Docs Home
Grafana v0.16.3 published on Monday, Apr 7, 2025 by pulumiverse
grafana.oss.SsoSettings
Explore with Pulumi AI
Manages Grafana SSO Settings for OAuth2, SAML and LDAP. Support for LDAP is currently in preview, it will be available in Grafana starting with v11.3.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as grafana from "@pulumiverse/grafana";
// Configure SSO for GitHub using OAuth2
const githubSsoSettings = new grafana.oss.SsoSettings("github_sso_settings", {
providerName: "github",
oauth2Settings: {
name: "Github",
clientId: "<your GitHub app client id>",
clientSecret: "<your GitHub app client secret>",
allowSignUp: true,
autoLogin: false,
scopes: "user:email,read:org",
teamIds: "150,300",
allowedOrganizations: "[\"My Organization\", \"Octocats\"]",
allowedDomains: "mycompany.com mycompany.org",
},
});
// Configure SSO using generic OAuth2
const genericSsoSettings = new grafana.oss.SsoSettings("generic_sso_settings", {
providerName: "generic_oauth",
oauth2Settings: {
name: "Auth0",
authUrl: "https://<domain>/authorize",
tokenUrl: "https://<domain>/oauth/token",
apiUrl: "https://<domain>/userinfo",
clientId: "<client id>",
clientSecret: "<client secret>",
allowSignUp: true,
autoLogin: false,
scopes: "openid profile email offline_access",
usePkce: true,
useRefreshToken: true,
},
});
// Configure SSO using SAML
const samlSsoSettings = new grafana.oss.SsoSettings("saml_sso_settings", {
providerName: "saml",
samlSettings: {
allowSignUp: true,
certificatePath: "devenv/docker/blocks/auth/saml-enterprise/cert.crt",
privateKeyPath: "devenv/docker/blocks/auth/saml-enterprise/key.pem",
idpMetadataUrl: "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
signatureAlgorithm: "rsa-sha256",
assertionAttributeLogin: "login",
assertionAttributeEmail: "email",
nameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
},
});
// Configure SSO using LDAP
const ldapSsoSettings = new grafana.oss.SsoSettings("ldap_sso_settings", {
providerName: "ldap",
ldapSettings: {
enabled: true,
config: {
servers: [{
host: "127.0.0.1",
port: 389,
searchFilter: "(cn=%s)",
bindDn: "cn=admin,dc=grafana,dc=org",
bindPassword: "grafana",
searchBaseDns: ["dc=grafana,dc=org"],
attributes: {
name: "givenName",
surname: "sn",
username: "cn",
member_of: "memberOf",
email: "email",
},
groupMappings: [
{
groupDn: "cn=superadmins,dc=grafana,dc=org",
orgRole: "Admin",
orgId: 1,
grafanaAdmin: true,
},
{
groupDn: "cn=users,dc=grafana,dc=org",
orgRole: "Editor",
},
{
groupDn: "*",
orgRole: "Viewer",
},
],
}],
},
},
});
import pulumi
import pulumiverse_grafana as grafana
# Configure SSO for GitHub using OAuth2
github_sso_settings = grafana.oss.SsoSettings("github_sso_settings",
provider_name="github",
oauth2_settings={
"name": "Github",
"client_id": "<your GitHub app client id>",
"client_secret": "<your GitHub app client secret>",
"allow_sign_up": True,
"auto_login": False,
"scopes": "user:email,read:org",
"team_ids": "150,300",
"allowed_organizations": "[\"My Organization\", \"Octocats\"]",
"allowed_domains": "mycompany.com mycompany.org",
})
# Configure SSO using generic OAuth2
generic_sso_settings = grafana.oss.SsoSettings("generic_sso_settings",
provider_name="generic_oauth",
oauth2_settings={
"name": "Auth0",
"auth_url": "https://<domain>/authorize",
"token_url": "https://<domain>/oauth/token",
"api_url": "https://<domain>/userinfo",
"client_id": "<client id>",
"client_secret": "<client secret>",
"allow_sign_up": True,
"auto_login": False,
"scopes": "openid profile email offline_access",
"use_pkce": True,
"use_refresh_token": True,
})
# Configure SSO using SAML
saml_sso_settings = grafana.oss.SsoSettings("saml_sso_settings",
provider_name="saml",
saml_settings={
"allow_sign_up": True,
"certificate_path": "devenv/docker/blocks/auth/saml-enterprise/cert.crt",
"private_key_path": "devenv/docker/blocks/auth/saml-enterprise/key.pem",
"idp_metadata_url": "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
"signature_algorithm": "rsa-sha256",
"assertion_attribute_login": "login",
"assertion_attribute_email": "email",
"name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
})
# Configure SSO using LDAP
ldap_sso_settings = grafana.oss.SsoSettings("ldap_sso_settings",
provider_name="ldap",
ldap_settings={
"enabled": True,
"config": {
"servers": [{
"host": "127.0.0.1",
"port": 389,
"search_filter": "(cn=%s)",
"bind_dn": "cn=admin,dc=grafana,dc=org",
"bind_password": "grafana",
"search_base_dns": ["dc=grafana,dc=org"],
"attributes": {
"name": "givenName",
"surname": "sn",
"username": "cn",
"member_of": "memberOf",
"email": "email",
},
"group_mappings": [
{
"group_dn": "cn=superadmins,dc=grafana,dc=org",
"org_role": "Admin",
"org_id": 1,
"grafana_admin": True,
},
{
"group_dn": "cn=users,dc=grafana,dc=org",
"org_role": "Editor",
},
{
"group_dn": "*",
"org_role": "Viewer",
},
],
}],
},
})
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-grafana/sdk/go/grafana/oss"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Configure SSO for GitHub using OAuth2
_, err := oss.NewSsoSettings(ctx, "github_sso_settings", &oss.SsoSettingsArgs{
ProviderName: pulumi.String("github"),
Oauth2Settings: &oss.SsoSettingsOauth2SettingsArgs{
Name: pulumi.String("Github"),
ClientId: pulumi.String("<your GitHub app client id>"),
ClientSecret: pulumi.String("<your GitHub app client secret>"),
AllowSignUp: pulumi.Bool(true),
AutoLogin: pulumi.Bool(false),
Scopes: pulumi.String("user:email,read:org"),
TeamIds: pulumi.String("150,300"),
AllowedOrganizations: pulumi.String("[\"My Organization\", \"Octocats\"]"),
AllowedDomains: pulumi.String("mycompany.com mycompany.org"),
},
})
if err != nil {
return err
}
// Configure SSO using generic OAuth2
_, err = oss.NewSsoSettings(ctx, "generic_sso_settings", &oss.SsoSettingsArgs{
ProviderName: pulumi.String("generic_oauth"),
Oauth2Settings: &oss.SsoSettingsOauth2SettingsArgs{
Name: pulumi.String("Auth0"),
AuthUrl: pulumi.String("https://<domain>/authorize"),
TokenUrl: pulumi.String("https://<domain>/oauth/token"),
ApiUrl: pulumi.String("https://<domain>/userinfo"),
ClientId: pulumi.String("<client id>"),
ClientSecret: pulumi.String("<client secret>"),
AllowSignUp: pulumi.Bool(true),
AutoLogin: pulumi.Bool(false),
Scopes: pulumi.String("openid profile email offline_access"),
UsePkce: pulumi.Bool(true),
UseRefreshToken: pulumi.Bool(true),
},
})
if err != nil {
return err
}
// Configure SSO using SAML
_, err = oss.NewSsoSettings(ctx, "saml_sso_settings", &oss.SsoSettingsArgs{
ProviderName: pulumi.String("saml"),
SamlSettings: &oss.SsoSettingsSamlSettingsArgs{
AllowSignUp: pulumi.Bool(true),
CertificatePath: pulumi.String("devenv/docker/blocks/auth/saml-enterprise/cert.crt"),
PrivateKeyPath: pulumi.String("devenv/docker/blocks/auth/saml-enterprise/key.pem"),
IdpMetadataUrl: pulumi.String("https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml"),
SignatureAlgorithm: pulumi.String("rsa-sha256"),
AssertionAttributeLogin: pulumi.String("login"),
AssertionAttributeEmail: pulumi.String("email"),
NameIdFormat: pulumi.String("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"),
},
})
if err != nil {
return err
}
// Configure SSO using LDAP
_, err = oss.NewSsoSettings(ctx, "ldap_sso_settings", &oss.SsoSettingsArgs{
ProviderName: pulumi.String("ldap"),
LdapSettings: &oss.SsoSettingsLdapSettingsArgs{
Enabled: pulumi.Bool(true),
Config: &oss.SsoSettingsLdapSettingsConfigArgs{
Servers: oss.SsoSettingsLdapSettingsConfigServerArray{
&oss.SsoSettingsLdapSettingsConfigServerArgs{
Host: pulumi.String("127.0.0.1"),
Port: pulumi.Int(389),
SearchFilter: pulumi.String("(cn=%s)"),
BindDn: pulumi.String("cn=admin,dc=grafana,dc=org"),
BindPassword: pulumi.String("grafana"),
SearchBaseDns: pulumi.StringArray{
pulumi.String("dc=grafana,dc=org"),
},
Attributes: pulumi.StringMap{
"name": pulumi.String("givenName"),
"surname": pulumi.String("sn"),
"username": pulumi.String("cn"),
"member_of": pulumi.String("memberOf"),
"email": pulumi.String("email"),
},
GroupMappings: oss.SsoSettingsLdapSettingsConfigServerGroupMappingArray{
&oss.SsoSettingsLdapSettingsConfigServerGroupMappingArgs{
GroupDn: pulumi.String("cn=superadmins,dc=grafana,dc=org"),
OrgRole: pulumi.String("Admin"),
OrgId: pulumi.Int(1),
GrafanaAdmin: pulumi.Bool(true),
},
&oss.SsoSettingsLdapSettingsConfigServerGroupMappingArgs{
GroupDn: pulumi.String("cn=users,dc=grafana,dc=org"),
OrgRole: pulumi.String("Editor"),
},
&oss.SsoSettingsLdapSettingsConfigServerGroupMappingArgs{
GroupDn: pulumi.String("*"),
OrgRole: pulumi.String("Viewer"),
},
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Grafana = Pulumiverse.Grafana;
return await Deployment.RunAsync(() =>
{
// Configure SSO for GitHub using OAuth2
var githubSsoSettings = new Grafana.Oss.SsoSettings("github_sso_settings", new()
{
ProviderName = "github",
Oauth2Settings = new Grafana.Oss.Inputs.SsoSettingsOauth2SettingsArgs
{
Name = "Github",
ClientId = "<your GitHub app client id>",
ClientSecret = "<your GitHub app client secret>",
AllowSignUp = true,
AutoLogin = false,
Scopes = "user:email,read:org",
TeamIds = "150,300",
AllowedOrganizations = "[\"My Organization\", \"Octocats\"]",
