Unable to integrate Amazon Managed Grafana on Azure

Question

Hello everyone,I am struggling here with Amazon Managed Grafana on Azure (the one available on Gallery).Have checked https://learn.microsoft.com/en-us/entra/identity/saas-apps/amazon-managed-grafana-tutorialand https://docs.aws.amazon.com/grafana/latest/userguide/AMG-SAML-providers-Azure.html#:~:text=mail%20is%20set%20with%20user.userprincipalname. and isn't clear regarding assertion mappings.Currently we are able to reach this error, when logging in with a user that do part of a group that was included on that AMG app in Azure (have test with another user account not there and gets blocked):From Entra ID sign in logs, is all good.So I think that could be related with AWS side, mostly assertion attributes that I have tried with what I have on Attributes &amp; Claims on Azure app, but no luck :(.What I have on Azure app:What I have on AMG:&nbsp;

kidd_ip · Answer

I did try below, hope it works for your case:
&nbsp;

Verify Assertion Attributes:

Ensure that the attributes in the Attributes &amp; Claims section of your Azure app match the expected attributes on the AMG side. For example:

mail should map to user.userprincipalname.
displayName should map to user.displayname.
Unique User Identifier should map to user.userprincipalname.

Check Group Mappings:

If you're using group-based access control, ensure that the group claims are correctly configured in Azure. You might need to include the group attribute in the SAML assertion and ensure it matches the group settings in AMG.

Test with Different Users:

Since one user is able to log in while another is blocked, compare the attributes of both users in Azure AD. Look for discrepancies in group memberships or attribute values.

Enable Debugging:

On the AWS side, enable logging for the SAML integration to get more detailed error messages. This can help pinpoint the exact issue with the assertion.

Forum Discussion

Unable to integrate Amazon Managed Grafana on Azure

1 Reply

Resources