Grafana - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk.
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Grafana using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization.
To set up Multi-Pass with Grafana, ensure you meet the following requirements:
- Grafana admin rights
- MPAS Admin rights
- Make sure that all users intended to use SSO in Grafana are registered in your IdP and have the necessary permissions to access Grafana.
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.
Step 1 - Grafana Configuration (Service Provider)
- Sign in to Grafana as an administrator.
- Go to Administration, then click on Authentication.
- Select SAML and enable SAML Authentication.
- In Service Provider, note the values below (you will need them in MPAS):
Field | Value |
---|---|
SP Entity ID | grafana-saml (or a custom value). Some setups use the metadata URL: https://<grafana-domain>/saml/metadata |
Assertion Consumer Service (ACS) URL | https://<grafana-domain>/login/saml |
SP Metadata URL | https://<grafana-domain>/saml/metadata (optional to share with MPAS) |
Single Logout URL (optional) | (optional) |
- In Identity Provider (IdP) Settings, provide MPAS details when available:
- IdP Metadata URL or upload the IdP Metadata XML from MPAS
- IdP Entity ID, SSO URL, and X.509 Certificate (PEM)
- Save configuration.
Step 2 - Multi-Pass (MPAS) Configuration (Identity Provider)
- Open the Multi-Pass Dashboard.
- Select your tenant, then on the left click on Integrations and then on Applications.
- Scroll to select SAML
- Fill in the SAML app using the Grafana SP values:
Field | Value |
---|---|
SP Entity ID | grafana-saml (or a custom value). Some setups use the metadata URL: https://<grafana-domain>/saml/metadata |
Name | For example "Grafana" |
Description | For example "SSO integration" |
Assertion Consumer Service (ACS) URL | https://<grafana-domain>/login/saml |
SP Metadata URL | https://<grafana-domain>/saml/metadata |
- Alternatively, click "upload" in the top-right corner of the form and add the Grafana metadata, which you can find at:
- https://<grafana-domain>/saml/metadata
- Now click on add integration.
- Move to the advanced console by clicking on "Advanced console" on the right side.
- Click on Client and use the search bar to find Grafana
- Make sure all the fields are completed:
General access
Access Settings
SAML Capabilities
Field | Value |
---|---|
Name ID format | email |
Force name ID format | On |
Force POST binding | On |
Include AuthnStatement | On |
Signature and Encryption
Field | Value |
---|---|
Sign Assertions | On |
Sign Documents | Off |
- Move to the tab called "keys" and make sure that both parameters are switched to OFF.
- Move to the tab "advanced".
- Set both Assertion Consumer Service POST Binding URL and Valid redirect URIs to https://<grafana-domain>/login/saml
- Under Client Scopes / Mappers, add user attribute mappers if needed:
- username → SAML Attribute username
- email → SAML Attribute email
- firstName / lastName → SAML Attributes firstName / lastName
- groups → SAML Attribute groups
Attribute Mapping
MPAS Attribute | Grafana Mapping |
---|---|
username | NameID / assertion_attribute_login |
email | assertion_attribute_email (recommended) |
firstName + lastName | assertion_attribute_name (ex: “FirstName LastName”) |
groups | assertion_attribute_groups (for role/team mapping in Grafana) |
Test & Troubleshooting
- From Grafana login page, initiate SSO and verify redirection to MPAS, then back to Grafana.
- Check that the created user in Grafana has the expected login/email/name and (optionally) groups.
If login fails, verify:
- SP Entity ID and ACS URL match between Grafana and MPAS
- X.509 certificate (PEM) validity
- NameID format consistency (username vs email)
- Bindings (POST) and signing options
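The Entity ID, ACS URL, binding and NameID checks above can be run against the SP metadata Grafana serves at /saml/metadata. The following is an added example, not part of the original guide or of Grafana or MPAS code. The sample XML, the grafana.example.com domain and the function names are constructed for illustration, and certificate validity is not covered.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample standing in for https://<grafana-domain>/saml/metadata
# (grafana.example.com is a placeholder domain).
SAMPLE_SP_METADATA = f"""<EntityDescriptor xmlns="{MD}"
    entityID="https://grafana.example.com/saml/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>{EMAIL_NAMEID}</NameIDFormat>
    <AssertionConsumerService index="1" Binding="{POST_BINDING}"
        Location="https://grafana.example.com/login/saml"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract the SP values that must be mirrored on the IdP side."""
    root = ET.fromstring(xml_text)
    entity = root if root.tag == f"{{{MD}}}EntityDescriptor" else root.find("md:EntityDescriptor", NS)
    sp = entity.find("md:SPSSODescriptor", NS) if entity is not None else None
    if sp is None:
        raise ValueError("no SPSSODescriptor found in metadata")
    return {
        "entity_id": entity.get("entityID", ""),
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall("md:AssertionConsumerService", NS)],
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text],
    }


def _diff(label, sp_value, idp_value):
    # Exact string comparison: these values are case sensitive.
    if sp_value == idp_value:
        return []
    hint = " (differs only by letter case)" if sp_value.lower() == idp_value.lower() else ""
    return [f"{label} mismatch{hint}: SP={sp_value!r} IdP={idp_value!r}"]


def check_against_idp(sp, idp_entity_id, idp_acs_url, idp_nameid=EMAIL_NAMEID):
    """Return mismatches between the SP metadata and the values entered in the IdP."""
    problems = _diff("SP Entity ID", sp["entity_id"], idp_entity_id)
    post_urls = [loc for binding, loc in sp["acs"] if binding == POST_BINDING]
    if not post_urls:
        problems.append("SP metadata advertises no HTTP-POST ACS endpoint")
    elif idp_acs_url not in post_urls:
        problems += _diff("ACS URL", post_urls[0], idp_acs_url)
    if sp["nameid_formats"] and idp_nameid not in sp["nameid_formats"]:
        problems.append(f"NameID format {idp_nameid!r} not offered by the SP")
    return problems
```

Pass the XML downloaded from your own Grafana instance to `parse_sp_metadata`, then call `check_against_idp` with the SP Entity ID and ACS URL exactly as typed into the MPAS SAML application; an empty list means the values agree.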