AllowedDomains = "mycompany.com mycompany.org",
},
});
// Configure SSO using generic OAuth2
var genericSsoSettings = new Grafana.Oss.SsoSettings("generic_sso_settings", new()
{
ProviderName = "generic_oauth",
Oauth2Settings = new Grafana.Oss.Inputs.SsoSettingsOauth2SettingsArgs
{
Name = "Auth0",
AuthUrl = "https://<domain>/authorize",
TokenUrl = "https://<domain>/oauth/token",
ApiUrl = "https://<domain>/userinfo",
ClientId = "<client id>",
ClientSecret = "<client secret>",
AllowSignUp = true,
AutoLogin = false,
Scopes = "openid profile email offline_access",
UsePkce = true,
UseRefreshToken = true,
},
});
// Configure SSO using SAML
var samlSsoSettings = new Grafana.Oss.SsoSettings("saml_sso_settings", new()
{
ProviderName = "saml",
SamlSettings = new Grafana.Oss.Inputs.SsoSettingsSamlSettingsArgs
{
AllowSignUp = true,
CertificatePath = "devenv/docker/blocks/auth/saml-enterprise/cert.crt",
PrivateKeyPath = "devenv/docker/blocks/auth/saml-enterprise/key.pem",
IdpMetadataUrl = "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
SignatureAlgorithm = "rsa-sha256",
AssertionAttributeLogin = "login",
AssertionAttributeEmail = "email",
NameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
},
});
// Configure SSO using LDAP
var ldapSsoSettings = new Grafana.Oss.SsoSettings("ldap_sso_settings", new()
{
ProviderName = "ldap",
LdapSettings = new Grafana.Oss.Inputs.SsoSettingsLdapSettingsArgs
{
Enabled = true,
Config = new Grafana.Oss.Inputs.SsoSettingsLdapSettingsConfigArgs
{
Servers = new[]
{
new Grafana.Oss.Inputs.SsoSettingsLdapSettingsConfigServerArgs
{
Host = "127.0.0.1",
Port = 389,
SearchFilter = "(cn=%s)",
BindDn = "cn=admin,dc=grafana,dc=org",
BindPassword = "grafana",
SearchBaseDns = new[]
{
"dc=grafana,dc=org",
},
Attributes =
{
{ "name", "givenName" },
{ "surname", "sn" },
{ "username", "cn" },
{ "member_of", "memberOf" },
{ "email", "email" },
},
GroupMappings = new[]
{
new Grafana.Oss.Inputs.SsoSettingsLdapSettingsConfigServerGroupMappingArgs
{
GroupDn = "cn=superadmins,dc=grafana,dc=org",
OrgRole = "Admin",
OrgId = 1,
GrafanaAdmin = true,
},
new Grafana.Oss.Inputs.SsoSettingsLdapSettingsConfigServerGroupMappingArgs
{
GroupDn = "cn=users,dc=grafana,dc=org",
OrgRole = "Editor",
},
new Grafana.Oss.Inputs.SsoSettingsLdapSettingsConfigServerGroupMappingArgs
{
GroupDn = "*",
OrgRole = "Viewer",
},
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.grafana.oss.SsoSettings;
import com.pulumi.grafana.oss.SsoSettingsArgs;
import com.pulumi.grafana.oss.inputs.SsoSettingsOauth2SettingsArgs;
import com.pulumi.grafana.oss.inputs.SsoSettingsSamlSettingsArgs;
import com.pulumi.grafana.oss.inputs.SsoSettingsLdapSettingsArgs;
import com.pulumi.grafana.oss.inputs.SsoSettingsLdapSettingsConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Configure SSO for GitHub using OAuth2
var githubSsoSettings = new SsoSettings("githubSsoSettings", SsoSettingsArgs.builder()
.providerName("github")
.oauth2Settings(SsoSettingsOauth2SettingsArgs.builder()
.name("Github")
.clientId("<your GitHub app client id>")
.clientSecret("<your GitHub app client secret>")
.allowSignUp(true)
.autoLogin(false)
.scopes("user:email,read:org")
.teamIds("150,300")
.allowedOrganizations("[\"My Organization\", \"Octocats\"]")
.allowedDomains("mycompany.com mycompany.org")
.build())
.build());
// Configure SSO using generic OAuth2
var genericSsoSettings = new SsoSettings("genericSsoSettings", SsoSettingsArgs.builder()
.providerName("generic_oauth")
.oauth2Settings(SsoSettingsOauth2SettingsArgs.builder()
.name("Auth0")
.authUrl("https://<domain>/authorize")
.tokenUrl("https://<domain>/oauth/token")
.apiUrl("https://<domain>/userinfo")
.clientId("<client id>")
.clientSecret("<client secret>")
.allowSignUp(true)
.autoLogin(false)
.scopes("openid profile email offline_access")
.usePkce(true)
.useRefreshToken(true)
.build())
.build());
// Configure SSO using SAML
var samlSsoSettings = new SsoSettings("samlSsoSettings", SsoSettingsArgs.builder()
.providerName("saml")
.samlSettings(SsoSettingsSamlSettingsArgs.builder()
.allowSignUp(true)
.certificatePath("devenv/docker/blocks/auth/saml-enterprise/cert.crt")
.privateKeyPath("devenv/docker/blocks/auth/saml-enterprise/key.pem")
.idpMetadataUrl("https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml")
.signatureAlgorithm("rsa-sha256")
.assertionAttributeLogin("login")
.assertionAttributeEmail("email")
.nameIdFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
.build())
.build());
// Configure SSO using LDAP
var ldapSsoSettings = new SsoSettings("ldapSsoSettings", SsoSettingsArgs.builder()
.providerName("ldap")
.ldapSettings(SsoSettingsLdapSettingsArgs.builder()
.enabled("true")
.config(SsoSettingsLdapSettingsConfigArgs.builder()
.servers(SsoSettingsLdapSettingsConfigServerArgs.builder()
.host("127.0.0.1")
.port(389)
.searchFilter("(cn=%s)")
.bindDn("cn=admin,dc=grafana,dc=org")
.bindPassword("grafana")
.searchBaseDns("dc=grafana,dc=org")
.attributes(Map.ofEntries(
Map.entry("name", "givenName"),
Map.entry("surname", "sn"),
Map.entry("username", "cn"),
Map.entry("member_of", "memberOf"),
Map.entry("email", "email")
))
.groupMappings(
SsoSettingsLdapSettingsConfigServerGroupMappingArgs.builder()
.groupDn("cn=superadmins,dc=grafana,dc=org")
.orgRole("Admin")
.orgId(1)
.grafanaAdmin(true)
.build(),
SsoSettingsLdapSettingsConfigServerGroupMappingArgs.builder()
.groupDn("cn=users,dc=grafana,dc=org")
.orgRole("Editor")
.build(),
SsoSettingsLdapSettingsConfigServerGroupMappingArgs.builder()
.groupDn("*")
.orgRole("Viewer")
.build())
.build())
.build())
.build())
.build());
}
}
resources:
# Configure SSO for GitHub using OAuth2
githubSsoSettings:
type: grafana:oss:SsoSettings
name: github_sso_settings
properties:
providerName: github
oauth2Settings:
name: Github
clientId: <your GitHub app client id>
clientSecret: <your GitHub app client secret>
allowSignUp: true
autoLogin: false
scopes: user:email,read:org
teamIds: 150,300
allowedOrganizations: '["My Organization", "Octocats"]'
allowedDomains: mycompany.com mycompany.org
# Configure SSO using generic OAuth2
genericSsoSettings:
type: grafana:oss:SsoSettings
name: generic_sso_settings
properties:
providerName: generic_oauth
oauth2Settings:
name: Auth0
authUrl: https://<domain>/authorize
tokenUrl: https://<domain>/oauth/token
apiUrl: https://<domain>/userinfo
clientId: <client id>
clientSecret: <client secret>
allowSignUp: true
autoLogin: false
scopes: openid profile email offline_access
usePkce: true
useRefreshToken: true
# Configure SSO using SAML
samlSsoSettings:
type: grafana:oss:SsoSettings
name: saml_sso_settings
properties:
providerName: saml
samlSettings:
allowSignUp: true
certificatePath: devenv/docker/blocks/auth/saml-enterprise/cert.crt
privateKeyPath: devenv/docker/blocks/auth/saml-enterprise/key.pem
idpMetadataUrl: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
signatureAlgorithm: rsa-sha256
assertionAttributeLogin: login
assertionAttributeEmail: email
nameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
# Configure SSO using LDAP
ldapSsoSettings:
type: grafana:oss:SsoSettings
name: ldap_sso_settings
properties:
providerName: ldap
ldapSettings:
enabled: 'true'
config:
servers:
- host: 127.0.0.1
port: 389
searchFilter: (cn=%s)
bindDn: cn=admin,dc=grafana,dc=org
bindPassword: grafana
searchBaseDns:
- dc=grafana,dc=org
attributes:
name: givenName
surname: sn
username: cn
member_of: memberOf
email: email
groupMappings:
- groupDn: cn=superadmins,dc=grafana,dc=org
orgRole: Admin
orgId: 1
grafanaAdmin: true
- groupDn: cn=users,dc=grafana,dc=org
orgRole: Editor
- groupDn: '*'
orgRole: Viewer
Create SsoSettings Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SsoSettings(name: string, args: SsoSettingsArgs, opts?: CustomResourceOptions);@overload
def SsoSettings(resource_name: str,
args: SsoSettingsArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SsoSettings(resource_name: str,
opts: Optional[ResourceOptions] = None,
provider_name: Optional[str] = None,
ldap_settings: Optional[SsoSettingsLdapSettingsArgs] = None,
oauth2_settings: Optional[SsoSettingsOauth2SettingsArgs] = None,
saml_settings: Optional[SsoSettingsSamlSettingsArgs] = None)func NewSsoSettings(ctx *Context, name string, args SsoSettingsArgs, opts ...ResourceOption) (*SsoSettings, error)public SsoSettings(string name, SsoSettingsArgs args, CustomResourceOptions? opts = null)public SsoSettings(String name, SsoSettingsArgs args)
public SsoSettings(String name, SsoSettingsArgs args, CustomResourceOptions options)
type: grafana:oss:SsoSettings
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name
This property is required. string - The unique name of the resource.
- args
This property is required. SsoSettingsArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name
This property is required. str - The unique name of the resource.
- args
This property is required. SsoSettingsArgs - The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. SsoSettingsArgs - The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. SsoSettingsArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name
This property is required. String - The unique name of the resource.
