Manages Grafana SSO Settings for OAuth2 and SAML. Support for SAML is currently in preview; it will be available in Grafana Enterprise starting with v11.1.
Example Usage

```terraform
resource "grafana_sso_settings" "github_sso_settings" {
  provider_name = "github"

  oauth2_settings {
    client_id             = "github_client_id"
    client_secret         = "github_client_secret"
    team_ids              = "12,50,123"
    allowed_organizations = "organization1,organization2"
  }
}
```
Schema

Required:

provider_name
(String) The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.

Optional:

oauth2_settings
(Block Set, Max: 1) The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers. (see below for nested schema)

saml_settings
(Block Set, Max: 1) The SAML settings set. Required for the saml provider. (see below for nested schema)

Read-Only:

id
(String) The ID of this resource.

Nested Schema for oauth2_settings
Required:
client_id
(String) The client ID of your OAuth2 app.

Optional:

allow_assign_grafana_admin
(Boolean) If enabled, it will automatically sync the Grafana server administrator role.

allow_sign_up
(Boolean) If not enabled, only existing Grafana users can log in using OAuth.

allowed_domains
(String) List of comma- or space-separated domains. The user should belong to at least one domain to log in.

allowed_groups
(String) List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.

allowed_organizations
(String) List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.

api_url
(String) The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.

auth_style
(String) Determines how client_id and client_secret are sent to the OAuth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.

auth_url
(String) The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.

auto_login
(Boolean) Log in automatically, skipping the login screen.

client_secret
(String, Sensitive) The client secret of your OAuth2 app.

custom
(Map of String) Custom fields to configure for OAuth2, such as the force_use_graph_api field.

define_allowed_groups
(Boolean) Define allowed groups.

define_allowed_teams_ids
(Boolean) Define allowed team IDs.

email_attribute_name
(String) Name of the key to use for user email lookup within the attributes map of the OAuth2 ID token. Only applicable to Generic OAuth.

email_attribute_path
(String) JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.

empty_scopes
(Boolean) If enabled, no scopes will be sent to the OAuth2 provider.

enabled
(Boolean) Define whether this configuration is enabled for the specified provider. Defaults to true.

groups_attribute_path
(String) JMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.

id_token_attribute_name
(String) The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.

login_attribute_path
(String) JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.

name
(String) Helpful if you use more than one identity provider or SSO protocol.

name_attribute_path
(String) JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user's display name. Only applicable to Generic OAuth.

role_attribute_path
(String) JMESPath expression to use for Grafana role lookup.

role_attribute_strict
(Boolean) If enabled, denies user login if the Grafana role cannot be extracted using role_attribute_path.

scopes
(String) List of comma- or space-separated OAuth2 scopes.

signout_redirect_url
(String) The URL to redirect the user to after signing out from Grafana.

skip_org_role_sync
(Boolean) Prevent synchronizing users' organization roles from your IdP.

team_ids
(String) String list of Team IDs. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.

team_ids_attribute_path
(String) The JMESPath expression to use for Grafana Team ID lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.

teams_url
(String) The URL used to query for Team IDs. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.

tls_client_ca
(String) The path to the trusted certificate authority list. Not applicable on Grafana Cloud.

tls_client_cert
(String) The path to the certificate. Not applicable on Grafana Cloud.

tls_client_key
(String) The path to the key. Not applicable on Grafana Cloud.

tls_skip_verify_insecure
(Boolean) If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.

token_url
(String) The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.

use_pkce
(Boolean) If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.

use_refresh_token
(Boolean) If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.

Nested Schema for saml_settings
Optional:
allow_idp_initiated
(Boolean) Whether SAML IdP-initiated login is allowed.

allow_sign_up
(Boolean) Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.

allowed_organizations
(String) List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.

assertion_attribute_email
(String) Friendly name or name of the attribute within the SAML assertion to use as the user email.

assertion_attribute_groups
(String) Friendly name or name of the attribute within the SAML assertion to use as the user groups.

assertion_attribute_login
(String) Friendly name or name of the attribute within the SAML assertion to use as the user login handle.

assertion_attribute_name
(String) Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.

assertion_attribute_org
(String) Friendly name or name of the attribute within the SAML assertion to use as the user organization.

assertion_attribute_role
(String) Friendly name or name of the attribute within the SAML assertion to use as the user roles.

auto_login
(Boolean) Whether SAML auto login is enabled.

certificate
(String, Sensitive) Base64-encoded string for the SP X.509 certificate.

certificate_path
(String) Path for the SP X.509 certificate.

enabled
(Boolean) Define whether this configuration is enabled for SAML. Defaults to true.

idp_metadata
(String) Base64-encoded string for the IdP SAML metadata XML.

idp_metadata_path
(String) Path for the IdP SAML metadata XML.

idp_metadata_url
(String) URL for the IdP SAML metadata XML.

max_issue_delay
(String) Duration after the IdP issued a response during which the SP is allowed to process it. For example: 90s, 1h.

metadata_valid_duration
(String) Duration for which the SP metadata is valid. For example: 48h, 5d.

name
(String) Name used to refer to the SAML authentication.

name_id_format
(String) The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient

org_mapping
(String) List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning "All users". Role is optional and can have the following values: Viewer, Editor or Admin.

private_key
(String, Sensitive) Base64-encoded string for the SP private key.

private_key_path
(String) Path for the SP private key.

relay_state
(String) Relay state for IdP-initiated login. Should match the relay state configured in the IdP.

role_values_admin
(String) List of comma- or space-separated roles which will be mapped into the Admin role.

role_values_editor
(String) List of comma- or space-separated roles which will be mapped into the Editor role.

role_values_grafana_admin
(String) List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.

role_values_none
(String) List of comma- or space-separated roles which will be mapped into the None role.

signature_algorithm
(String) Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.

single_logout
(Boolean) Whether SAML Single Logout is enabled.

skip_org_role_sync
(Boolean) Prevent synchronizing users' organization roles from your IdP.

Import

Import is supported using the following syntax:
```shell
terraform import grafana_sso_settings.name "{{ provider }}"
terraform import grafana_sso_settings.name "{{ orgID }}:{{ provider }}"
```
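The following is an added example and is not part of the provider documentation. It puts the cross-field requirements of the oauth2_settings schema (api_url, auth_url and token_url for generic_oauth; allowed_groups together with groups_attribute_path; role_attribute_strict with a role_attribute_path) and of the saml_settings schema (SP certificate and key, org_mapping in Organization:OrgId:Role form, role_values_* mapping) into one configuration. The hostnames, variable names, file path, group and attribute names, and the JMESPath role expression are all assumptions chosen for the example; the saml resource additionally needs the Grafana Enterprise support noted at the top of this page.

```terraform
# Added example, not from the provider documentation. Endpoints, variable
# names, attribute names, group names and the file path are placeholders.
variable "oauth_client_secret" {
  type      = string
  sensitive = true   # kept out of plan output instead of being hard-coded
}

variable "saml_sp_private_key" {
  type      = string
  sensitive = true   # base64-encoded SP private key
}

resource "grafana_sso_settings" "generic_oauth" {
  provider_name = "generic_oauth"

  oauth2_settings {
    name          = "Example IdP"
    client_id     = "example-client-id"
    client_secret = var.oauth_client_secret
    # auth_url, token_url and api_url are all required for generic_oauth.
    auth_url  = "https://idp.example.com/oauth2/authorize"
    token_url = "https://idp.example.com/oauth2/token"
    api_url   = "https://idp.example.com/oauth2/userinfo"
    scopes    = "openid email profile groups"

    # PKCE binds the authorization code to this client.
    use_pkce = true
    # Certificate and host name verification stay on; the insecure flag is for testing only.
    tls_skip_verify_insecure = false

    # allowed_groups is only honoured together with groups_attribute_path.
    groups_attribute_path = "groups"
    allowed_groups        = "grafana-admins,grafana-editors"

    # Derive the Grafana role from the IdP groups. With role_attribute_strict
    # set, a user for whom the expression yields no role is refused login.
    role_attribute_path   = "contains(groups[*], 'grafana-admins') && 'Admin' || contains(groups[*], 'grafana-editors') && 'Editor'"
    role_attribute_strict = true

    allow_sign_up              = true
    allow_assign_grafana_admin = false   # server admin is not granted from the IdP
    auto_login                 = false
  }
}

resource "grafana_sso_settings" "saml" {
  provider_name = "saml"

  saml_settings {
    name             = "Corporate SAML"
    idp_metadata_url = "https://idp.example.com/saml/metadata"
    # certificate and private_key take base64 strings, so the PEM file is encoded here.
    certificate = filebase64("${path.module}/sp-cert.pem")
    private_key = var.saml_sp_private_key

    signature_algorithm     = "rsa-sha256"   # rsa-sha256 rather than rsa-sha1
    name_id_format          = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    max_issue_delay         = "90s"   # responses older than this are not processed
    metadata_valid_duration = "48h"

    # Attribute names as they appear in the IdP's assertion (assumed).
    assertion_attribute_login  = "login"
    assertion_attribute_email  = "mail"
    assertion_attribute_name   = "displayName"
    assertion_attribute_groups = "groups"
    assertion_attribute_role   = "role"
    assertion_attribute_org    = "org"

    # Organization:OrgId:Role; "*" matches all users and gives them Viewer in org 1.
    allowed_organizations = "engineering,security"
    org_mapping           = "engineering:1:Editor,security:2:Admin,*:1:Viewer"

    # Values of the role attribute mapped onto Grafana roles.
    role_values_grafana_admin = "grafana-superadmin"
    role_values_admin         = "grafana-admin"
    role_values_editor        = "grafana-editor"
    role_values_none          = "grafana-none"

    allow_idp_initiated = false   # only SP-initiated logins; relay_state not needed
    allow_sign_up       = true
    single_logout       = true
  }
}
```

Both resources keep the secret material in sensitive variables or files rather than in the configuration itself, and each enables only the options that the schema above ties together: omitting groups_attribute_path, teams_url or team_ids_attribute_path while setting their counterparts would leave the group or team restriction ineffective.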