By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Grafana + SAML failure: Failed to save the SAML received information

1

I tried setting up Managed Grafana, and used our corporate Active Directory as the IdP. As far as anyone can tell, the request to AD is authorized; the AD logs show that it succeds. I click on "Sign in with SAML", go through the AD login with 2FA, but the grafana login fails with the message "Failed to save the SAML received information" SAML failure.

Looking at the Network tab of the developer tools, the failure is in "writer", whatever that is: Request URL: https://g-4214ebe32a.grafana-workspace.us-east-2.amazonaws.com/api/recording-rules/writer Request Method: GET Status Code: 401 Unauthorized Remote Address: 3.137.70.86:443 Referrer Policy: strict-origin-when-cross-origin

As far as I can tell, I have followed https://aws.amazon.com/blogs/mt/amazon-managed-grafana-supports-direct-saml-integration-with-identity-providers/ to the letter. https://docs.aws.amazon.com/grafana/latest/userguide/security_iam_troubleshoot.html is not of any help either.

I have many skills, but Microsoft AD magic spells is not one of them. Help?

Thanks,

/ji

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
Security, Identity, & ComplianceAmazon Grafana
Language
English
ji
asked 10 months ago1013 views
2 Answers
0

Am I correct that you are using Azure Active Directory?
Have you reviewed the following documents?
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-managed-grafana-tutorial

Basically, if you have followed the steps in the following document, there should be no problem on the AWS side.
https://docs.aws.amazon.com/grafana/latest/userguide/AMG-SAML-providers-Azure.html

profile picture
EXPERT
Riku_Kobayashi
answered 10 months ago
  • ji
    9 months ago

    I am following the instructions to the letter. I looked at the browser (Chrome) developer tools, and what is failing is a call to https://g-XXXXXXXXXX.grafana-workspace.us-east-1.amazonaws.com/api/recording-rules/writer with the following information:

    Request Method:
GET
Status Code:
401 Unauthorized
Remote Address:
44.197.41.214:443

    The role under which grafana is running has grafana:* in the actions, and "*" in the resources! How much more permissive can it get?

0

Hello @ji I'm having the same issue did you solved your issue?

mt
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content