
I'm looking for a solution to the following problem. I've configured an AWS Managed Grafana workspace to work with Google's G Suite SSO as a custom SAML 2.0 authentication provider according to step 14 of these AWS directions. When I try to log in to the managed AWS Grafana workspace I get the following error:

Failed to save the SAML received information

I've worked with Google support, and they assure me everything is set up correctly on their side. When using the Test SAML logon feature on the Web Application portal in G Suite I get this error:

corresponding relay state is not found: https://...

Note: Grafana is not in G Suite's Pre-Integrated SAML Apps Catalog. Also, OAuth is not an option in Amazon's managed Grafana for authentication.

  • It is not clear from the description who/what generates the error `Failed to save the SAML received information`. Debug logs are also missing. – Jan Garaj Sep 24 '21 at 07:49
  • It's a managed application, there are no debug logs available. The error message is from Grafana. – Micheletto Sep 28 '21 at 14:54
  • AMG is supported by AWS, so contact your AWS support. SAML SSO is an enterprise feature, so source code for this feature is not available, so it is hard to find the root cause of the `Failed to save the SAML received information` error. – Jan Garaj Sep 28 '21 at 16:32
  • SAML SSO is not an enterprise feature in AWS managed Grafana. – Micheletto Sep 28 '21 at 21:07
  • SAML SSO is a Grafana Enterprise feature - you can't find source code for this feature in https://github.com/grafana/grafana, so anything is just a blind guess to find what the problem is. – Jan Garaj Sep 28 '21 at 21:14
  • Yep, I looked there too. Better news is the problem is solved: See Answer. Also in AWS Managed Grafana SAML is available without a Grafana Enterprise subscription. – Micheletto Sep 30 '21 at 13:30

2 Answers

The problem was solved by unchecking the Signed Response checkbox in the G Suite Application console. The relevant AWS recipe is here.


There are two issues.

AWS Grafana does not support logging in from the IdP (identity provider) itself. So the link from Google Workspace will not sign you in. Login only works from the AWS Grafana landing page.

The 'Failed to Receive SAML' is due to a SAML attribute mixup. I had to manually set attribute mappings on both the Google Workspace SAML App configuration, as well as in the Grafana SAML configuration. There is a minimum set of attributes that needs to be mapped for it to work. (I set name, login (username), and email, which seemed to make it work)
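Both answers come down to what the IdP actually puts in the SAML Response: whether the Response and/or Assertion carry a signature (the first answer's "Signed Response" checkbox), and which attribute names the AttributeStatement uses versus the names Grafana is configured to read (the second answer's "attribute mixup"). The inspector below is an added example for this thread, not AWS, Google or Grafana code. It parses a SAML Response captured from the browser (the sample here is constructed, with placeholder signature values and a made-up ACS URL) and reports exactly those two things; the expected attribute names `name`, `login` and `email` are an assumption mirroring the mappings described above.

```python
"""Inspect a SAML 2.0 Response the way an admin debugging
"Failed to save the SAML received information" would: report which
parts are signed and which attributes the IdP sent, then compare the
attribute names against what Grafana's SAML settings expect.

Added example for this thread; not AWS, Google or Grafana code. The
sample Response is constructed (placeholder signatures, made-up ACS URL).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a Response that is itself signed AND carries a
# signed Assertion. The attribute names deliberately differ from the
# ones Grafana is assumed to expect, to reproduce the mixup.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0"
    Destination="https://workspace.example.invalid/saml/acs">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="displayName">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Assumed Grafana-side mapping: Grafana field -> attribute name it reads.
# Mirrors the name / login / email mappings described in the answer.
EXPECTED = {"name": "name", "login": "login", "email": "email"}


def inspect_response(xml_text):
    """Return signing status, destination, NameID and the attributes sent."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    attrs = {}
    if assertion is not None:
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            values = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            attrs[a.get("Name")] = values
    return {
        # A signature directly under <Response> is what the IdP-side
        # "Signed Response" option controls; the Assertion is signed separately.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        "destination": root.get("Destination"),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
        if assertion is not None else None,
        "attributes": attrs,
    }


def missing_mappings(report, expected=EXPECTED):
    """Grafana fields whose configured attribute name is absent from the
    Response: a non-empty list is the 'attribute mixup' from the answer."""
    sent = report["attributes"]
    return sorted(field for field, attr in expected.items() if attr not in sent)


if __name__ == "__main__":
    report = inspect_response(SAMPLE_RESPONSE)
    print("response signed:", report["response_signed"])
    print("assertion signed:", report["assertion_signed"])
    print("attributes sent:", sorted(report["attributes"]))
    print("unmapped Grafana fields:", missing_mappings(report))
```

Run it against a Response captured from the browser's SAML tracer (base64-decode the `SAMLResponse` form field first). If `missing_mappings` is non-empty, either rename the attributes in the Google Workspace app or change the attribute names in the Grafana SAML settings until the two sides agree, which is the fix the second answer describes.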