AWS Open Source Blog

Integrating identity providers, such as OneLogin, Ping Identity, Okta, and Azure AD, to SSO into Amazon Managed Grafana

November 8, 2022: This blog post was written prior to AWS renaming AWS Single Sign-On. The new name is AWS IAM Identity Center (successor to AWS Single Sign-On). Please consider all references, in this blog, to AWS Single Sign-On or AWS SSO as being AWS IAM Identity Center.

September 8, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service. Visit the website to learn more.

In December 2020, AWS announced Amazon Managed Grafana, a fully managed service that is developed together with Grafana Labs and based on open source Grafana. Enhanced with enterprise capabilities, Amazon Managed Grafana makes it easier to visualize and analyze operational data at scale. In the blog post Amazon Managed Grafana – Getting Started, we also explained how Amazon Managed Grafana can be used with various data sources, such as Amazon CloudWatch, Amazon Elasticsearch Service (Amazon ES), Amazon Timestream, AWS IoT SiteWise, AWS X-Ray, and Amazon Managed Service for Prometheus (AMP).

Amazon Managed Grafana supports a single sign-on experience with AWS Single Sign-On (AWS SSO) authentication. External identity providers (IDP), such as OneLogin, Ping Identity, Okta, and Azure Active Directory (Azure AD), can be integrated with AWS SSO to verify login identity for Amazon Managed Grafana. Users are given access to Amazon Managed Grafana via a unique login URL that directly navigates into the environment, and they can sign in with their existing corporate credentials. Administrators can continue to manage users and groups in their existing identity systems, which can be seamlessly synchronized with AWS SSO by using System for Cross Domain Identity Management (SCIM).

In this blog post, we explain how to integrate external identity providers, such as OneLogin, Ping Identity, Okta and Azure AD, with Amazon Managed Grafana, which enables a single sign-on into an Amazon Managed Grafana environment via AWS SSO. We also demonstrate the AWS SSO experience for system administrators and Amazon Managed Grafana users.

Solution overview

By integrating existing identity providers with Amazon Managed Grafana, users within an organization who don’t have access to the AWS Management Console can access Amazon Managed Grafana dashboards that query metrics and logs from a variety of data sources, including Amazon CloudWatch, Amazon Managed Service for Prometheus, AWS IoT SiteWise, Amazon Elasticsearch Service, Amazon Timestream, AWS X-Ray, and others. This allows organizations to enforce existing login security requirements, such as two-factor authentication and password complexity, without having to make drastic changes.

Flow chart showing User, AMG console, AMG worspace, AWS SSO, and IDP Login page

Prerequisites

To follow this walkthrough, you must have the following:

Setup

For demonstrating this scenario, we will be referencing Okta, but we have successfully tested the similar integration with OneLogin and Azure AD to achieve the desired end goal.

Step 1: Set up the AWS Application in Okta.

Via the Okta console, log into the account as an admin and add the AWS SSO app.

Okta login screen

Navigate to Sign On and download and save the Identity Provider Metadata as okta-aws.xml.

Download the Identity Provider metadata

Step 2: Enable AWS SSO and set up SCIM (optional).

On the AWS console, navigate to the AWS SSO service. Enable AWS SSO if it is not already enabled. AWS SSO provides support for the System for Cross-domain Identity Management (SCIM) v2.0 standard. SCIM keeps AWS SSO identities in sync with identities from IDP, which includes any provisioning, updates, and deprovisioning of users between IDP and AWS SSO. Using SCIM integration saves IT and admin teams the time and effort of implementing custom solutions to cross-replicate user names and email addresses between AWS SSO and IDPs.

Navigate to Settings and change the Identity source from the default AWS SSO by clicking Change and choose External identity provider.

Select Change to change the identity source

Using the Okta Metadata XML downloaded previously, browse and upload IdP SAML metadata in the Identity provider SAML metadata section.

Using the Okta Metadata XML downloaded previously, browse and upload IdP SAML metadata in the Identity provider SAML metadata section.

Change the provisioning from Manual to SCIM by clicking the Enable automatic provisioning.

Change the provisioning from Manual to SCIM by clicking the Enable automatic provisioning.

Copy the SCIM endpoint (also known as the SCIM Base URL) and the Access token (also known as a SCIM Bearer token).

Copy the SCIM endpoint (also known as the SCIM Base URL) and the Access token (also known as a SCIM Bearer token).

Select View details in the Authentication SAML 2.0 part and copy the AWS SSO ACS URL and AWS SSO issuer URL. Having gathered these four pieces of information, now it’s time to go to Okta (or your IDP) to finalize the integration.

Step 3: Establish SAML authentication between Okta (IDP) and AWS SSO.

Log back into the Okta portal (as admin) and into the previously configured AWS SSO app. Select Sign On and enter the AWS SSO issuer URL and AWS SSO ACS URL details gathered from AWS SSO in the previous section.

Select Sign On and enter the AWS SSO issuer URL and AWS SSO ACS URL details gathered from AWS SSO in the previous section.

