253 Commits

Author	SHA1	Message	Date
Vardan Torosyan	f06a12717b	Docs: Add a note about email being required and the usage of sub claim (#112065) ... * Docs: Add a note about email being required and the usage of sub claim * Update docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	2025-10-07 17:40:50 +02:00
Misi	0b639bd1f9	Chore: Rename Azure AD to Entra ID in the authentication-related docs and on the auth UIs (#111887) ... * Chore: Rename Azure AD to Entra ID in the docs and on the UI * lint * i18n update	2025-10-03 12:35:03 +00:00
Misi	54eda07b2e	Docs: Cookie samesite setting clarification (#111730)	2025-09-29 16:17:28 +02:00
John Troy	004f30fcb7	Docs: Fix broken links in SAML docs (#111039) ... * Rename this heading to match the link in 'Request Initiation' * Fix link to 'Configure SAML using the Grafana configuration file' and make the link text match	2025-09-26 13:33:29 -04:00
Andrew Hackmann	47e6528c74	Docs: Fix link reference in Generic OAuth documentation (#111647) ... Corrected the link reference for examples of setting up Generic OAuth.	2025-09-26 11:14:58 +02:00
linoman	8fb2b5022b	SAML Catalog: Add documentation for OIN (#111193) ... * Improve docs for consistency * Add docs for Okta catalog application * Add supported features * Fix Markdown formatting in SAML with Okta guide --------- Co-authored-by: Irene Rodríguez <irene.rodriguez@grafana.com>	2025-09-17 13:47:22 +02:00
Zachary Sistrunk	ac1cd43fac	Documentation: Fix inconsistency in Entra SAML docs (#110314) ... Co-authored-by: Irene Rodríguez <irene.rodriguez@grafana.com>	2025-09-09 09:09:39 +00:00
xavi	f09f77ced4	fix(docs): Fix broken link in Entra ID SAML docs (#110367)	2025-09-01 11:29:00 +02:00
Steffen Baarsgaard	b047175330	Auth: Support JWT configs `tls_client_ca` and `jwk_set_bearer_token_file` (#109095) ... * Auth.jwt: Support config tls_client_ca * Auth.jwt: Support config jwk_set_bearer_token_file * Docs: Document new JWKS url options and mention tls_skip_verify_insecure * Docs: Fix note on JWKS response caching * chore: Refactor getBearerToken into standalone function * docs: Apply wording/formatting suggestions Co-authored-by: Victor Cinaglia <victorcinaglia@gmail.com> * chore: Simplify ca helper function using testcerts Co-authored-by: Victor Cinaglia <victorcinaglia@gmail.com> * chore: Update doc and add comment preventing potential erroneous optimization Co-authored-by: Victor Cinaglia <victorcinaglia@gmail.com> chore: Reword comment prevent an erroneous refactor * docs: Update casing Co-authored-by: Victor Cinaglia <victorcinaglia@gmail.com> --------- Co-authored-by: Victor Cinaglia <victorcinaglia@gmail.com>	2025-08-26 09:50:06 -03:00
linoman	da93f58921	SAML: graph api documentation (#109272) ... * minor fixes * Add Graph API troubleshooting guide * Improve writing * address PR comments	2025-08-07 11:46:12 +02:00
Eve Meelan	147df3de08	Pricing update: no more Cloud Advanced (#109056) ... * scrub Cloud Advanced * prettier edit	2025-08-01 16:23:58 +00:00
renovate[bot]	c94f930950	Update dependency prettier to v3.6.2 (#108689) ... * Update dependency prettier to v3.6.2 * run prettier --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Ashley Harrison <ashley.harrison@grafana.com>	2025-07-25 17:47:44 +01:00
Mihai Doarna	eeb44c1d63	Docs: Remove LDAP debug view section (#108214) ... remove LDAP debug view section from docs	2025-07-22 12:32:24 +03:00
Misi	0cb6e3fe93	Docs: Add custom fields to Azure/Entra Terraform example (#108222) ... Add custom fields to Azure/Entra TF example	2025-07-18 13:00:31 +02:00
Mihai Doarna	8dfb4cdfc9	SSO: Add prompt param to SSO settings (#107969) ... * add prompt param to AzureAD oauth config * yarn i18n-extract * validate auth prompt value * make login_prompt available for all SSO providers * use base authCodeURL for azure and google * add docs for the new field for azure and generic oauth * fix typo * fix frontend unit test * add prompt parameter to docs for the other providers * remove prompt from okta * add unit tests for the other providers * address feedback * add back translations for prompt labels	2025-07-17 14:40:48 +03:00
linoman	807264428e	SAML: Revert SAML assertion default names in documentation (#108212) ... Revert SAML assertion default names in documentation	2025-07-17 13:11:48 +02:00
Misi	a94647d5cc	Auth: Remove ssoSettingsSAML feature toggle (#108109) ... * Remove ssoSettingsSAML feature toggle * Remove from docs + align tests * Update workspace * revert go.mod go.sum change * make update-workspace without enterprise linked	2025-07-16 21:13:31 +02:00
linoman	032ea5d5b8	Update SAML configuration options (#108178)	2025-07-16 20:39:28 +02:00
Misi	92d098fdfd	Auth: Make domain_hint configurable for the Azure AD/Entra ID connector (#108061) ... * Make domain_hint configurable for Entra ID/Azure AD * Add docs * Fix + i18n gen * Add validation to domain hint * Remove unnecessary change	2025-07-15 12:53:19 +02:00
Jacob Valdez	39d7fbd66e	Docs: Updating team sync admonition wording (#107990)	2025-07-11 07:25:43 -05:00
Misi	1d252de1e9	Docs: Clean up ssoSettingsApi references from docs (#107896) ... * Clean up ssoSettingsApi references from docs * lint	2025-07-09 14:22:07 +00:00