- args
This property is required. SsoSettingsArgs - The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var ssoSettingsResource = new Grafana.Oss.SsoSettings("ssoSettingsResource", new()
{
ProviderName = "string",
LdapSettings = new Grafana.Oss.Inputs.SsoSettingsLdapSettingsArgs
{
Config = new Grafana.Oss.Inputs.SsoSettingsLdapSettingsConfigArgs
{
Servers = new[]
{
new Grafana.Oss.Inputs.SsoSettingsLdapSettingsConfigServerArgs
{
Host = "string",
SearchFilter = "string",
SearchBaseDns = new[]
{
"string",
},
GroupSearchFilterUserAttribute = "string",
MinTlsVersion = "string",
ClientKey = "string",
ClientKeyValue = "string",
GroupMappings = new[]
{
new Grafana.Oss.Inputs.SsoSettingsLdapSettingsConfigServerGroupMappingArgs
{
GroupDn = "string",
OrgRole = "string",
GrafanaAdmin = false,
OrgId = 0,
},
},
GroupSearchBaseDns = new[]
{
"string",
},
GroupSearchFilter = "string",
Attributes =
{
{ "string", "string" },
},
ClientCert = "string",
ClientCertValue = "string",
Port = 0,
RootCaCert = "string",
RootCaCertValues = new[]
{
"string",
},
BindPassword = "string",
BindDn = "string",
SslSkipVerify = false,
StartTls = false,
Timeout = 0,
TlsCiphers = new[]
{
"string",
},
UseSsl = false,
},
},
},
AllowSignUp = false,
Enabled = false,
SkipOrgRoleSync = false,
},
Oauth2Settings = new Grafana.Oss.Inputs.SsoSettingsOauth2SettingsArgs
{
ClientId = "string",
LoginAttributePath = "string",
TlsClientCert = "string",
AllowedGroups = "string",
AllowedOrganizations = "string",
ApiUrl = "string",
AuthStyle = "string",
AuthUrl = "string",
AutoLogin = false,
AllowSignUp = false,
ClientSecret = "string",
Custom =
{
{ "string", "string" },
},
DefineAllowedGroups = false,
DefineAllowedTeamsIds = false,
Name = "string",
EmailAttributePath = "string",
EmptyScopes = false,
Enabled = false,
GroupsAttributePath = "string",
UsePkce = false,
AllowedDomains = "string",
EmailAttributeName = "string",
NameAttributePath = "string",
OrgAttributePath = "string",
OrgMapping = "string",
RoleAttributePath = "string",
RoleAttributeStrict = false,
Scopes = "string",
SignoutRedirectUrl = "string",
SkipOrgRoleSync = false,
TeamIds = "string",
TeamIdsAttributePath = "string",
TeamsUrl = "string",
TlsClientCa = "string",
AllowAssignGrafanaAdmin = false,
TlsClientKey = "string",
TlsSkipVerifyInsecure = false,
TokenUrl = "string",
IdTokenAttributeName = "string",
UseRefreshToken = false,
},
SamlSettings = new Grafana.Oss.Inputs.SsoSettingsSamlSettingsArgs
{
AllowIdpInitiated = false,
AllowSignUp = false,
AllowedOrganizations = "string",
AssertionAttributeEmail = "string",
AssertionAttributeGroups = "string",
AssertionAttributeLogin = "string",
AssertionAttributeName = "string",
AssertionAttributeOrg = "string",
AssertionAttributeRole = "string",
AutoLogin = false,
Certificate = "string",
CertificatePath = "string",
ClientId = "string",
ClientSecret = "string",
Enabled = false,
EntityId = "string",
ForceUseGraphApi = false,
IdpMetadata = "string",
IdpMetadataPath = "string",
IdpMetadataUrl = "string",
MaxIssueDelay = "string",
MetadataValidDuration = "string",
Name = "string",
NameIdFormat = "string",
OrgMapping = "string",
PrivateKey = "string",
PrivateKeyPath = "string",
RelayState = "string",
RoleValuesAdmin = "string",
RoleValuesEditor = "string",
RoleValuesGrafanaAdmin = "string",
RoleValuesNone = "string",
RoleValuesViewer = "string",
SignatureAlgorithm = "string",
SingleLogout = false,
SkipOrgRoleSync = false,
TokenUrl = "string",
},
});
example, err := oss.NewSsoSettings(ctx, "ssoSettingsResource", &oss.SsoSettingsArgs{
ProviderName: pulumi.String("string"),
LdapSettings: &oss.SsoSettingsLdapSettingsArgs{
Config: &oss.SsoSettingsLdapSettingsConfigArgs{
Servers: oss.SsoSettingsLdapSettingsConfigServerArray{
&oss.SsoSettingsLdapSettingsConfigServerArgs{
Host: pulumi.String("string"),
SearchFilter: pulumi.String("string"),
SearchBaseDns: pulumi.StringArray{
pulumi.String("string"),
},
GroupSearchFilterUserAttribute: pulumi.String("string"),
MinTlsVersion: pulumi.String("string"),
ClientKey: pulumi.String("string"),
ClientKeyValue: pulumi.String("string"),
GroupMappings: oss.SsoSettingsLdapSettingsConfigServerGroupMappingArray{
&oss.SsoSettingsLdapSettingsConfigServerGroupMappingArgs{
GroupDn: pulumi.String("string"),
OrgRole: pulumi.String("string"),
GrafanaAdmin: pulumi.Bool(false),
OrgId: pulumi.Int(0),
},
},
GroupSearchBaseDns: pulumi.StringArray{
pulumi.String("string"),
},
GroupSearchFilter: pulumi.String("string"),
Attributes: pulumi.StringMap{
"string": pulumi.String("string"),
},
ClientCert: pulumi.String("string"),
ClientCertValue: pulumi.String("string"),
Port: pulumi.Int(0),
RootCaCert: pulumi.String("string"),
RootCaCertValues: pulumi.StringArray{
pulumi.String("string"),
},
BindPassword: pulumi.String("string"),
BindDn: pulumi.String("string"),
SslSkipVerify: pulumi.Bool(false),
StartTls: pulumi.Bool(false),
Timeout: pulumi.Int(0),
TlsCiphers: pulumi.StringArray{
pulumi.String("string"),
},
UseSsl: pulumi.Bool(false),
},
},
},
AllowSignUp: pulumi.Bool(false),
Enabled: pulumi.Bool(false),
SkipOrgRoleSync: pulumi.Bool(false),
},
Oauth2Settings: &oss.SsoSettingsOauth2SettingsArgs{
ClientId: pulumi.String("string"),
LoginAttributePath: pulumi.String("string"),
TlsClientCert: pulumi.String("string"),
AllowedGroups: pulumi.String("string"),
AllowedOrganizations: pulumi.String("string"),
ApiUrl: pulumi.String("string"),
AuthStyle: pulumi.String("string"),
AuthUrl: pulumi.String("string"),
AutoLogin: pulumi.Bool(false),
AllowSignUp: pulumi.Bool(false),
ClientSecret: pulumi.String("string"),
Custom: pulumi.StringMap{
"string": pulumi.String("string"),
},
DefineAllowedGroups: pulumi.Bool(false),
DefineAllowedTeamsIds: pulumi.Bool(false),
Name: pulumi.String("string"),
EmailAttributePath: pulumi.String("string"),
EmptyScopes: pulumi.Bool(false),
Enabled: pulumi.Bool(false),
GroupsAttributePath: pulumi.String("string"),
UsePkce: pulumi.Bool(false),
AllowedDomains: pulumi.String("string"),
EmailAttributeName: pulumi.String("string"),
NameAttributePath: pulumi.String("string"),
OrgAttributePath: pulumi.String("string"),
OrgMapping: pulumi.String("string"),
RoleAttributePath: pulumi.String("string"),
RoleAttributeStrict: pulumi.Bool(false),
Scopes: pulumi.String("string"),
SignoutRedirectUrl: pulumi.String("string"),
SkipOrgRoleSync: pulumi.Bool(false),
TeamIds: pulumi.String("string"),
TeamIdsAttributePath: pulumi.String("string"),
TeamsUrl: pulumi.String("string"),
TlsClientCa: pulumi.String("string"),
AllowAssignGrafanaAdmin: pulumi.Bool(false),
TlsClientKey: pulumi.String("string"),
TlsSkipVerifyInsecure: pulumi.Bool(false),
TokenUrl: pulumi.String("string"),
IdTokenAttributeName: pulumi.String("string"),
UseRefreshToken: pulumi.Bool(false),
},
SamlSettings: &oss.SsoSettingsSamlSettingsArgs{
AllowIdpInitiated: pulumi.Bool(false),
AllowSignUp: pulumi.Bool(false),
AllowedOrganizations: pulumi.String("string"),
AssertionAttributeEmail: pulumi.String("string"),
AssertionAttributeGroups: pulumi.String("string"),
AssertionAttributeLogin: pulumi.String("string"),
AssertionAttributeName: pulumi.String("string"),
AssertionAttributeOrg: pulumi.String("string"),
AssertionAttributeRole: pulumi.String("string"),
AutoLogin: pulumi.Bool(false),
Certificate: pulumi.String("string"),
CertificatePath: pulumi.String("string"),
ClientId: pulumi.String("string"),
ClientSecret: pulumi.String("string"),
Enabled: pulumi.Bool(false),
EntityId: pulumi.String("string"),
ForceUseGraphApi: pulumi.Bool(false),
IdpMetadata: pulumi.String("string"),
IdpMetadataPath: pulumi.String("string"),
IdpMetadataUrl: pulumi.String("string"),
MaxIssueDelay: pulumi.String("string"),
MetadataValidDuration: pulumi.String("string"),
Name: pulumi.String("string"),
NameIdFormat: pulumi.String("string"),
OrgMapping: pulumi.String("string"),
PrivateKey: pulumi.String("string"),
PrivateKeyPath: pulumi.String("string"),
RelayState: pulumi.String("string"),
RoleValuesAdmin: pulumi.String("string"),
RoleValuesEditor: pulumi.String("string"),
RoleValuesGrafanaAdmin: pulumi.String("string"),
RoleValuesNone: pulumi.String("string"),
RoleValuesViewer: pulumi.String("string"),
SignatureAlgorithm: pulumi.String("string"),
SingleLogout: pulumi.Bool(false),
SkipOrgRoleSync: pulumi.Bool(false),
TokenUrl: pulumi.String("string"),
},
})
var ssoSettingsResource = new SsoSettings("ssoSettingsResource", SsoSettingsArgs.builder()
.providerName("string")
.ldapSettings(SsoSettingsLdapSettingsArgs.builder()
.config(SsoSettingsLdapSettingsConfigArgs.builder()
.servers(SsoSettingsLdapSettingsConfigServerArgs.builder()
.host("string")
.searchFilter("string")
.searchBaseDns("string")
.groupSearchFilterUserAttribute("string")
.minTlsVersion("string")
.clientKey("string")
.clientKeyValue("string")
.groupMappings(SsoSettingsLdapSettingsConfigServerGroupMappingArgs.builder()
.groupDn("string")
.orgRole("string")
.grafanaAdmin(false)
.orgId(0)
.build())
.groupSearchBaseDns("string")
.groupSearchFilter("string")
.attributes(Map.of("string", "string"))
.clientCert("string")
.clientCertValue("string")
.port(0)
.rootCaCert("string")
.rootCaCertValues("string")
.bindPassword("string")
.bindDn("string")
.sslSkipVerify(false)
.startTls(false)
.timeout(0)
.tlsCiphers("string")
.useSsl(false)
.build())
.build())
.allowSignUp(false)
.enabled(false)
.skipOrgRoleSync(false)
.build())
.oauth2Settings(SsoSettingsOauth2SettingsArgs.builder()
.clientId("string")
.loginAttributePath("string")
.tlsClientCert("string")
.allowedGroups("string")
.allowedOrganizations("string")
.apiUrl("string")
.authStyle("string")
.authUrl("string")
.autoLogin(false)
.allowSignUp(false)
.clientSecret("string")
.custom(Map.of("string", "string"))
.defineAllowedGroups(false)
.defineAllowedTeamsIds(false)
.name("string")
.emailAttributePath("string")
.emptyScopes(false)
.enabled(false)
.groupsAttributePath("string")
.usePkce(false)
.allowedDomains("string")
.emailAttributeName("string")
.nameAttributePath("string")
.orgAttributePath("string")
.orgMapping("string")
.roleAttributePath("string")
.roleAttributeStrict(false)
.scopes("string")
.signoutRedirectUrl("string")
.skipOrgRoleSync(false)
.teamIds("string")
.teamIdsAttributePath("string")
.teamsUrl("string")
.tlsClientCa("string")
.allowAssignGrafanaAdmin(false)
.tlsClientKey("string")
.tlsSkipVerifyInsecure(false)
.tokenUrl("string")
.idTokenAttributeName("string")
.useRefreshToken(false)
.build())
.samlSettings(SsoSettingsSamlSettingsArgs.builder()
.allowIdpInitiated(false)
.allowSignUp(false)
.allowedOrganizations("string")
.assertionAttributeEmail("string")
.assertionAttributeGroups("string")
.assertionAttributeLogin("string")
.assertionAttributeName("string")
.assertionAttributeOrg("string")
.assertionAttributeRole("string")
.autoLogin(false)
.certificate("string")
.certificatePath("string")
.clientId("string")
.clientSecret("string")
.enabled(false)
.entityId("string")
.forceUseGraphApi(false)
.idpMetadata("string")
.idpMetadataPath("string")
.idpMetadataUrl("string")
.maxIssueDelay("string")
.metadataValidDuration("string")
.name("string")
.nameIdFormat("string")
.orgMapping("string")
.privateKey("string")
.privateKeyPath("string")
.relayState("string")
.roleValuesAdmin("string")
.roleValuesEditor("string")
.roleValuesGrafanaAdmin("string")
.roleValuesNone("string")
.roleValuesViewer("string")
.signatureAlgorithm("string")
.singleLogout(false)
.skipOrgRoleSync(false)
.tokenUrl("string")
.build())
.build());
sso_settings_resource = grafana.oss.SsoSettings("ssoSettingsResource",
provider_name="string",
ldap_settings={
"config": {
"servers": [{
"host": "string",
"search_filter": "string",
"search_base_dns": ["string"],
"group_search_filter_user_attribute": "string",
"min_tls_version": "string",
"client_key": "string",
"client_key_value": "string",
"group_mappings": [{
"group_dn": "string",
"org_role": "string",
"grafana_admin": False,
"org_id": 0,
}],