Next, select Provisioning under Settings, navigate to To App and check the boxes for enable Create Users, Update User Attributes, Deactivate users, and Save. This is important for SCIM integration to work.

Next, select Integration under Settings, Edit, Enable API Integration, and set up the SCIM Integration by :

  • Pasting the previously gathered SCIM Endpoint for Base URL and Access Token for API Token, respectively.
  • Select Test API Credentials and, if the integration is set up correctly, a message that says Provisioning Certification: Okta Verified is shown.

Select Test API Credentials and, if the integration is set up correctly, a message that says Okta Verified is shown.

Step 4: Assign and sync users from Okta to AWS SSO to access Amazon Managed Grafana.

In the Okta portal, navigate to Assignments under the AWS Single Sign-On and assign the users in the organization who should have access to Amazon Managed Grafana.

In the Okta portal, navigate to Assignments under the AWS Single Sign-On and assign the users in the organization who should have access to AMG.

Verify whether a user or group has synced into AWS SSO via SCIM by logging into AWS SSO service via the AWS Console.

Verify whether this user or group has synced into AWS SSO via SCIM by logging into AWS SSO service via the AWS Console.

Step 5: Create Amazon Managed Grafana Workspace and assign users created via the identity provider.

We can spin up on-demand, autoscaled Grafana workspaces (virtual Grafana servers) that enable us to create unified dashboards across multiple data sources. In the following instructions, we use the AWS console to walk through the required steps and comment on what to consider when performing each step.

Navigate to AWS Grafana on the AWS account. After selecting the Create new workspace option in the right upper corner of the Amazon Managed Grafana console landing page, name the new workspace and add a description (optional).

After selecting the "Create new workspace" option in the right upper corner of the AMG console landing page, name the new workspace and add a description

Next configure the settings to use AWS Single Sign-On and under service managed permission settings, choose service managed permission type (because we intend to use external IDP integration with Amazon Managed Grafana), and select the data sources as per your requirement.

Next configure the settings to use AWS Single Sign-On and under service managed permission settings, choose service managed permission type (because we intend to use external IDP integration with AMG), and select the data sources as per your requirement.

Once the Amazon Managed Grafana workspace is created, select Assign user to assign the user you had provisioned via Okta into AWS SSO. Also take note of the Grafana workspace URL.

Once the AMG workspace is created, select Assign user to assign the user you had provisioned via Okta into AWS SSO. Also take note of the Grafana workspace URL.

Here we are assigning the user to Amazon Managed Grafana, which we previously created through our Okta – AWS SSO SCIM integration.

Here we are assigning the user to AMG, which we previously created through our Okta - AWS SSO SCIM integration.

To verify, we can navigate to AWS SSO service and Applications to view the Amazon Grafana application. Now the set up, including user and application provisioning, is complete. Let’s proceed to access the Amazon Managed Grafana workspace.

To verify, we can navigate to AWS SSO service and Applications to view the AMG app.

Step 6: Access the Amazon Managed Grafana workspace.

We can access Amazon Managed Grafana in one of three ways:

1. Start from the Okta user portal, select the AWS SSO application, and choose Amazon Grafana.

Start from the Okta user portal, select the AWS SSO application, and choose Amazon Grafana.

2. Start from the AWS SSO user portal (the URL is on the AWS SSO Settings page), redirect to Okta login page, and choose Amazon Grafana.

Start from the AWS SSO user portal (the URL is on the AWS SSO Settings page), redirect to Okta login page, and choose Amazon Grafana.

3. Bookmark the Grafana Workspace URL (the URL is on the Amazon Managed Grafana service).

Bookmark the Grafana Workspace URL (the URL is on the AMG service).

The page redirects automatically to the Okta login page.

the Okta login page

After entering credentials, we are then authenticated into Amazon Managed Grafana environment.

After entering credentials, we are then authenticated into AMG environment.

Conclusion

In this blog post, we walked through how to integrate your identity provider (IDP) with Amazon Managed Grafana. We also explained how to assign users via your IDP so that your users can seamlessly authenticate into the Amazon Managed Grafana environment to visualize and monitor your workloads and logs. Administrators can now use a single source of truth to manage their users, and users no longer need to manage an additional identity and password to sign in to their AWS accounts and applications.

Sunil Ramachandra

Sunil Ramachandra

Sunil is a Senior Solutions Architect enabling hyper-growth SaaS ISVs to innovate and accelerate on AWS. He partners with customers to design highly scalable and resilient cloud architectures. When not collaborating with customers, Sunil enjoys spending time with family, running, meditating, and watching Prime Video.

Imaya Kumar Jagannathan

Imaya Kumar Jagannathan

Imaya Kumar Jagannathan is a Principal Solution Architect focused on AWS Observability services including Amazon CloudWatch, AWS X-Ray, Amazon Managed Service for Prometheus, Amazon Managed Grafana and AWS Distro for Open Telemetry. He is passionate about monitoring and observability and has a strong application development and architecture background. He likes working on distributed systems and is excited to talk about microservice architecture design. He loves programming in C#, working with containers and serverless technologies. LinkedIn: /imaya.