,15 @@ This mechanism allows Grafana to remove an existing synchronized user from a tea ## Supported providers -- [Auth Proxy](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/auth-proxy/#team-sync) -- [Azure AD](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/azuread/#team-sync) -- [Generic OAuth integration](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/generic-oauth/#configure-team-synchronization) -- [GitHub OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/github/#configure-team-synchronization) -- [GitLab OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/gitlab/#configure-team-synchronization) -- [Google OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/google/#configure-team-synchronization) -- [LDAP](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/enhanced-ldap/) -- [Okta](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/okta/#configure-team-synchronization) -- [SAML](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/) +- [Auth Proxy](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/auth-proxy/#team-sync) +- [Entra ID](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/azuread/#team-sync) +- [Generic OAuth integration](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/generic-oauth/#configure-team-synchronization) +- [GitHub OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/github/#configure-team-synchronization) +- [GitLab 
OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/gitlab/#configure-team-synchronization) +- [Google OAuth](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/google/#configure-team-synchronization) +- [LDAP](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/enhanced-ldap/) +- [Okta](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/okta/#configure-team-synchronization) +- [SAML](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/) ## Synchronize a Grafana team with an external group diff --git a/docs/sources/setup-grafana/configure-security/manage-single-access.md b/docs/sources/setup-grafana/configure-access/multi-team-access.md similarity index 90% rename from docs/sources/setup-grafana/configure-security/manage-single-access.md rename to docs/sources/setup-grafana/configure-access/multi-team-access.md index 1ca84d68960..6f179a842e1 100644 --- a/docs/sources/setup-grafana/configure-security/manage-single-access.md +++ b/docs/sources/setup-grafana/configure-access/multi-team-access.md @@ -1,6 +1,8 @@ --- aliases: - - ../../enterprise/manage-single-access/ + - ../setup-grafana/configure-security/manage-single-access/ # /docs/grafana/next/setup-grafana/setup-grafana/configure-security/manage-single-access/ + - ../../enterprise/manage-single-access/ # /docs/grafana/next/enterprise/manage-single-access/ + - ../configure-security/manage-single-access/ # /docs/grafana/next/setup-grafana/configure-security/manage-single-access/ description: Manage multi-team access in a single Grafana instance keywords: - grafana @@ -14,7 +16,8 @@ labels: - cloud - enterprise title: Manage multi-team access in a single Grafana instance -weight: 1200 +menuTitle: Multi-team access +weight: 500 refs: create-folder: - pattern: /docs/grafana/ 
@@ -38,17 +41,17 @@ refs: destination: /docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-control/rbac-fixed-basic-role-definitions/#fixed-role-definitions drilldown: - pattern: /docs/grafana/ - destination: /docs/grafana//explore/simplified-exploration/ - pattern: /docs/grafana-cloud/ destination: /docs/grafana-cloud/visualizations/simplified-exploration/ add-data-source: - pattern: /docs/grafana/ - destination: /docs/grafana//datasources/#add-a-data-source - pattern: /docs/grafana-cloud/ destination: /docs/grafana-cloud/connect-externally-hosted/data-sources/#add-a-data-source lbac: - pattern: /docs/grafana/ - destination: /docs/grafana//administration/data-source-management/teamlbac - pattern: /docs/grafana-cloud/ destination: /docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/label-access-policies --- 
@@ -143,7 +146,7 @@ For example, users working in [Frontend Observability](https://grafana.com/docs/ After you've made sure the model is working, you can codify it. -You can add any new users to your Grafana instance with an Identity Provider through [SCIM](../../configure-security/configure-scim-provisioning/). Use [role sync](../../configure-security/configure-authentication/saml/configure-saml-team-role-mapping/#configure-role-sync-for-saml) to automatically assign users the correct basic role (Viewer, Editor, or Admin) based on their mapped attributes in the IdP.. +You can add any new users to your Grafana instance with an Identity Provider through [SCIM](../../configure-access/configure-authentication/). Use [role sync](../../../configure-access/configure-authentication/saml/configure-saml-team-role-mapping/#configure-role-sync-for-saml) to automatically assign users the correct basic role (Viewer, Editor, or Admin) based on their mapped attributes in the IdP.. You can also use Terraform to provision teams their folders, fixed roles, and shared data source LBAC rules. For example, if you need to add a new team (Team D), you only need to add the new team to Grafana and run the Terraform script, which will automatically set them up to start using Grafana. diff --git a/docs/sources/setup-grafana/configure-grafana/_index.md b/docs/sources/setup-grafana/configure-grafana/_index.md index b0b328866d6..f3d3dd89b45 100644 --- a/docs/sources/setup-grafana/configure-grafana/_index.md +++ b/docs/sources/setup-grafana/configure-grafana/_index.md 
@@ -1014,7 +1014,7 @@ This is a comma-separated list of usernames. Users specified here are hidden in ### `[auth]` -Grafana provides many ways to authenticate users. Refer to the Grafana [Authentication overview](../configure-security/configure-authentication/) and other authentication documentation for detailed instructions on how to set up and configure authentication. +Grafana provides many ways to authenticate users. Refer to the Grafana [Authentication overview](../configure-access/configure-authentication/) and other authentication documentation for detailed instructions on how to set up and configure authentication. #### `login_cookie_name` @@ -1219,25 +1219,25 @@ This means the plugin can only access data and resources within that specific or ### `[auth.anonymous]` -Refer to [Anonymous authentication](../configure-security/configure-authentication/grafana/#anonymous-authentication) for detailed instructions. +Refer to [Anonymous authentication](../configure-access/configure-authentication/grafana/#anonymous-authentication) for detailed instructions.
### `[auth.github]` -Refer to [GitHub OAuth2 authentication](../configure-security/configure-authentication/github/) for detailed instructions. +Refer to [GitHub OAuth2 authentication](../configure-access/configure-authentication/github/) for detailed instructions.
### `[auth.gitlab]` -Refer to [GitLab OAuth 2.0 authentication](../configure-security/configure-authentication/gitlab/) for detailed instructions. +Refer to [GitLab OAuth 2.0 authentication](../configure-access/configure-authentication/gitlab/) for detailed instructions.
### `[auth.google]` -Refer to [Google OAuth2 authentication](../configure-security/configure-authentication/google/) for detailed instructions. +Refer to [Google OAuth2 authentication](../configure-access/configure-authentication/google/) for detailed instructions.
@@ -1255,37 +1255,37 @@ Legacy key names, still in the configuration file so they work in environment va ### `[auth.azuread]` -Refer to [Azure AD OAuth2 authentication](../configure-security/configure-authentication/azuread/) for detailed instructions. +Refer to [Entra ID OAuth2 authentication](../configure-access/configure-authentication/azuread/) for detailed instructions.
### `[auth.okta]` -Refer to [Okta OAuth2 authentication](../configure-security/configure-authentication/okta/) for detailed instructions. +Refer to [Okta OAuth2 authentication](../configure-access/configure-authentication/okta/) for detailed instructions.
### `[auth.generic_oauth]` -Refer to [Generic OAuth authentication](../configure-security/configure-authentication/generic-oauth/) for detailed instructions. +Refer to [Generic OAuth authentication](../configure-access/configure-authentication/generic-oauth/) for detailed instructions.
### `[auth.basic]` -Refer to [Basic authentication](../configure-security/configure-authentication/#basic-authentication) for detailed instructions. +Refer to [Basic authentication](../configure-access/configure-authentication/#basic-authentication) for detailed instructions.
### `[auth.proxy]` -Refer to [Auth proxy authentication](../configure-security/configure-authentication/auth-proxy/) for detailed instructions. +Refer to [Auth proxy authentication](../configure-access/configure-authentication/auth-proxy/) for detailed instructions.
### `[auth.ldap]` -Refer to [LDAP authentication](../configure-security/configure-authentication/ldap/) for detailed instructions. +Refer to [LDAP authentication](../configure-access/configure-authentication/ldap/) for detailed instructions. ### `[aws]` @@ -1358,27 +1358,27 @@ Should be set for user-assigned identity and should be empty for system-assigned #### `workload_identity_enabled` -Specifies whether Azure AD Workload Identity authentication should be enabled in data sources that support it. +Specifies whether Entra ID Workload Identity authentication should be enabled in data sources that support it. -For more documentation on Azure AD Workload Identity, review [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/) documentation. +For more documentation on Entra ID Workload Identity, review [Entra ID Workload Identity](https://azure.github.io/azure-workload-identity/docs/) documentation. Disabled by default, needs to be explicitly enabled. #### `workload_identity_tenant_id` -Tenant ID of the Azure AD Workload Identity. +Tenant ID of the Entra ID Workload Identity. -Allows to override default tenant ID of the Azure AD identity associated with the Kubernetes service account. +Allows to override default tenant ID of the Entra ID identity associated with the Kubernetes service account. #### `workload_identity_client_id` -Client ID of the Azure AD Workload Identity. +Client ID of the Entra ID Workload Identity. -Allows to override default client ID of the Azure AD identity associated with the Kubernetes service account. +Allows to override default client ID of the Entra ID identity associated with the Kubernetes service account. #### `workload_identity_token_file` -Custom path to token file for the Azure AD Workload Identity. +Custom path to token file for the Entra ID Workload Identity. Allows to set a custom path to the projected service account token file. 
@@ -1444,7 +1444,7 @@ Disabled by default, needs to be explicitly enabled. ### `[auth.jwt]` -Refer to [JWT authentication](../configure-security/configure-authentication/jwt/) for more information. +Refer to [JWT authentication](../configure-access/configure-authentication/jwt/) for more information.
diff --git a/docs/sources/shared/auth/intro.md b/docs/sources/shared/auth/intro.md index 06f702afc87..31013b10011 100644 --- a/docs/sources/shared/auth/intro.md +++ b/docs/sources/shared/auth/intro.md @@ -10,4 +10,4 @@ There are numerous authentication methods available in Grafana to verify user id You can also configure Grafana to automatically update users' roles and team memberships in Grafana based on the information returned by the auth provider integration. When deciding on an authentication method, it's important to take into account your current identity and access management system as well as the specific authentication and authorization features you require. -For a complete list of the available authentication options and the features they support, refer to [Configure authentication](/docs/grafana//setup-grafana/configure-security/configure-authentication). +For a complete list of the available authentication options and the features they support, refer to [Configure authentication](/docs/grafana//setup-grafana/configure-access/configure-authentication). diff --git a/docs/sources/whatsnew/whats-new-in-v10-0.md b/docs/sources/whatsnew/whats-new-in-v10-0.md index 410a1f56196..6da4aec0a88 100644 --- a/docs/sources/whatsnew/whats-new-in-v10-0.md +++ b/docs/sources/whatsnew/whats-new-in-v10-0.md 
@@ -270,7 +270,7 @@ With the new user interface (UI), you can now configure SAML without needing to The SAML UI is available in Grafana Enterprise, Cloud Pro, and Advanced. It's user-friendly, with clear instructions and helpful prompts to guide you through the process. -For more information on how to set up SAML using the Grafana UI, refer to [Configure SAML authentication using the Grafana user interface](../../setup-grafana/configure-security/configure-authentication/saml-ui/). +For more information on how to set up SAML using the Grafana UI, refer to [Configure SAML authentication using the Grafana user interface](../../setup-grafana/configure-access/configure-authentication/saml-ui/). ### Case-insensitive usernames and email addresses diff --git a/docs/sources/whatsnew/whats-new-in-v10-1.md b/docs/sources/whatsnew/whats-new-in-v10-1.md index 4e90fce99e8..1cce8d3829f 100644 --- a/docs/sources/whatsnew/whats-new-in-v10-1.md +++ b/docs/sources/whatsnew/whats-new-in-v10-1.md @@ -439,7 +439,7 @@ Grafana now supports GitLab OIDC through the `GitLab` OAuth provider in addition This change also allows Grafana to reduce the access scope to only the required scopes for authentication and authorization, instead of full read API access. -To learn how to migrate your GitLab OAuth2 setup to OIDC, refer to our [GitLab authentication documentation](../../setup-grafana/configure-security/configure-authentication/gitlab/). +To learn how to migrate your GitLab OAuth2 setup to OIDC, refer to our [GitLab authentication documentation](../../setup-grafana/configure-access/configure-authentication/gitlab/). ### Google OIDC and Team Sync support 
@@ -451,7 +451,7 @@ Grafana now supports Google OIDC through the `Google` OAuth provider in addition This release also adds support for Google OIDC in Team Sync. You can now easily add users to teams by using their Google groups. -To learn how to migrate your Google OAuth2 setup to OIDC and how to set up Team Sync, refer to our [Google authentication documentation](../../setup-grafana/configure-security/configure-authentication/google/). +To learn how to migrate your Google OAuth2 setup to OIDC and how to set up Team Sync, refer to our [Google authentication documentation](../../setup-grafana/configure-access/configure-authentication/google/). ## Plugins diff --git a/docs/sources/whatsnew/whats-new-in-v10-2.md b/docs/sources/whatsnew/whats-new-in-v10-2.md index 90ea8d067d2..dca0f40caf3 100644 --- a/docs/sources/whatsnew/whats-new-in-v10-2.md +++ b/docs/sources/whatsnew/whats-new-in-v10-2.md @@ -459,7 +459,7 @@ This is useful if you want to limit the access users have to your Grafana instan We've also added support for controlling allowed groups when using Google OIDC. -Refer to the [Google Authentication documentation](http://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/google/) to learn how to use these new options. +Refer to the [Google Authentication documentation](http://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/google/) to learn how to use these new options. ### Configure refresh token handling separately for OAuth providers 
@@ -471,7 +471,7 @@ With Grafana v9.3, we introduced a [feature toggle](https://grafana.com/docs/gra With the current release, we've introduced a new configuration option for each OAuth provider called `use_refresh_token` that allows you to configure whether the particular OAuth integration should use refresh tokens to automatically refresh access tokens when they expire. In addition, to further improve security and provide secure defaults, `use_refresh_token` is enabled by default for providers that support either refreshing tokens automatically or client-controlled fetching of refresh tokens. It's enabled by default for the following OAuth providers: `AzureAD`, `GitLab`, `Google`. -For more information on how to set up refresh token handling, please refer to [the documentation of the particular OAuth provider.](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/). +For more information on how to set up refresh token handling, please refer to [the documentation of the particular OAuth provider.](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/). {{< admonition type="note" >}} The `use_refresh_token` configuration must be used in conjunction with the `accessTokenExpirationCheck` [feature toggle](https://grafana.com/docs/grafana//setup-grafana/configure-grafana/feature-toggles/). If you disable the `accessTokenExpirationCheck` feature toggle, Grafana won't check the expiration of the access token and won't automatically refresh the expired access token, even if the `use_refresh_token` configuration is set to `true`. diff --git a/docs/sources/whatsnew/whats-new-in-v10-3.md b/docs/sources/whatsnew/whats-new-in-v10-3.md index 650e1809ff0..e43fdcd331e 100644 --- a/docs/sources/whatsnew/whats-new-in-v10-3.md +++ b/docs/sources/whatsnew/whats-new-in-v10-3.md 
@@ -407,4 +407,4 @@ When anonymous access has been enabled, any device which accesses Grafana in the {{< youtube id="B72X3_9e-ds" >}} -[Documentation](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/grafana/) +[Documentation](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/grafana/) diff --git a/docs/sources/whatsnew/whats-new-in-v10-4.md b/docs/sources/whatsnew/whats-new-in-v10-4.md index c8b1c6f496b..2d82968c8f6 100644 --- a/docs/sources/whatsnew/whats-new-in-v10-4.md +++ b/docs/sources/whatsnew/whats-new-in-v10-4.md @@ -219,7 +219,7 @@ We are working on adding complete support for configuring all other supported OA {{< youtube id="xXW2eRTbjDY" >}} -[Documentation](https://grafana.com/docs/grafana/next/setup-grafana/configure-security/configure-authentication/) +[Documentation](https://grafana.com/docs/grafana/next/setup-grafana/configure-access/configure-authentication/) ## Data sources diff --git a/docs/sources/whatsnew/whats-new-in-v11-0.md b/docs/sources/whatsnew/whats-new-in-v11-0.md index ea2ce483b0c..718032fb1fc 100644 --- a/docs/sources/whatsnew/whats-new-in-v11-0.md +++ b/docs/sources/whatsnew/whats-new-in-v11-0.md @@ -376,7 +376,7 @@ If you manage your users using Grafana's built-in basic authorization as an iden Starting with Grafana v11.0, you can enable an opinionated strong password policy feature. This configuration option validates all password updates to comply with our strong password policy. -To learn more about Grafana's strong password policy, refer to the [documentation](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/grafana/#strong-password-policy). +To learn more about the strong password policy in Grafana, refer to the [documentation](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/grafana/#strong-password-policy). ### Anonymous users are billed in Grafana Enterprise 
@@ -388,6 +388,6 @@ We are announcing a license change to the anonymous access feature in Grafana 1 **Affected Grafana versions** -[Anonymous authentication](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/grafana/#anonymous-authentication) is disabled by default in Grafana Cloud. This licensing change only affects Grafana Enterprise (self-managed) edition. Anonymous users will be charged as active users in Grafana Enterprise. +[Anonymous authentication](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/grafana/#anonymous-authentication) is disabled by default in Grafana Cloud. This licensing change only affects Grafana Enterprise (self-managed) edition. Anonymous users will be charged as active users in Grafana Enterprise. -[Documentation](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/grafana/#anonymous-devices) +[Documentation](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/grafana/#anonymous-devices) diff --git a/docs/sources/whatsnew/whats-new-in-v11-2.md b/docs/sources/whatsnew/whats-new-in-v11-2.md index 921739746b8..ceccf569bb3 100644 --- a/docs/sources/whatsnew/whats-new-in-v11-2.md +++ b/docs/sources/whatsnew/whats-new-in-v11-2.md 
@@ -254,7 +254,7 @@ This is a longstanding feature request from the community. We collaborated with For Generic OAuth and Okta, you can configure the claim (using the `org_attribute_path` setting) that contains the organizations which the user belongs to. Other OAuth providers use the same attribute for organization mapping that is used for group mapping: Entra ID (previously Azure AD), GitLab and Google use the current user’s Groups, and GitHub uses the user’s Teams. -To configure organization mapping for your instance, please check the documentation for the OAuth provider you are using in the [Grafana documentation](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/). You can find an example of how to configure organization mapping on each OAuth provider page under the **Org roles mapping example** section. +To configure organization mapping for your instance, please check the documentation for the OAuth provider you are using in the [Grafana documentation](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/). You can find an example of how to configure organization mapping on each OAuth provider page under the **Org roles mapping example** section. ### Better SAML integration for Azure AD 
@@ -266,7 +266,7 @@ When setting up Grafana with Azure AD using the SAML protocol, the Azure AD Grap With Grafana 11.2, we offer a mechanism for setting up an application as a Service Account in Azure AD and retrieving information from Graph API. -Please refer to our [documentation](https://grafana.com/docs/grafana//setup-grafana/configure-security/configure-authentication/saml/#configure-a-graph-api-application-in-azure-ad) on how to set up an Azure AD registered application for this setup. +Please refer to our [documentation](https://grafana.com/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/#configure-a-graph-api-application-in-azure-ad) on how to set up an Azure AD registered application for this setup. ### API support for LDAP configuration diff --git a/docs/sources/whatsnew/whats-new-in-v7-0.md b/docs/sources/whatsnew/whats-new-in-v7-0.md index 50d5ddbe753..f8a2dff1665 100644 --- a/docs/sources/whatsnew/whats-new-in-v7-0.md +++ b/docs/sources/whatsnew/whats-new-in-v7-0.md 
@@ -225,11 +225,11 @@ This release includes a series of features that build on our new usage analytics ### SAML Role and Team Sync -SAML support in Grafana Enterprise is improved by adding Role and Team Sync. Read more about how to use these features in the [SAML team sync documentation](../../setup-grafana/configure-security/configure-authentication/saml/#configure-team-sync). +SAML support in Grafana Enterprise is improved by adding Role and Team Sync. Read more about how to use these features in the [SAML team sync documentation](../../setup-grafana/configure-access/configure-authentication/saml/#configure-team-sync). ### Okta OAuth Team Sync -Okta gets its own provider which adds support for Team Sync. Read more about it in the [Okta documentation](../../setup-grafana/configure-security/configure-authentication/okta/). +Okta gets its own provider which adds support for Team Sync. Read more about it in the [Okta documentation](../../setup-grafana/configure-access/configure-authentication/okta/). ## Changelog diff --git a/docs/sources/whatsnew/whats-new-in-v7-3.md b/docs/sources/whatsnew/whats-new-in-v7-3.md index 9f2f5882475..27734df4534 100644 --- a/docs/sources/whatsnew/whats-new-in-v7-3.md +++ b/docs/sources/whatsnew/whats-new-in-v7-3.md 
@@ -146,11 +146,11 @@ Insights: ### SAML single logout -SAML’s single logout (SLO) capability allows users to log out from all applications associated with the current identity provider (IdP) session established via SAML SSO. For more information, refer to the [docs](../../setup-grafana/configure-security/configure-authentication/saml/#single-logout). +SAML’s single logout (SLO) capability allows users to log out from all applications associated with the current identity provider (IdP) session established via SAML SSO. For more information, refer to the [docs](../../setup-grafana/configure-access/configure-authentication/saml/#single-logout). ### SAML IdP-initiated single sign on -IdP-initiated single sign on (SSO) allows the user to log in directly from the SAML identity provider (IdP). It is disabled by default for security reasons. For more information, refer to the [docs](../../setup-grafana/configure-security/configure-authentication/saml/#idp-initiated-single-sign-on-sso). +IdP-initiated single sign on (SSO) allows the user to log in directly from the SAML identity provider (IdP). It is disabled by default for security reasons. For more information, refer to the [docs](../../setup-grafana/configure-access/configure-authentication/saml/#idp-initiated-single-sign-on-sso). ## Changelog diff --git a/docs/sources/whatsnew/whats-new-in-v7-4.md b/docs/sources/whatsnew/whats-new-in-v7-4.md index 0d0b9cc4806..bcc8f0f31a6 100644 --- a/docs/sources/whatsnew/whats-new-in-v7-4.md +++ b/docs/sources/whatsnew/whats-new-in-v7-4.md 
@@ -211,7 +211,7 @@ For more information, refer to [Export logs of usage insights](../../setup-grafa ### New audit log events -New log out events are logged based on when a token expires or is revoked, as well as [SAML Single Logout](../../setup-grafana/configure-security/configure-authentication/saml/#single-logout). A `tokenId` field was added to all audit logs to help understand which session was logged out of. +New log out events are logged based on when a token expires or is revoked, as well as [SAML Single Logout](../../setup-grafana/configure-access/configure-authentication/saml/#single-logout). A `tokenId` field was added to all audit logs to help understand which session was logged out of. Also, a counter for audit log writing actions with status (success / failure) and logger (loki / file / console) labels was added. diff --git a/docs/sources/whatsnew/whats-new-in-v8-0.md b/docs/sources/whatsnew/whats-new-in-v8-0.md index 0d41ace7f4c..cf3792d8a48 100644 --- a/docs/sources/whatsnew/whats-new-in-v8-0.md +++ b/docs/sources/whatsnew/whats-new-in-v8-0.md 
@@ -267,11 +267,11 @@ JWT is a new authentication option in Grafana. You can now configure Grafana to accept a JWT token provided in the HTTP header. -[JWT authentication](../../setup-grafana/configure-security/configure-authentication/jwt/) was added and [Configuration](../../setup-grafana/configure-grafana/#authjwt) was updated as a result of this feature. +[JWT authentication](../../setup-grafana/configure-access/configure-authentication/jwt/) was added and [Configuration](../../setup-grafana/configure-grafana/#authjwt) was updated as a result of this feature. #### OAuth -[Generic OAuth authentication](../../setup-grafana/configure-security/configure-authentication/generic-oauth/) has been updated as a result of these changes. +[Generic OAuth authentication](../../setup-grafana/configure-access/configure-authentication/generic-oauth/) has been updated as a result of these changes. ##### Added OAuth support for empty scopes diff --git a/docs/sources/whatsnew/whats-new-in-v8-4.md b/docs/sources/whatsnew/whats-new-in-v8-4.md index 343599564cb..252f5beb8e3 100644 --- a/docs/sources/whatsnew/whats-new-in-v8-4.md +++ b/docs/sources/whatsnew/whats-new-in-v8-4.md 
@@ -130,13 +130,13 @@ Enable role-based access control by adding the term `accesscontrol` to the list #### Assign SAML users different roles in different Organizations -You can use Grafana's SAML integration to map organizations in your SAML service to [Organizations](../../setup-grafana/configure-security/configure-authentication/saml/#configure-organization-mapping) in Grafana so that users who authenticate using SAML have the right permissions. Previously, you could only choose a single role (Viewer, Editor, or Admin) for users, which would apply to all of their Organizations. Now, you can map a given SAML user or org to different roles in different Organizations, so that, for example, they can be a Viewer in one Organization and an Admin in another. +You can use Grafana SAML integration to map organizations in your SAML service to [Organizations](../../setup-grafana/configure-access/configure-authentication/saml/#configure-organization-mapping) in Grafana so that users who authenticate using SAML have the right permissions. Previously, you could only choose a single role (Viewer, Editor, or Admin) for users, which would apply to all of their Organizations. Now, you can map a given SAML user or org to different roles in different Organizations, so that, for example, they can be a Viewer in one Organization and an Admin in another. Additionally, you can now grant multiple SAML organizations access to Grafana, using the `allowed_organizations` attribute. Previously, you could only map one. {{< figure src="/static/img/docs/enterprise/8-4-SAML-auth.png" max-width="1200px" caption="Assign SAML users role" >}} -Learn more in our [SAML docs](../../setup-grafana/configure-security/configure-authentication/saml/). +Learn more in our [SAML docs](../../setup-grafana/configure-access/configure-authentication/saml/). ### Performance improvements 
diff --git a/docs/sources/whatsnew/whats-new-in-v9-1.md b/docs/sources/whatsnew/whats-new-in-v9-1.md index 839d36623a3..882cf7867dc 100644 --- a/docs/sources/whatsnew/whats-new-in-v9-1.md +++ b/docs/sources/whatsnew/whats-new-in-v9-1.md @@ -58,7 +58,7 @@ To see JWT URL embedding in action, see the [sample project](https://github.com/ You can now use GitHub OAuth2 to map users or teams to specific [Grafana organization roles](../../administration/roles-and-permissions/#organization-roles) by using `role_attribute_path` configuration option. Grafana will use [JMESPath](https://jmespath.org/examples.html) for path lookup and role mapping. -For more information, see the [documentation](../../setup-grafana/configure-security/configure-authentication/github/#map-roles). +For more information, see the [documentation](../../setup-grafana/configure-access/configure-authentication/github/#map-roles). Grafana Cloud users can access this feature by [opening a support ticket in the Cloud Portal](/profile/org#support). @@ -242,7 +242,7 @@ To learn more, see the [configuration documentation](../../setup-grafana/configu When you synchronize users from a SAML, LDAP, or OAuth provider, some user settings, such as name and email address, are synchronized from your identity provider. Previously, you could edit those settings in the Grafana UI, but they would revert back. To make user management clearer, you can now see which settings are synchronized from your identity provider, but you cannot edit those settings. -To learn more about authentication, see the [documentation](../../setup-grafana/configure-security/configure-authentication/). +To learn more about authentication, see the [documentation](../../setup-grafana/configure-access/configure-authentication/). {{< figure src="/static/img/docs/enterprise/oauth-synced-user-9-1.png" max-width="750px" caption="Non-interactive view of a user synced via OAuth" >}} 
diff --git a/docs/sources/whatsnew/whats-new-in-v9-2.md b/docs/sources/whatsnew/whats-new-in-v9-2.md index ae19c749c10..29f4614f2b0 100644 --- a/docs/sources/whatsnew/whats-new-in-v9-2.md +++ b/docs/sources/whatsnew/whats-new-in-v9-2.md @@ -205,7 +205,7 @@ _Generally available in Grafana Enterprise, Grafana Cloud Pro, and Advanced._ ### Map a user to all organizations in Grafana You can now use `*` as the Grafana organization in the mapping to add all users from a given SAML Organization to all existing Grafana organizations. -For more information, see ["Configure SAML authentication"](/docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/#configure-organization-mapping) in the documentation. +For more information, see ["Configure SAML authentication"](/docs/grafana/next/setup-grafana/configure-access/configure-authentication/saml/#configure-organization-mapping) in the documentation. ### Skip organization role sync 
@@ -215,13 +215,13 @@ If you use a SAML identity provider to manage your users but prefer to assign ro Use the `skip_org_role_sync` configuration option when configuring SAML to prevent synchronization with SAML roles and make user roles editable from within Grafana. -For more information, see the [SAML configuration documentation](/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/saml/). +For more information, see the [SAML configuration documentation](/docs/grafana//setup-grafana/configure-access/configure-authentication/saml/). ## Assign Server Admin permissions from Oauth You can now map OAuth groups and roles to Server Admin for the GitLab, GitHub, AzureAD, Okta, and Generic OAuth integrations. To enable this functionality, set the `allow_assign_grafana_admin` configuration option to `true` in the desired OAuth integration section. -For more information, see the [authentication configuration documentation](/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/) for each OAuth client. +For more information, see the [authentication configuration documentation](/docs/grafana//setup-grafana/configure-access/configure-authentication/) for each OAuth client. ## Match parameter support in prometheus labels API diff --git a/docs/sources/whatsnew/whats-new-in-v9-3.md b/docs/sources/whatsnew/whats-new-in-v9-3.md index 91981f5cf41..acf11473ed5 100644 --- a/docs/sources/whatsnew/whats-new-in-v9-3.md +++ b/docs/sources/whatsnew/whats-new-in-v9-3.md 
@@ -151,7 +151,7 @@ As part of our efforts to improve the security of Grafana, we are introducing a Because this feature introduces a breaking change, it is behind the `accessTokenExpirationCheck` feature toggle and is disabled by default. Enabling this functionality without configuring refresh tokens for the specific OAuth provider will sign users out after their access token has expired, and they would need to sign in again every time. -Complete documentation on how to configure obtaining a refresh token can be found on the [authentication configuration page](../../setup-grafana/configure-security/configure-authentication/), in the instructions for your Oauth identity provider. +Complete documentation on how to configure obtaining a refresh token can be found on the [authentication configuration page](../../setup-grafana/configure-access/configure-authentication/), in the instructions for your Oauth identity provider. ### Resolve user conflicts in Grafana's CLI @@ -181,7 +181,7 @@ If you use an LDAP directory to authenticate to Grafana but prefer to assign org or via API, you can now skip user organization role synchronization with your LDAP directory. -Use the `skip_org_role_sync` [LDAP authentication configuration option](../../setup-grafana/configure-security/configure-authentication/ldap/#disable-org-role-synchronization) +Use the `skip_org_role_sync` [LDAP authentication configuration option](../../setup-grafana/configure-access/configure-authentication/ldap/#disable-org-role-synchronization) when configuring LDAP authentication to prevent the synchronization between your LDAP groups and organization roles and make user roles editable manually. 
@@ -192,7 +192,7 @@ Generally available in all editions of Grafana If you use Azure AD OAuth2 authentication and use `SecurityEnabled` groups that you don't want Azure to embed in the authentication token, you can configure Grafana to use Microsoft's Graph API instead. -Use the [`force_use_graph_api` configuration option](../../setup-grafana/configure-security/configure-authentication/azuread/#force-fetching-groups-from-microsoft-graph-api) +Use the [`force_use_graph_api` configuration option](../../setup-grafana/configure-access/configure-authentication/azuread/#force-fetching-groups-from-microsoft-graph-api) when configuring Azure AD authentication to force Grafana to fetch groups using Graph API. ### RBAC: List token's permissions diff --git a/docs/sources/whatsnew/whats-new-in-v9-4.md b/docs/sources/whatsnew/whats-new-in-v9-4.md index 62717c01fd2..45ce56665ca 100644 --- a/docs/sources/whatsnew/whats-new-in-v9-4.md +++ b/docs/sources/whatsnew/whats-new-in-v9-4.md @@ -135,7 +135,7 @@ While Grafana integrates with many different auth providers, we have received re This option enables you to skip synchronization from your configured OAuth provider specifically in the auth provider section under `skip_org_role_sync`. Previously users could only do this for certain providers using the `oauth_skip_org_role_sync_update` option, but this would include all of the configured providers. -Learn more about Oauth in our [Oauth configuration guide](../../setup-grafana/configure-security/configure-authentication/generic-oauth/). +Learn more about Oauth in our [Oauth configuration guide](../../setup-grafana/configure-access/configure-authentication/generic-oauth/). ### RBAC support for Grafana OnCall plugin 
@@ -154,7 +154,7 @@ We've added auto-login support for SAML authentication, which you can turn on wi have a unified configuration style among all authentication providers. Instead of using `oauth_auto_login`, use the new `auto_login` option to enable automatic login for specific OAuth providers. -Learn more about SAML setup in our [SAML configuration guide](../../setup-grafana/configure-security/configure-authentication/saml/). +Learn more about SAML setup in our [SAML configuration guide](../../setup-grafana/configure-access/configure-authentication/saml/). ## Auditing and Usage Insights: Support for Loki multi-tenancy
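Review bot: in docs/sources/whatsnew/whats-new-in-v10-2.md, hunk `@@ -459,7 +459,7 @@`, the rewritten Google Authentication link still starts with `http://grafana.com/`, while the other absolute grafana.com links touched in this patch use `https://`. The line is already being changed, so switch the scheme to `https://` in the same edit; a documentation link about authentication setup should not start on plaintext HTTP.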
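Review bot: in docs/sources/whatsnew/whats-new-in-v10-2.md, hunk `@@ -471,7 +471,7 @@`, the changed line ends with two periods: one inside the link text (`[the documentation of the particular OAuth provider.]`) and one after the closing parenthesis. Drop the period from inside the brackets so the sentence ends once, after the link.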
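Review bot: in docs/sources/whatsnew/whats-new-in-v10-4.md, hunk `@@ -219,7 +219,7 @@`, the `[Documentation]` link has its path segment updated to `configure-access` but still points at `/docs/grafana/next/`, whereas the neighbouring what's-new pages in this patch use the `/docs/grafana//` form. Either align this link with the others or state in the commit message why a v10.4 release page should keep linking to the `next` docs for authentication configuration.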
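Review bot: in docs/sources/whatsnew/whats-new-in-v8-4.md, hunk `@@ -130,13 +130,13 @@`, the first changed line also rewrites "Grafana's SAML integration" to "Grafana SAML integration", which leaves "You can use Grafana SAML integration to map organizations" without an article. If the possessive is being removed on purpose, write "the Grafana SAML integration"; otherwise keep the original wording so this hunk stays a pure link-path change.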
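Review bot: in docs/sources/whatsnew/whats-new-in-v9-2.md, hunk `@@ -205,7 +205,7 @@`, the "Configure SAML authentication" link keeps the `/docs/grafana/next/` prefix, while the following hunk in the same file (`@@ -215,13 +215,13 @@`) replaces `/docs/grafana/latest/` with `/docs/grafana//` on both of its links. Use the same prefix for all three links in this file so the organization-mapping reference resolves against the same docs version as the `skip_org_role_sync` and `allow_assign_grafana_admin` references.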
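Review bot: in docs/sources/whatsnew/whats-new-in-v9-4.md, hunk `@@ -135,7 +135,7 @@`, the changed line spells the protocol "Oauth" twice ("Learn more about Oauth in our [Oauth configuration guide]"), while the context lines of the same hunk use "OAuth". Fix the casing while the line is being edited, and consider naming the link "Generic OAuth configuration guide", since the target is the `generic-oauth/` page rather than a guide covering every provider.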