"group_search_base_dns": ["string"],
"group_search_filter": "string",
"attributes": {
"string": "string",
},
"client_cert": "string",
"client_cert_value": "string",
"port": 0,
"root_ca_cert": "string",
"root_ca_cert_values": ["string"],
"bind_password": "string",
"bind_dn": "string",
"ssl_skip_verify": False,
"start_tls": False,
"timeout": 0,
"tls_ciphers": ["string"],
"use_ssl": False,
}],
},
"allow_sign_up": False,
"enabled": False,
"skip_org_role_sync": False,
},
oauth2_settings={
"client_id": "string",
"login_attribute_path": "string",
"tls_client_cert": "string",
"allowed_groups": "string",
"allowed_organizations": "string",
"api_url": "string",
"auth_style": "string",
"auth_url": "string",
"auto_login": False,
"allow_sign_up": False,
"client_secret": "string",
"custom": {
"string": "string",
},
"define_allowed_groups": False,
"define_allowed_teams_ids": False,
"name": "string",
"email_attribute_path": "string",
"empty_scopes": False,
"enabled": False,
"groups_attribute_path": "string",
"use_pkce": False,
"allowed_domains": "string",
"email_attribute_name": "string",
"name_attribute_path": "string",
"org_attribute_path": "string",
"org_mapping": "string",
"role_attribute_path": "string",
"role_attribute_strict": False,
"scopes": "string",
"signout_redirect_url": "string",
"skip_org_role_sync": False,
"team_ids": "string",
"team_ids_attribute_path": "string",
"teams_url": "string",
"tls_client_ca": "string",
"allow_assign_grafana_admin": False,
"tls_client_key": "string",
"tls_skip_verify_insecure": False,
"token_url": "string",
"id_token_attribute_name": "string",
"use_refresh_token": False,
},
saml_settings={
"allow_idp_initiated": False,
"allow_sign_up": False,
"allowed_organizations": "string",
"assertion_attribute_email": "string",
"assertion_attribute_groups": "string",
"assertion_attribute_login": "string",
"assertion_attribute_name": "string",
"assertion_attribute_org": "string",
"assertion_attribute_role": "string",
"auto_login": False,
"certificate": "string",
"certificate_path": "string",
"client_id": "string",
"client_secret": "string",
"enabled": False,
"entity_id": "string",
"force_use_graph_api": False,
"idp_metadata": "string",
"idp_metadata_path": "string",
"idp_metadata_url": "string",
"max_issue_delay": "string",
"metadata_valid_duration": "string",
"name": "string",
"name_id_format": "string",
"org_mapping": "string",
"private_key": "string",
"private_key_path": "string",
"relay_state": "string",
"role_values_admin": "string",
"role_values_editor": "string",
"role_values_grafana_admin": "string",
"role_values_none": "string",
"role_values_viewer": "string",
"signature_algorithm": "string",
"single_logout": False,
"skip_org_role_sync": False,
"token_url": "string",
})
const ssoSettingsResource = new grafana.oss.SsoSettings("ssoSettingsResource", {
providerName: "string",
ldapSettings: {
config: {
servers: [{
host: "string",
searchFilter: "string",
searchBaseDns: ["string"],
groupSearchFilterUserAttribute: "string",
minTlsVersion: "string",
clientKey: "string",
clientKeyValue: "string",
groupMappings: [{
groupDn: "string",
orgRole: "string",
grafanaAdmin: false,
orgId: 0,
}],
groupSearchBaseDns: ["string"],
groupSearchFilter: "string",
attributes: {
string: "string",
},
clientCert: "string",
clientCertValue: "string",
port: 0,
rootCaCert: "string",
rootCaCertValues: ["string"],
bindPassword: "string",
bindDn: "string",
sslSkipVerify: false,
startTls: false,
timeout: 0,
tlsCiphers: ["string"],
useSsl: false,
}],
},
allowSignUp: false,
enabled: false,
skipOrgRoleSync: false,
},
oauth2Settings: {
clientId: "string",
loginAttributePath: "string",
tlsClientCert: "string",
allowedGroups: "string",
allowedOrganizations: "string",
apiUrl: "string",
authStyle: "string",
authUrl: "string",
autoLogin: false,
allowSignUp: false,
clientSecret: "string",
custom: {
string: "string",
},
defineAllowedGroups: false,
defineAllowedTeamsIds: false,
name: "string",
emailAttributePath: "string",
emptyScopes: false,
enabled: false,
groupsAttributePath: "string",
usePkce: false,
allowedDomains: "string",
emailAttributeName: "string",
nameAttributePath: "string",
orgAttributePath: "string",
orgMapping: "string",
roleAttributePath: "string",
roleAttributeStrict: false,
scopes: "string",
signoutRedirectUrl: "string",
skipOrgRoleSync: false,
teamIds: "string",
teamIdsAttributePath: "string",
teamsUrl: "string",
tlsClientCa: "string",
allowAssignGrafanaAdmin: false,
tlsClientKey: "string",
tlsSkipVerifyInsecure: false,
tokenUrl: "string",
idTokenAttributeName: "string",
useRefreshToken: false,
},
samlSettings: {
allowIdpInitiated: false,
allowSignUp: false,
allowedOrganizations: "string",
assertionAttributeEmail: "string",
assertionAttributeGroups: "string",
assertionAttributeLogin: "string",
assertionAttributeName: "string",
assertionAttributeOrg: "string",
assertionAttributeRole: "string",
autoLogin: false,
certificate: "string",
certificatePath: "string",
clientId: "string",
clientSecret: "string",
enabled: false,
entityId: "string",
forceUseGraphApi: false,
idpMetadata: "string",
idpMetadataPath: "string",
idpMetadataUrl: "string",
maxIssueDelay: "string",
metadataValidDuration: "string",
name: "string",
nameIdFormat: "string",
orgMapping: "string",
privateKey: "string",
privateKeyPath: "string",
relayState: "string",
roleValuesAdmin: "string",
roleValuesEditor: "string",
roleValuesGrafanaAdmin: "string",
roleValuesNone: "string",
roleValuesViewer: "string",
signatureAlgorithm: "string",
singleLogout: false,
skipOrgRoleSync: false,
tokenUrl: "string",
},
});
type: grafana:oss:SsoSettings
properties:
ldapSettings:
allowSignUp: false
config:
servers:
- attributes:
string: string
bindDn: string
bindPassword: string
clientCert: string
clientCertValue: string
clientKey: string
clientKeyValue: string
groupMappings:
- grafanaAdmin: false
groupDn: string
orgId: 0
orgRole: string
groupSearchBaseDns:
- string
groupSearchFilter: string
groupSearchFilterUserAttribute: string
host: string
minTlsVersion: string
port: 0
rootCaCert: string
rootCaCertValues:
- string
searchBaseDns:
- string
searchFilter: string
sslSkipVerify: false
startTls: false
timeout: 0
tlsCiphers:
- string
useSsl: false
enabled: false
skipOrgRoleSync: false
oauth2Settings:
allowAssignGrafanaAdmin: false
allowSignUp: false
allowedDomains: string
allowedGroups: string
allowedOrganizations: string
apiUrl: string
authStyle: string
authUrl: string
autoLogin: false
clientId: string
clientSecret: string
custom:
string: string
defineAllowedGroups: false
defineAllowedTeamsIds: false
emailAttributeName: string
emailAttributePath: string
emptyScopes: false
enabled: false
groupsAttributePath: string
idTokenAttributeName: string
loginAttributePath: string
name: string
nameAttributePath: string
orgAttributePath: string
orgMapping: string
roleAttributePath: string
roleAttributeStrict: false
scopes: string
signoutRedirectUrl: string
skipOrgRoleSync: false
teamIds: string
teamIdsAttributePath: string
teamsUrl: string
tlsClientCa: string
tlsClientCert: string
tlsClientKey: string
tlsSkipVerifyInsecure: false
tokenUrl: string
usePkce: false
useRefreshToken: false
providerName: string
samlSettings:
allowIdpInitiated: false
allowSignUp: false
allowedOrganizations: string
assertionAttributeEmail: string
assertionAttributeGroups: string
assertionAttributeLogin: string
assertionAttributeName: string
assertionAttributeOrg: string
assertionAttributeRole: string
autoLogin: false
certificate: string
certificatePath: string
clientId: string
clientSecret: string
enabled: false
entityId: string
forceUseGraphApi: false
idpMetadata: string
idpMetadataPath: string
idpMetadataUrl: string
maxIssueDelay: string
metadataValidDuration: string
name: string
nameIdFormat: string
orgMapping: string
privateKey: string
privateKeyPath: string
relayState: string
roleValuesAdmin: string
roleValuesEditor: string
roleValuesGrafanaAdmin: string
roleValuesNone: string
roleValuesViewer: string
signatureAlgorithm: string
singleLogout: false
skipOrgRoleSync: false
tokenUrl: string
SsoSettings Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SsoSettings resource accepts the following input properties:
- Provider
Name This property is required. string - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.
- Ldap
Settings Pulumiverse.Grafana. Oss. Inputs. Sso Settings Ldap Settings - The LDAP settings set. Required for the ldap provider.
- Oauth2Settings
Pulumiverse.
Grafana. Oss. Inputs. Sso Settings Oauth2Settings - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- Saml
Settings Pulumiverse.Grafana. Oss. Inputs. Sso Settings Saml Settings - The SAML settings set. Required for the saml provider.
- Provider
Name This property is required. string - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.
- Ldap
Settings SsoSettings Ldap Settings Args - The LDAP settings set. Required for the ldap provider.
- Oauth2Settings
Sso
Settings Oauth2Settings Args - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- Saml
Settings SsoSettings Saml Settings Args - The SAML settings set. Required for the saml provider.
- provider
Name This property is required. String - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.
- ldap
Settings SsoSettings Ldap Settings - The LDAP settings set. Required for the ldap provider.
- oauth2Settings
Sso
Settings Oauth2Settings - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- saml
Settings SsoSettings Saml Settings - The SAML settings set. Required for the saml provider.
- provider
Name This property is required. string - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.
- ldap
Settings SsoSettings Ldap Settings - The LDAP settings set. Required for the ldap provider.
- oauth2Settings
Sso
Settings Oauth2Settings - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- saml
Settings SsoSettings Saml Settings - The SAML settings set. Required for the saml provider.
- provider_
name This property is required. str - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.
- ldap_
settings SsoSettings Ldap Settings Args - The LDAP settings set. Required for the ldap provider.
- oauth2_
settings SsoSettings Oauth2Settings Args - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- saml_
settings SsoSettings Saml Settings Args - The SAML settings set. Required for the saml provider.
- provider
Name This property is required. String - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.
- ldap
Settings Property Map - The LDAP settings set. Required for the ldap provider.
- oauth2Settings Property Map
- The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- saml
Settings Property Map - The SAML settings set. Required for the saml provider.
Outputs
All input properties are implicitly available as output properties. Additionally, the SsoSettings resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing SsoSettings Resource
Get an existing SsoSettings resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SsoSettingsState, opts?: CustomResourceOptions): SsoSettings@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
ldap_settings: Optional[SsoSettingsLdapSettingsArgs] = None,
oauth2_settings: Optional[SsoSettingsOauth2SettingsArgs] = None,
provider_name: Optional[str] = None,
saml_settings: Optional[SsoSettingsSamlSettingsArgs] = None) -> SsoSettingsfunc GetSsoSettings(ctx *Context, name string, id IDInput, state *SsoSettingsState, opts ...ResourceOption) (*SsoSettings, error)public static SsoSettings Get(string name, Input<string> id, SsoSettingsState? state, CustomResourceOptions? opts = null)public static SsoSettings get(String name, Output<String> id, SsoSettingsState state, CustomResourceOptions options)resources: _: type: grafana:oss:SsoSettings get: id: ${id}- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Ldap
Settings Pulumiverse.Grafana. Oss. Inputs. Sso Settings Ldap Settings - The LDAP settings set. Required for the ldap provider.
