I tried setting up Managed Grafana, and used our corporate Active Directory as the IdP. As far as anyone can tell, the request to AD is authorized; the AD logs show that it succeeds. I click on "Sign in with SAML", go through the AD login with 2FA, but the Grafana login fails with the SAML failure message "Failed to save the SAML received information".
Looking at the Network tab of the developer tools, the failure is in "writer", whatever that is:
Request URL: https://g-4214ebe32a.grafana-workspace.us-east-2.amazonaws.com/api/recording-rules/writer
Request Method: GET
Status Code: 401 Unauthorized
Remote Address: 3.137.70.86:443
Referrer Policy: strict-origin-when-cross-origin
As far as I can tell, I have followed https://aws.amazon.com/blogs/mt/amazon-managed-grafana-supports-direct-saml-integration-with-identity-providers/ to the letter. https://docs.aws.amazon.com/grafana/latest/userguide/security_iam_troubleshoot.html is not of any help either.
I have many skills, but Microsoft AD magic spells is not one of them. Help?
Thanks,
/ji
I am following the instructions to the letter. I looked at the browser (Chrome) developer tools, and what is failing is a call to
https://g-XXXXXXXXXX.grafana-workspace.us-east-1.amazonaws.com/api/recording-rules/writer
with the following information: The role under which Grafana is running has
grafana:*
in the actions, and
"*"
in the resources! How much more permissive can it get?