- Oauth2Settings
Pulumiverse.
Grafana. Oss. Inputs. Sso Settings Oauth2Settings - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- Provider
Name string - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.
- Saml
Settings Pulumiverse.Grafana. Oss. Inputs. Sso Settings Saml Settings - The SAML settings set. Required for the saml provider.
- Ldap
Settings SsoSettings Ldap Settings Args - The LDAP settings set. Required for the ldap provider.
- Oauth2Settings
Sso
Settings Oauth2Settings Args - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- Provider
Name string - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.
- Saml
Settings SsoSettings Saml Settings Args - The SAML settings set. Required for the saml provider.
- ldap
Settings SsoSettings Ldap Settings - The LDAP settings set. Required for the ldap provider.
- oauth2Settings
Sso
Settings Oauth2Settings - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- provider
Name String - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.
- saml
Settings SsoSettings Saml Settings - The SAML settings set. Required for the saml provider.
- ldap
Settings SsoSettings Ldap Settings - The LDAP settings set. Required for the ldap provider.
- oauth2Settings
Sso
Settings Oauth2Settings - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- provider
Name string - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.
- saml
Settings SsoSettings Saml Settings - The SAML settings set. Required for the saml provider.
- ldap_
settings SsoSettings Ldap Settings Args - The LDAP settings set. Required for the ldap provider.
- oauth2_
settings SsoSettings Oauth2Settings Args - The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- provider_
name str - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.
- saml_
settings SsoSettings Saml Settings Args - The SAML settings set. Required for the saml provider.
- ldap
Settings Property Map - The LDAP settings set. Required for the ldap provider.
- oauth2Settings Property Map
- The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
- provider
Name String - The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.
- saml
Settings Property Map - The SAML settings set. Required for the saml provider.
Supporting Types
SsoSettingsLdapSettings, SsoSettingsLdapSettingsArgs
, SsoSettingsLdapSettingsArgs
- Config
This property is required. Pulumiverse.Grafana. Oss. Inputs. Sso Settings Ldap Settings Config - The LDAP configuration.
- Allow
Sign boolUp - Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.
- Enabled bool
- Define whether this configuration is enabled for LDAP. Defaults to
true. - Skip
Org boolRole Sync - Prevent synchronizing users’ organization roles from LDAP.
- Config
This property is required. SsoSettings Ldap Settings Config - The LDAP configuration.
- Allow
Sign boolUp - Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.
- Enabled bool
- Define whether this configuration is enabled for LDAP. Defaults to
true. - Skip
Org boolRole Sync - Prevent synchronizing users’ organization roles from LDAP.
- config
This property is required. SsoSettings Ldap Settings Config - The LDAP configuration.
- allow
Sign BooleanUp - Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.
- enabled Boolean
- Define whether this configuration is enabled for LDAP. Defaults to
true. - skip
Org BooleanRole Sync - Prevent synchronizing users’ organization roles from LDAP.
- config
This property is required. SsoSettings Ldap Settings Config - The LDAP configuration.
- allow
Sign booleanUp - Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.
- enabled boolean
- Define whether this configuration is enabled for LDAP. Defaults to
true. - skip
Org booleanRole Sync - Prevent synchronizing users’ organization roles from LDAP.
- config
This property is required. SsoSettings Ldap Settings Config - The LDAP configuration.
- allow_
sign_ boolup - Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.
- enabled bool
- Define whether this configuration is enabled for LDAP. Defaults to
true. - skip_
org_ boolrole_ sync - Prevent synchronizing users’ organization roles from LDAP.
- config
This property is required. Property Map - The LDAP configuration.
- allow
Sign BooleanUp - Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.
- enabled Boolean
- Define whether this configuration is enabled for LDAP. Defaults to
true. - skip
Org BooleanRole Sync - Prevent synchronizing users’ organization roles from LDAP.
SsoSettingsLdapSettingsConfig, SsoSettingsLdapSettingsConfigArgs
, SsoSettingsLdapSettingsConfigArgs
- Servers
This property is required. List<Pulumiverse.Grafana. Oss. Inputs. Sso Settings Ldap Settings Config Server> - The LDAP servers configuration.
- Servers
This property is required. []SsoSettings Ldap Settings Config Server - The LDAP servers configuration.
- servers
This property is required. List<SsoSettings Ldap Settings Config Server> - The LDAP servers configuration.
- servers
This property is required. SsoSettings Ldap Settings Config Server[] - The LDAP servers configuration.
- servers
This property is required. Sequence[SsoSettings Ldap Settings Config Server] - The LDAP servers configuration.
- servers
This property is required. List<Property Map> - The LDAP servers configuration.
SsoSettingsLdapSettingsConfigServer, SsoSettingsLdapSettingsConfigServerArgs
, SsoSettingsLdapSettingsConfigServerArgs
- Host
This property is required. string - The LDAP server host.
- Search
Base Dns This property is required. List<string> - An array of base DNs to search through.
- Search
Filter This property is required. string - The user search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)".
- Attributes Dictionary<string, string>
- The LDAP server attributes. The following attributes can be configured: email, member_of, name, surname, username.
- Bind
Dn string - The search user bind DN.
- Bind
Password string - The search user bind password.
- Client
Cert string - The path to the client certificate.
- Client
Cert stringValue - The Base64 encoded value of the client certificate.
- Client
Key string - The path to the client private key.
- Client
Key stringValue - The Base64 encoded value of the client private key.
- Group
Mappings List<Pulumiverse.Grafana. Oss. Inputs. Sso Settings Ldap Settings Config Server Group Mapping> - For mapping an LDAP group to a Grafana organization and role.
- Group
Search List<string>Base Dns - An array of the base DNs to search through for groups. Typically uses ou=groups.
- Group
Search stringFilter - Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).
- Group
Search stringFilter User Attribute - The %s in the search filter will be replaced with the attribute defined in this field.
- Min
Tls stringVersion - Minimum TLS version allowed. Accepted values are: TLS1.2, TLS1.3.
- Port int
- The LDAP server port.
- Root
Ca stringCert - The path to the root CA certificate.
- Root
Ca List<string>Cert Values - The Base64 encoded values of the root CA certificates.
- Ssl
Skip boolVerify - If set to true, the SSL cert validation will be skipped.
- Start
Tls bool - If set to true, use LDAP with STARTTLS instead of LDAPS.
- Timeout int
- The timeout in seconds for connecting to the LDAP host.
- Tls
Ciphers List<string> - Accepted TLS ciphers. For a complete list of supported ciphers, refer to: https://go.dev/src/crypto/tls/cipher_suites.go.
- Use
Ssl bool - Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS).
- Host
This property is required. string - The LDAP server host.
- Search
Base Dns This property is required. []string - An array of base DNs to search through.
- Search
Filter This property is required. string - The user search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)".
- Attributes map[string]string
- The LDAP server attributes. The following attributes can be configured: email, member_of, name, surname, username.
- Bind
Dn string - The search user bind DN.
- Bind
Password string - The search user bind password.
- Client
Cert string - The path to the client certificate.
- Client
Cert stringValue - The Base64 encoded value of the client certificate.
- Client
Key string - The path to the client private key.
- Client
Key stringValue - The Base64 encoded value of the client private key.
- Group
Mappings []SsoSettings Ldap Settings Config Server Group Mapping - For mapping an LDAP group to a Grafana organization and role.
- Group
Search []stringBase Dns - An array of the base DNs to search through for groups. Typically uses ou=groups.
- Group
Search stringFilter - Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).
- Group
Search stringFilter User Attribute - The %s in the search filter will be replaced with the attribute defined in this field.
- Min
Tls stringVersion - Minimum TLS version allowed. Accepted values are: TLS1.2, TLS1.3.
- Port int
- The LDAP server port.
- Root
Ca stringCert - The path to the root CA certificate.
- Root
Ca []stringCert Values - The Base64 encoded values of the root CA certificates.
- Ssl
Skip boolVerify - If set to true, the SSL cert validation will be skipped.
- Start
Tls bool - If set to true, use LDAP with STARTTLS instead of LDAPS.
- Timeout int
- The timeout in seconds for connecting to the LDAP host.
- Tls
Ciphers []string - Accepted TLS ciphers. For a complete list of supported ciphers, refer to: https://go.dev/src/crypto/tls/cipher_suites.go.
- Use
Ssl bool - Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS).
- host
This property is required. String - The LDAP server host.
- search
Base Dns This property is required. List<String> - An array of base DNs to search through.
- search
Filter This property is required. String - The user search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)".
- attributes Map<String,String>
- The LDAP server attributes. The following attributes can be configured: email, member_of, name, surname, username.
- bind
Dn String - The search user bind DN.
- bind
Password String - The search user bind password.
- client
Cert String - The path to the client certificate.
- client
Cert StringValue - The Base64 encoded value of the client certificate.
- client
Key String - The path to the client private key.
- client
Key StringValue - The Base64 encoded value of the client private key.
- group
Mappings List<SsoSettings Ldap Settings Config Server Group Mapping> - For mapping an LDAP group to a Grafana organization and role.
- group
Search List<String>Base Dns - An array of the base DNs to search through for groups. Typically uses ou=groups.
- group
Search StringFilter - Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).
- group
Search StringFilter User Attribute - The %s in the search filter will be replaced with the attribute defined in this field.
- min
Tls StringVersion - Minimum TLS version allowed. Accepted values are: TLS1.2, TLS1.3.
- port Integer
- The LDAP server port.
- root
Ca StringCert - The path to the root CA certificate.
- root
Ca List<String>Cert Values - The Base64 encoded values of the root CA certificates.
- ssl
Skip BooleanVerify - If set to true, the SSL cert validation will be skipped.
- start
Tls Boolean - If set to true, use LDAP with STARTTLS instead of LDAPS.
- timeout Integer
- The timeout in seconds for connecting to the LDAP host.
- tls
Ciphers List<String> - Accepted TLS ciphers. For a complete list of supported ciphers, refer to: https://go.dev/src/crypto/tls/cipher_suites.go.
- use
Ssl Boolean - Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS).
- host
This property is required. string - The LDAP server host.
- search
Base Dns This property is required. string[] - An array of base DNs to search through.
- search
Filter This property is required. string - The user search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)".
- attributes {[key: string]: string}
- The LDAP server attributes. The following attributes can be configured: email, member_of, name, surname, username.
- bind
Dn string - The search user bind DN.
- bind
Password string - The search user bind password.
- client
Cert string - The path to the client certificate.
- client
Cert stringValue - The Base64 encoded value of the client certificate.
- client
Key string - The path to the client private key.
- client
Key stringValue - The Base64 encoded value of the client private key.
- group
Mappings SsoSettings Ldap Settings Config Server Group Mapping[] - For mapping an LDAP group to a Grafana organization and role.
- group
Search string[]Base Dns - An array of the base DNs to search through for groups. Typically uses ou=groups.
- group
Search stringFilter - Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).
- group
Search stringFilter User Attribute - The %s in the search filter will be replaced with the attribute defined in this field.
- min
Tls stringVersion - Minimum TLS version allowed. Accepted values are: TLS1.2, TLS1.3.
- port number
- The LDAP server port.
- root
Ca stringCert - The path to the root CA certificate.
- root
Ca string[]Cert Values - The Base64 encoded values of the root CA certificates.
- ssl
Skip booleanVerify - If set to true, the SSL cert validation will be skipped.
- start
Tls boolean - If set to true, use LDAP with STARTTLS instead of LDAPS.
- timeout number
- The timeout in seconds for connecting to the LDAP host.
- tls
Ciphers string[] - Accepted TLS ciphers. For a complete list of supported ciphers, refer to: https://go.dev/src/crypto/tls/cipher_suites.go.
- use
Ssl boolean - Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS).
- host
This property is required. str - The LDAP server host.
- search_
base_ dns This property is required. Sequence[str] - An array of base DNs to search through.
- search_
filter This property is required. str - The user search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)".
- attributes Mapping[str, str]
- The LDAP server attributes. The following attributes can be configured: email, member_of, name, surname, username.
- bind_
dn str - The search user bind DN.
- bind_
password str - The search user bind password.
- client_
cert str - The path to the client certificate.
- client_
cert_ strvalue - The Base64 encoded value of the client certificate.
- client_
key str - The path to the client private key.
- client_
key_ strvalue - The Base64 encoded value of the client private key.
- group_
mappings Sequence[SsoSettings Ldap Settings Config Server Group Mapping] - For mapping an LDAP group to a Grafana organization and role.
- group_
search_ Sequence[str]base_ dns - An array of the base DNs to search through for groups. Typically uses ou=groups.
- group_
search_ strfilter - Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).
- group_
search_ strfilter_ user_ attribute - The %s in the search filter will be replaced with the attribute defined in this field.
- min_
tls_ strversion - Minimum TLS version allowed. Accepted values are: TLS1.2, TLS1.3.
- port int
- The LDAP server port.
- root_
ca_ strcert - The path to the root CA certificate.
- root_
ca_ Sequence[str]cert_ values - The Base64 encoded values of the root CA certificates.
- ssl_
skip_ boolverify - If set to true, the SSL cert validation will be skipped.
- start_
tls bool - If set to true, use LDAP with STARTTLS instead of LDAPS.
- timeout int
- The timeout in seconds for connecting to the LDAP host.
- tls_
ciphers Sequence[str] - Accepted TLS ciphers. For a complete list of supported ciphers, refer to: https://go.dev/src/crypto/tls/cipher_suites.go.
- use_
ssl bool - Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS).
- host
This property is required. String - The LDAP server host.
- search
Base Dns This property is required. List<String> - An array of base DNs to search through.
- search
Filter This property is required. String - The user search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)".
- attributes Map<String>
- The LDAP server attributes. The following attributes can be configured: email, member_of, name, surname, username.
- bind
Dn String - The search user bind DN.
- bind
Password String - The search user bind password.
- client
Cert String - The path to the client certificate.
- client
Cert StringValue - The Base64 encoded value of the client certificate.
- client
Key String - The path to the client private key.
- client
Key StringValue - The Base64 encoded value of the client private key.
- group
Mappings List<Property Map> - For mapping an LDAP group to a Grafana organization and role.
- group
Search List<String>Base Dns - An array of the base DNs to search through for groups. Typically uses ou=groups.
- group
Search StringFilter - Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).
- group
Search StringFilter User Attribute - The %s in the search filter will be replaced with the attribute defined in this field.
- min
Tls StringVersion - Minimum TLS version allowed. Accepted values are: TLS1.2, TLS1.3.
- port Number
- The LDAP server port.
- root
Ca StringCert - The path to the root CA certificate.
- root
Ca List<String>Cert Values - The Base64 encoded values of the root CA certificates.
- ssl
Skip BooleanVerify - If set to true, the SSL cert validation will be skipped.
- start
Tls Boolean - If set to true, use LDAP with STARTTLS instead of LDAPS.
- timeout Number
- The timeout in seconds for connecting to the LDAP host.
- tls
Ciphers List<String> - Accepted TLS ciphers. For a complete list of supported ciphers, refer to: https://go.dev/src/crypto/tls/cipher_suites.go.
- use
Ssl Boolean - Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS).
SsoSettingsLdapSettingsConfigServerGroupMapping, SsoSettingsLdapSettingsConfigServerGroupMappingArgs
, SsoSettingsLdapSettingsConfigServerGroupMappingArgs
- Group
Dn This property is required. string - LDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard ("*").
- Org
Role This property is required. string - Assign users of group_dn the organization role Admin, Editor, or Viewer.
- Grafana
Admin bool - If set to true, it makes the user of group_dn Grafana server admin.
- Org
Id int - The Grafana organization database id.
- Group
Dn This property is required. string - LDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard ("*").
- Org
Role This property is required. string - Assign users of group_dn the organization role Admin, Editor, or Viewer.
- Grafana
Admin bool - If set to true, it makes the user of group_dn Grafana server admin.
- Org
Id int - The Grafana organization database id.
- group
Dn This property is required. String - LDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard ("*").
- org
Role This property is required. String - Assign users of group_dn the organization role Admin, Editor, or Viewer.
- grafana
Admin Boolean - If set to true, it makes the user of group_dn Grafana server admin.
- org
Id Integer - The Grafana organization database id.
- group
Dn This property is required. string - LDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard ("*").
- org
Role This property is required. string - Assign users of group_dn the organization role Admin, Editor, or Viewer.
- grafana
Admin boolean - If set to true, it makes the user of group_dn Grafana server admin.
- org
Id number - The Grafana organization database id.
- group_
dn This property is required. str - LDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard ("*").
- org_
role This property is required. str - Assign users of group_dn the organization role Admin, Editor, or Viewer.
- grafana_
admin bool - If set to true, it makes the user of group_dn Grafana server admin.
- org_
id int - The Grafana organization database id.
- group
Dn This property is required. String - LDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard ("*").
- org
Role This property is required. String - Assign users of group_dn the organization role Admin, Editor, or Viewer.
- grafana
Admin Boolean - If set to true, it makes the user of group_dn Grafana server admin.
- org
Id Number - The Grafana organization database id.
SsoSettingsOauth2Settings, SsoSettingsOauth2SettingsArgs
, SsoSettingsOauth2SettingsArgs
- Client
Id This property is required. string - The client Id of your OAuth2 app.
- Allow
Assign boolGrafana Admin - If enabled, it will automatically sync the Grafana server administrator role.
- Allow
Sign boolUp - If not enabled, only existing Grafana users can log in using OAuth.
- Allowed
Domains string - List of comma- or space-separated domains. The user should belong to at least one domain to log in.
- Allowed
Groups string - List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
- Allowed
Organizations string - List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
- Api
Url string - The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
- Auth
Style string - It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
- Auth
Url string - The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- Auto
Login bool - Log in automatically, skipping the login screen.
- Client
Secret string - The client secret of your OAuth2 app.
- Custom Dictionary<string, string>
- Custom fields to configure for OAuth2 such as the forceusegraph_api field.
- Define
Allowed boolGroups - Define allowed groups.
- Define
Allowed boolTeams Ids - Define allowed teams ids.
- Email
Attribute stringName - Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
- Email
Attribute stringPath - JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
- Empty
Scopes bool - If enabled, no scopes will be sent to the OAuth2 provider.
- Enabled bool
- Define whether this configuration is enabled for the specified provider. Defaults to
true. - Groups
Attribute stringPath - JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
- Id
Token stringAttribute Name - The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
- Login
Attribute stringPath - JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
- Name string
- Helpful if you use more than one identity providers or SSO protocols.
- Name
Attribute stringPath - JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
- Org
Attribute stringPath - JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match "Organization" in the "org_mapping"). Only applicable to Generic OAuth and Okta.
- Org
Mapping string - List of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: None, Viewer, Editor or Admin.
- Role
Attribute stringPath - JMESPath expression to use for Grafana role lookup.
- Role
Attribute boolStrict - If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
- Scopes string
- List of comma- or space-separated OAuth2 scopes.
- Signout
Redirect stringUrl - The URL to redirect the user to after signing out from Grafana.
- Skip
Org boolRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- Team
Ids string - String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
- Team
Ids stringAttribute Path - The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
- Teams
Url string - The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
- Tls
Client stringCa - The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
- Tls
Client stringCert - The path to the certificate. Is not applicable on Grafana Cloud.
- Tls
Client stringKey - The path to the key. Is not applicable on Grafana Cloud.
- Tls
Skip boolVerify Insecure - If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
- Token
Url string - The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- Use
Pkce bool - If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
- Use
Refresh boolToken - If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
- Client
Id This property is required. string - The client Id of your OAuth2 app.
- Allow
Assign boolGrafana Admin - If enabled, it will automatically sync the Grafana server administrator role.
- Allow
Sign boolUp - If not enabled, only existing Grafana users can log in using OAuth.
- Allowed
Domains string - List of comma- or space-separated domains. The user should belong to at least one domain to log in.
- Allowed
Groups string - List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
- Allowed
Organizations string - List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
- Api
Url string - The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
- Auth
Style string - It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
- Auth
Url string - The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- Auto
Login bool - Log in automatically, skipping the login screen.
- Client
Secret string - The client secret of your OAuth2 app.
- Custom map[string]string
- Custom fields to configure for OAuth2 such as the forceusegraph_api field.
- Define
Allowed boolGroups - Define allowed groups.
- Define
Allowed boolTeams Ids - Define allowed teams ids.
- Email
Attribute stringName - Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
- Email
Attribute stringPath - JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
- Empty
Scopes bool - If enabled, no scopes will be sent to the OAuth2 provider.
- Enabled bool
- Define whether this configuration is enabled for the specified provider. Defaults to
true. - Groups
Attribute stringPath - JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
- Id
Token stringAttribute Name - The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
- Login
Attribute stringPath - JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
- Name string
- Helpful if you use more than one identity providers or SSO protocols.
- Name
Attribute stringPath - JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
- Org
Attribute stringPath - JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match "Organization" in the "org_mapping"). Only applicable to Generic OAuth and Okta.
- Org
Mapping string - List of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: None, Viewer, Editor or Admin.
- Role
Attribute stringPath - JMESPath expression to use for Grafana role lookup.
- Role
Attribute boolStrict - If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
- Scopes string
- List of comma- or space-separated OAuth2 scopes.
- Signout
Redirect stringUrl - The URL to redirect the user to after signing out from Grafana.
- Skip
Org boolRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- Team
Ids string - String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
- Team
Ids stringAttribute Path - The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
- Teams
Url string - The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
- Tls
Client stringCa - The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
- Tls
Client stringCert - The path to the certificate. Is not applicable on Grafana Cloud.
- Tls
Client stringKey - The path to the key. Is not applicable on Grafana Cloud.
- Tls
Skip boolVerify Insecure - If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
- Token
Url string - The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- Use
Pkce bool - If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
- Use
Refresh boolToken - If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
- client
Id This property is required. String - The client Id of your OAuth2 app.
- allow
Assign BooleanGrafana Admin - If enabled, it will automatically sync the Grafana server administrator role.
- allow
Sign BooleanUp - If not enabled, only existing Grafana users can log in using OAuth.
- allowed
Domains String - List of comma- or space-separated domains. The user should belong to at least one domain to log in.
- allowed
Groups String - List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
- allowed
Organizations String - List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
- api
Url String - The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
- auth
Style String - It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
- auth
Url String - The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- auto
Login Boolean - Log in automatically, skipping the login screen.
- client
Secret String - The client secret of your OAuth2 app.
- custom Map<String,String>
- Custom fields to configure for OAuth2 such as the forceusegraph_api field.
- define
Allowed BooleanGroups - Define allowed groups.
- define
Allowed BooleanTeams Ids - Define allowed teams ids.
- email
Attribute StringName - Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
- email
Attribute StringPath - JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
- empty
Scopes Boolean - If enabled, no scopes will be sent to the OAuth2 provider.
- enabled Boolean
- Define whether this configuration is enabled for the specified provider. Defaults to
true. - groups
Attribute StringPath - JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
- id
Token StringAttribute Name - The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
- login
Attribute StringPath - JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
- name String
- Helpful if you use more than one identity providers or SSO protocols.
- name
Attribute StringPath - JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
- org
Attribute StringPath - JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match "Organization" in the "org_mapping"). Only applicable to Generic OAuth and Okta.
- org
Mapping String - List of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: None, Viewer, Editor or Admin.
- role
Attribute StringPath - JMESPath expression to use for Grafana role lookup.
- role
Attribute BooleanStrict - If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
- scopes String
- List of comma- or space-separated OAuth2 scopes.
- signout
Redirect StringUrl - The URL to redirect the user to after signing out from Grafana.
- skip
Org BooleanRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- team
Ids String - String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
- team
Ids StringAttribute Path - The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
- teams
Url String - The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
- tls
Client StringCa - The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
- tls
Client StringCert - The path to the certificate. Is not applicable on Grafana Cloud.
- tls
Client StringKey - The path to the key. Is not applicable on Grafana Cloud.
- tls
Skip BooleanVerify Insecure - If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
- token
Url String - The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- use
Pkce Boolean - If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
- use
Refresh BooleanToken - If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
- client
Id This property is required. string - The client Id of your OAuth2 app.
- allow
Assign booleanGrafana Admin - If enabled, it will automatically sync the Grafana server administrator role.
- allow
Sign booleanUp - If not enabled, only existing Grafana users can log in using OAuth.
- allowed
Domains string - List of comma- or space-separated domains. The user should belong to at least one domain to log in.
- allowed
Groups string - List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
- allowed
Organizations string - List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
- api
Url string - The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
- auth
Style string - It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
- auth
Url string - The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- auto
Login boolean - Log in automatically, skipping the login screen.
- client
Secret string - The client secret of your OAuth2 app.
- custom {[key: string]: string}
- Custom fields to configure for OAuth2 such as the forceusegraph_api field.
- define
Allowed booleanGroups - Define allowed groups.
- define
Allowed booleanTeams Ids - Define allowed teams ids.
- email
Attribute stringName - Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
- email
Attribute stringPath - JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
- empty
Scopes boolean - If enabled, no scopes will be sent to the OAuth2 provider.
- enabled boolean
- Define whether this configuration is enabled for the specified provider. Defaults to
true. - groups
Attribute stringPath - JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
- id
Token stringAttribute Name - The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
- login
Attribute stringPath - JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
- name string
- Helpful if you use more than one identity providers or SSO protocols.
- name
Attribute stringPath - JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
- org
Attribute stringPath - JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match "Organization" in the "org_mapping"). Only applicable to Generic OAuth and Okta.
- org
Mapping string - List of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: None, Viewer, Editor or Admin.
- role
Attribute stringPath - JMESPath expression to use for Grafana role lookup.
- role
Attribute booleanStrict - If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
- scopes string
- List of comma- or space-separated OAuth2 scopes.
- signout
Redirect stringUrl - The URL to redirect the user to after signing out from Grafana.
- skip
Org booleanRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- team
Ids string - String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
- team
Ids stringAttribute Path - The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
- teams
Url string - The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
- tls
Client stringCa - The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
- tls
Client stringCert - The path to the certificate. Is not applicable on Grafana Cloud.
- tls
Client stringKey - The path to the key. Is not applicable on Grafana Cloud.
- tls
Skip booleanVerify Insecure - If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
- token
Url string - The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- use
Pkce boolean - If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
- use
Refresh booleanToken - If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
- client_
id This property is required. str - The client Id of your OAuth2 app.
- allow_
assign_ boolgrafana_ admin - If enabled, it will automatically sync the Grafana server administrator role.
- allow_
sign_ boolup - If not enabled, only existing Grafana users can log in using OAuth.
- allowed_
domains str - List of comma- or space-separated domains. The user should belong to at least one domain to log in.
- allowed_
groups str - List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
- allowed_
organizations str - List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
- api_
url str - The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
- auth_
style str - It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
- auth_
url str - The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- auto_
login bool - Log in automatically, skipping the login screen.
- client_
secret str - The client secret of your OAuth2 app.
- custom Mapping[str, str]
- Custom fields to configure for OAuth2 such as the forceusegraph_api field.
- define_
allowed_ boolgroups - Define allowed groups.
- define_
allowed_ boolteams_ ids - Define allowed teams ids.
- email_
attribute_ strname - Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
- email_
attribute_ strpath - JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
- empty_
scopes bool - If enabled, no scopes will be sent to the OAuth2 provider.
- enabled bool
- Define whether this configuration is enabled for the specified provider. Defaults to
true. - groups_
attribute_ strpath - JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
- id_
token_ strattribute_ name - The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
- login_
attribute_ strpath - JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
- name str
- Helpful if you use more than one identity providers or SSO protocols.
- name_
attribute_ strpath - JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
- org_
attribute_ strpath - JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match "Organization" in the "org_mapping"). Only applicable to Generic OAuth and Okta.
- org_
mapping str - List of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: None, Viewer, Editor or Admin.
- role_
attribute_ strpath - JMESPath expression to use for Grafana role lookup.
- role_
attribute_ boolstrict - If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
- scopes str
- List of comma- or space-separated OAuth2 scopes.
- signout_
redirect_ strurl - The URL to redirect the user to after signing out from Grafana.
- skip_
org_ boolrole_ sync - Prevent synchronizing users’ organization roles from your IdP.
- team_
ids str - String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
- team_
ids_ strattribute_ path - The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
- teams_
url str - The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
- tls_
client_ strca - The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
- tls_
client_ strcert - The path to the certificate. Is not applicable on Grafana Cloud.
- tls_
client_ strkey - The path to the key. Is not applicable on Grafana Cloud.
- tls_
skip_ boolverify_ insecure - If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
- token_
url str - The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- use_
pkce bool - If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
- use_
refresh_ booltoken - If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
- client
Id This property is required. String - The client Id of your OAuth2 app.
- allow
Assign BooleanGrafana Admin - If enabled, it will automatically sync the Grafana server administrator role.
- allow
Sign BooleanUp - If not enabled, only existing Grafana users can log in using OAuth.
- allowed
Domains String - List of comma- or space-separated domains. The user should belong to at least one domain to log in.
- allowed
Groups String - List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
- allowed
Organizations String - List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
- api
Url String - The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
- auth
Style String - It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
- auth
Url String - The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- auto
Login Boolean - Log in automatically, skipping the login screen.
- client
Secret String - The client secret of your OAuth2 app.
- custom Map<String>
- Custom fields to configure for OAuth2 such as the forceusegraph_api field.
- define
Allowed BooleanGroups - Define allowed groups.
- define
Allowed BooleanTeams Ids - Define allowed teams ids.
- email
Attribute StringName - Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
- email
Attribute StringPath - JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
- empty
Scopes Boolean - If enabled, no scopes will be sent to the OAuth2 provider.
- enabled Boolean
- Define whether this configuration is enabled for the specified provider. Defaults to
true. - groups
Attribute StringPath - JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
- id
Token StringAttribute Name - The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
- login
Attribute StringPath - JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
- name String
- Helpful if you use more than one identity providers or SSO protocols.
- name
Attribute StringPath - JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
- org
Attribute StringPath - JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match "Organization" in the "org_mapping"). Only applicable to Generic OAuth and Okta.
- org
Mapping String - List of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: None, Viewer, Editor or Admin.
- role
Attribute StringPath - JMESPath expression to use for Grafana role lookup.
- role
Attribute BooleanStrict - If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
- scopes String
- List of comma- or space-separated OAuth2 scopes.
- signout
Redirect StringUrl - The URL to redirect the user to after signing out from Grafana.
- skip
Org BooleanRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- team
Ids String - String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
- team
Ids StringAttribute Path - The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
- teams
Url String - The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
- tls
Client StringCa - The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
- tls
Client StringCert - The path to the certificate. Is not applicable on Grafana Cloud.
- tls
Client StringKey - The path to the key. Is not applicable on Grafana Cloud.
- tls
Skip BooleanVerify Insecure - If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
- token
Url String - The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
- use
Pkce Boolean - If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
- use
Refresh BooleanToken - If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.
SsoSettingsSamlSettings, SsoSettingsSamlSettingsArgs
, SsoSettingsSamlSettingsArgs
- Allow
Idp boolInitiated - Whether SAML IdP-initiated login is allowed.
- Allow
Sign boolUp - Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
- Allowed
Organizations string - List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
- Assertion
Attribute stringEmail - Friendly name or name of the attribute within the SAML assertion to use as the user email.
- Assertion
Attribute stringGroups - Friendly name or name of the attribute within the SAML assertion to use as the user groups.
- Assertion
Attribute stringLogin - Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
- Assertion
Attribute stringName - Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
- Assertion
Attribute stringOrg - Friendly name or name of the attribute within the SAML assertion to use as the user organization.
- Assertion
Attribute stringRole - Friendly name or name of the attribute within the SAML assertion to use as the user roles.
- Auto
Login bool - Whether SAML auto login is enabled.
- Certificate string
- Base64-encoded string for the SP X.509 certificate.
- Certificate
Path string - Path for the SP X.509 certificate.
- Client
Id string - The client Id of your OAuth2 app.
- Client
Secret string - The client secret of your OAuth2 app.
- Enabled bool
- Define whether this configuration is enabled for SAML. Defaults to
true. - Entity
Id string - The entity ID is a globally unique identifier for the service provider. It is used to identify the service provider to the identity provider. Defaults to the URL of the Grafana instance if not set.
- Force
Use boolGraph Api - If enabled, Grafana will fetch groups from Microsoft Graph API instead of using the groups claim from the ID token.
- Idp
Metadata string - Base64-encoded string for the IdP SAML metadata XML.
- Idp
Metadata stringPath - Path for the IdP SAML metadata XML.
- Idp
Metadata stringUrl - URL for the IdP SAML metadata XML.
- Max
Issue stringDelay - Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
- Metadata
Valid stringDuration - Duration, for how long the SP metadata is valid. For example: 48h, 5d.
- Name string
- Name used to refer to the SAML authentication.
- Name
Id stringFormat - The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- Org
Mapping string - List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
- Private
Key string - Base64-encoded string for the SP private key.
- Private
Key stringPath - Path for the SP private key.
- Relay
State string - Relay state for IdP-initiated login. Should match relay state configured in IdP.
- Role
Values stringAdmin - List of comma- or space-separated roles which will be mapped into the Admin role.
- Role
Values stringEditor - List of comma- or space-separated roles which will be mapped into the Editor role.
- Role
Values stringGrafana Admin - List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
- Role
Values stringNone - List of comma- or space-separated roles which will be mapped into the None role.
- Role
Values stringViewer - List of comma- or space-separated roles which will be mapped into the Viewer role.
- Signature
Algorithm string - Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
- Single
Logout bool - Whether SAML Single Logout is enabled.
- Skip
Org boolRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- Token
Url string - The token endpoint of your OAuth2 provider. Required for Azure AD providers.
- Allow
Idp boolInitiated - Whether SAML IdP-initiated login is allowed.
- Allow
Sign boolUp - Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
- Allowed
Organizations string - List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
- Assertion
Attribute stringEmail - Friendly name or name of the attribute within the SAML assertion to use as the user email.
- Assertion
Attribute stringGroups - Friendly name or name of the attribute within the SAML assertion to use as the user groups.
- Assertion
Attribute stringLogin - Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
- Assertion
Attribute stringName - Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
- Assertion
Attribute stringOrg - Friendly name or name of the attribute within the SAML assertion to use as the user organization.
- Assertion
Attribute stringRole - Friendly name or name of the attribute within the SAML assertion to use as the user roles.
- Auto
Login bool - Whether SAML auto login is enabled.
- Certificate string
- Base64-encoded string for the SP X.509 certificate.
- Certificate
Path string - Path for the SP X.509 certificate.
- Client
Id string - The client Id of your OAuth2 app.
- Client
Secret string - The client secret of your OAuth2 app.
- Enabled bool
- Define whether this configuration is enabled for SAML. Defaults to
true. - Entity
Id string - The entity ID is a globally unique identifier for the service provider. It is used to identify the service provider to the identity provider. Defaults to the URL of the Grafana instance if not set.
- Force
Use boolGraph Api - If enabled, Grafana will fetch groups from Microsoft Graph API instead of using the groups claim from the ID token.
- Idp
Metadata string - Base64-encoded string for the IdP SAML metadata XML.
- Idp
Metadata stringPath - Path for the IdP SAML metadata XML.
- Idp
Metadata stringUrl - URL for the IdP SAML metadata XML.
- Max
Issue stringDelay - Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
- Metadata
Valid stringDuration - Duration, for how long the SP metadata is valid. For example: 48h, 5d.
- Name string
- Name used to refer to the SAML authentication.
- Name
Id stringFormat - The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- Org
Mapping string - List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
- Private
Key string - Base64-encoded string for the SP private key.
- Private
Key stringPath - Path for the SP private key.
- Relay
State string - Relay state for IdP-initiated login. Should match relay state configured in IdP.
- Role
Values stringAdmin - List of comma- or space-separated roles which will be mapped into the Admin role.
- Role
Values stringEditor - List of comma- or space-separated roles which will be mapped into the Editor role.
- Role
Values stringGrafana Admin - List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
- Role
Values stringNone - List of comma- or space-separated roles which will be mapped into the None role.
- Role
Values stringViewer - List of comma- or space-separated roles which will be mapped into the Viewer role.
- Signature
Algorithm string - Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
- Single
Logout bool - Whether SAML Single Logout is enabled.
- Skip
Org boolRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- Token
Url string - The token endpoint of your OAuth2 provider. Required for Azure AD providers.
- allow
Idp BooleanInitiated - Whether SAML IdP-initiated login is allowed.
- allow
Sign BooleanUp - Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
- allowed
Organizations String - List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
- assertion
Attribute StringEmail - Friendly name or name of the attribute within the SAML assertion to use as the user email.
- assertion
Attribute StringGroups - Friendly name or name of the attribute within the SAML assertion to use as the user groups.
- assertion
Attribute StringLogin - Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
- assertion
Attribute StringName - Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
- assertion
Attribute StringOrg - Friendly name or name of the attribute within the SAML assertion to use as the user organization.
- assertion
Attribute StringRole - Friendly name or name of the attribute within the SAML assertion to use as the user roles.
- auto
Login Boolean - Whether SAML auto login is enabled.
- certificate String
- Base64-encoded string for the SP X.509 certificate.
- certificate
Path String - Path for the SP X.509 certificate.
- client
Id String - The client Id of your OAuth2 app.
- client
Secret String - The client secret of your OAuth2 app.
- enabled Boolean
- Define whether this configuration is enabled for SAML. Defaults to
true. - entity
Id String - The entity ID is a globally unique identifier for the service provider. It is used to identify the service provider to the identity provider. Defaults to the URL of the Grafana instance if not set.
- force
Use BooleanGraph Api - If enabled, Grafana will fetch groups from Microsoft Graph API instead of using the groups claim from the ID token.
- idp
Metadata String - Base64-encoded string for the IdP SAML metadata XML.
- idp
Metadata StringPath - Path for the IdP SAML metadata XML.
- idp
Metadata StringUrl - URL for the IdP SAML metadata XML.
- max
Issue StringDelay - Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
- metadata
Valid StringDuration - Duration, for how long the SP metadata is valid. For example: 48h, 5d.
- name String
- Name used to refer to the SAML authentication.
- name
Id StringFormat - The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- org
Mapping String - List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
- private
Key String - Base64-encoded string for the SP private key.
- private
Key StringPath - Path for the SP private key.
- relay
State String - Relay state for IdP-initiated login. Should match relay state configured in IdP.
- role
Values StringAdmin - List of comma- or space-separated roles which will be mapped into the Admin role.
- role
Values StringEditor - List of comma- or space-separated roles which will be mapped into the Editor role.
- role
Values StringGrafana Admin - List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
- role
Values StringNone - List of comma- or space-separated roles which will be mapped into the None role.
- role
Values StringViewer - List of comma- or space-separated roles which will be mapped into the Viewer role.
- signature
Algorithm String - Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
- single
Logout Boolean - Whether SAML Single Logout is enabled.
- skip
Org BooleanRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- token
Url String - The token endpoint of your OAuth2 provider. Required for Azure AD providers.
- allow
Idp booleanInitiated - Whether SAML IdP-initiated login is allowed.
- allow
Sign booleanUp - Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
- allowed
Organizations string - List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
- assertion
Attribute stringEmail - Friendly name or name of the attribute within the SAML assertion to use as the user email.
- assertion
Attribute stringGroups - Friendly name or name of the attribute within the SAML assertion to use as the user groups.
- assertion
Attribute stringLogin - Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
- assertion
Attribute stringName - Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
- assertion
Attribute stringOrg - Friendly name or name of the attribute within the SAML assertion to use as the user organization.
- assertion
Attribute stringRole - Friendly name or name of the attribute within the SAML assertion to use as the user roles.
- auto
Login boolean - Whether SAML auto login is enabled.
- certificate string
- Base64-encoded string for the SP X.509 certificate.
- certificate
Path string - Path for the SP X.509 certificate.
- client
Id string - The client Id of your OAuth2 app.
- client
Secret string - The client secret of your OAuth2 app.
- enabled boolean
- Define whether this configuration is enabled for SAML. Defaults to
true. - entity
Id string - The entity ID is a globally unique identifier for the service provider. It is used to identify the service provider to the identity provider. Defaults to the URL of the Grafana instance if not set.
- force
Use booleanGraph Api - If enabled, Grafana will fetch groups from Microsoft Graph API instead of using the groups claim from the ID token.
- idp
Metadata string - Base64-encoded string for the IdP SAML metadata XML.
- idp
Metadata stringPath - Path for the IdP SAML metadata XML.
- idp
Metadata stringUrl - URL for the IdP SAML metadata XML.
- max
Issue stringDelay - Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
- metadata
Valid stringDuration - Duration, for how long the SP metadata is valid. For example: 48h, 5d.
- name string
- Name used to refer to the SAML authentication.
- name
Id stringFormat - The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- org
Mapping string - List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
- private
Key string - Base64-encoded string for the SP private key.
- private
Key stringPath - Path for the SP private key.
- relay
State string - Relay state for IdP-initiated login. Should match relay state configured in IdP.
- role
Values stringAdmin - List of comma- or space-separated roles which will be mapped into the Admin role.
- role
Values stringEditor - List of comma- or space-separated roles which will be mapped into the Editor role.
- role
Values stringGrafana Admin - List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
- role
Values stringNone - List of comma- or space-separated roles which will be mapped into the None role.
- role
Values stringViewer - List of comma- or space-separated roles which will be mapped into the Viewer role.
- signature
Algorithm string - Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
- single
Logout boolean - Whether SAML Single Logout is enabled.
- skip
Org booleanRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- token
Url string - The token endpoint of your OAuth2 provider. Required for Azure AD providers.
- allow_
idp_ boolinitiated - Whether SAML IdP-initiated login is allowed.
- allow_
sign_ boolup - Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
- allowed_
organizations str - List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
- assertion_
attribute_ stremail - Friendly name or name of the attribute within the SAML assertion to use as the user email.
- assertion_
attribute_ strgroups - Friendly name or name of the attribute within the SAML assertion to use as the user groups.
- assertion_
attribute_ strlogin - Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
- assertion_
attribute_ strname - Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
- assertion_
attribute_ strorg - Friendly name or name of the attribute within the SAML assertion to use as the user organization.
- assertion_
attribute_ strrole - Friendly name or name of the attribute within the SAML assertion to use as the user roles.
- auto_
login bool - Whether SAML auto login is enabled.
- certificate str
- Base64-encoded string for the SP X.509 certificate.
- certificate_
path str - Path for the SP X.509 certificate.
- client_
id str - The client Id of your OAuth2 app.
- client_
secret str - The client secret of your OAuth2 app.
- enabled bool
- Define whether this configuration is enabled for SAML. Defaults to
true. - entity_
id str - The entity ID is a globally unique identifier for the service provider. It is used to identify the service provider to the identity provider. Defaults to the URL of the Grafana instance if not set.
- force_
use_ boolgraph_ api - If enabled, Grafana will fetch groups from Microsoft Graph API instead of using the groups claim from the ID token.
- idp_
metadata str - Base64-encoded string for the IdP SAML metadata XML.
- idp_
metadata_ strpath - Path for the IdP SAML metadata XML.
- idp_
metadata_ strurl - URL for the IdP SAML metadata XML.
- max_
issue_ strdelay - Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
- metadata_
valid_ strduration - Duration, for how long the SP metadata is valid. For example: 48h, 5d.
- name str
- Name used to refer to the SAML authentication.
- name_
id_ strformat - The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- org_
mapping str - List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
- private_
key str - Base64-encoded string for the SP private key.
- private_
key_ strpath - Path for the SP private key.
- relay_
state str - Relay state for IdP-initiated login. Should match relay state configured in IdP.
- role_
values_ stradmin - List of comma- or space-separated roles which will be mapped into the Admin role.
- role_
values_ streditor - List of comma- or space-separated roles which will be mapped into the Editor role.
- role_
values_ strgrafana_ admin - List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
- role_
values_ strnone - List of comma- or space-separated roles which will be mapped into the None role.
- role_
values_ strviewer - List of comma- or space-separated roles which will be mapped into the Viewer role.
- signature_
algorithm str - Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
- single_
logout bool - Whether SAML Single Logout is enabled.
- skip_
org_ boolrole_ sync - Prevent synchronizing users’ organization roles from your IdP.
- token_
url str - The token endpoint of your OAuth2 provider. Required for Azure AD providers.
- allow
Idp BooleanInitiated - Whether SAML IdP-initiated login is allowed.
- allow
Sign BooleanUp - Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
- allowed
Organizations String - List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
- assertion
Attribute StringEmail - Friendly name or name of the attribute within the SAML assertion to use as the user email.
- assertion
Attribute StringGroups - Friendly name or name of the attribute within the SAML assertion to use as the user groups.
- assertion
Attribute StringLogin - Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
- assertion
Attribute StringName - Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
- assertion
Attribute StringOrg - Friendly name or name of the attribute within the SAML assertion to use as the user organization.
- assertion
Attribute StringRole - Friendly name or name of the attribute within the SAML assertion to use as the user roles.
- auto
Login Boolean - Whether SAML auto login is enabled.
- certificate String
- Base64-encoded string for the SP X.509 certificate.
- certificate
Path String - Path for the SP X.509 certificate.
- client
Id String - The client Id of your OAuth2 app.
- client
Secret String - The client secret of your OAuth2 app.
- enabled Boolean
- Define whether this configuration is enabled for SAML. Defaults to
true. - entity
Id String - The entity ID is a globally unique identifier for the service provider. It is used to identify the service provider to the identity provider. Defaults to the URL of the Grafana instance if not set.
- force
Use BooleanGraph Api - If enabled, Grafana will fetch groups from Microsoft Graph API instead of using the groups claim from the ID token.
- idp
Metadata String - Base64-encoded string for the IdP SAML metadata XML.
- idp
Metadata StringPath - Path for the IdP SAML metadata XML.
- idp
Metadata StringUrl - URL for the IdP SAML metadata XML.
- max
Issue StringDelay - Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
- metadata
Valid StringDuration - Duration, for how long the SP metadata is valid. For example: 48h, 5d.
- name String
- Name used to refer to the SAML authentication.
- name
Id StringFormat - The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- org
Mapping String - List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
- private
Key String - Base64-encoded string for the SP private key.
- private
Key StringPath - Path for the SP private key.
- relay
State String - Relay state for IdP-initiated login. Should match relay state configured in IdP.
- role
Values StringAdmin - List of comma- or space-separated roles which will be mapped into the Admin role.
- role
Values StringEditor - List of comma- or space-separated roles which will be mapped into the Editor role.
- role
Values StringGrafana Admin - List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
- role
Values StringNone - List of comma- or space-separated roles which will be mapped into the None role.
- role
Values StringViewer - List of comma- or space-separated roles which will be mapped into the Viewer role.
- signature
Algorithm String - Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
- single
Logout Boolean - Whether SAML Single Logout is enabled.
- skip
Org BooleanRole Sync - Prevent synchronizing users’ organization roles from your IdP.
- token
Url String - The token endpoint of your OAuth2 provider. Required for Azure AD providers.
Import
$ pulumi import grafana:oss/ssoSettings:SsoSettings name "{{ provider }}"
$ pulumi import grafana:oss/ssoSettings:SsoSettings name "{{ orgID }}:{{ provider }}"
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- grafana pulumiverse/pulumi-grafana
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
grafanaTerraform Provider.