Jo	1e1fd3db38	OAuth: Add access token as third source for user info extraction (#107636) ... * Add access token as third source for user info extraction - Add extractFromAccessToken method to extract user info from JWT access tokens - Mutualize code by creating parseUserInfoFromJSON helper method - Rename methods for clarity: extractFromToken -> extractFromIDToken, retrieveRawIDToken -> retrieveRawJWTPayload - Update test suite to include comprehensive access token retrieval scenarios - Support three sources in priority order: ID token, API response, access token - Maintain backward compatibility while adding new functionality * Update Generic OAuth documentation to reflect access token support - Add access token as a third source for user information extraction - Update configuration sections to mention access tokens alongside ID tokens and UserInfo endpoint - Document the priority order: ID token → UserInfo endpoint → access token - Update configuration option descriptions to reflect new functionality - Maintain consistency with implementation changes * Refactor access token test cases to use parameter instead of hardcoded logic - Add AccessToken field to test case struct for explicit access token specification - Remove hardcoded string matching logic that determined access token based on test name - Update all access token test cases to include the AccessToken field with appropriate JWT values - Improve test maintainability and clarity by making access tokens explicit parameters - Remove unused strings import that was only needed for the hardcoded logic * fix doc lint * reduce cyclomatic complexity	2025-07-08 15:38:11 +02:00
Jacob Valdez	6c2574848f	Docs: Updating team sync availability (#107721)	2025-07-07 16:07:50 -05:00
linoman	dbef739814	SCIM: Update authentication features table (#107299) ... * Update authentication features table	2025-06-27 16:58:29 +02:00
Jack Baldry	244ffad99d	Fix all the old usage of admonition syntax (#106984)	2025-06-19 17:31:13 +01:00
linoman	3f2d2ec38c	SAML catalog: Set default values for SAML assertion - docs (#106773) ... Update documnetation references	2025-06-16 17:50:29 +02:00
linoman	9717d04039	SCIM: Add IDP specific SAML configuration (#106327) ... * Add assertion_attrbiute_external_uid definition * Add Okta specific configuration * Add Azure AD configuration * Expand definition and reference idp specific configuration	2025-06-05 10:50:28 +02:00
Mykhailo Zahlada	fc988c8771	Auth: Add Azure/Entra workload identity support (#104807) ... * fixes/adds azure workload identity authentication. Issue #78249 * Updates default values. Adds `workload_identity_token_file` defaults * Updates example config. Adds `workload_identity_token_file` * Updates docummentation: adds Federated credentials for Workload Identity * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Docs: add link to official documentation. Clarifies example. * 1. Add workload_identity_enabled and workload_identity_token_file settings to [auth.azuread] for workload identity support. 2. Extend OAuthInfo struct to include workload identity fields. 3. Update OAuth authentication logic to handle Azure AD workload identity using federated token as client assertion. 4. Update sample configuration and documentation for new settings. * ensure environment variable overrides are respected for OAuth SSO settings - Ensure that settings loaded in pkg/services/ssosettings/strategies/oauth_strategy.go correctly reflect environment variable overrides, matching Grafana's config behavior. - Align config loading logic with main config loader to prevent issues where INI values would override environment variables. * updates documentation * test: add workload identity configuration tests for Azure AD OAuth strategy. Add test coverage for workload_identity_enabled and workload_identity_token_file settings * feat: add workload identity support to Azure AD SSO configuration UI * updates documentation * Simplify OAuth flow by removing unnecessary switch-case structure * Small changes * Lint + i18n gen * refactor: remove redundant workload_identity_enabled setting as auth method gets defined by client_authentication * update documentation * refactor: remove redundant workload_identity_enabled setting as auth method gets defined by client_authentication * updates documentation - configuration options table: adds `client_authentication`, `workload_identity_token_file`, and `federated_credential_audience` * Small changes, lint, i18n --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	2025-05-29 14:09:18 +02:00
song2park	e572af4562	docs: fix keycloak signout_redirect_url (#106191)	2025-05-29 07:00:50 +00:00
Jacob Hands	8734b54f90	Docs: document required return type for org_attribute_path (#105946) ... Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Irene Rodríguez <irene.rodriguez@grafana.com>	2025-05-23 13:48:10 +00:00
Jack Baldry	39e7804557	Add comments explaining what pages the aliases redirect and fix broken aliases (#105408)	2025-05-14 19:45:35 +03:00
colin-stuart	d05b2862b6	SCIM: update docs with externalId field & correct endpoint (#105026) ... * SCIM: update docs with externalId field * better phrasing * vale warning fix * explain where mapping is configured * clarify assertion_attribute_login * better phrasing * even better explanation * remove confusing step * remove confusing line * linter fixes * improve Integrating with SCIM Provisioning section * bigger warning about scim/saml unique identifier mismatch * lint * vale fixes * Add Integrating with SCIM Provisioning part --------- Co-authored-by: Vardan Torosyan <vardants@gmail.com>	2025-05-07 09:45:11 -04:00
Vardan Torosyan	08d7e75b5c	Docs: SAML docs refactoring (#103450) ... * Docs: SAML docs refactoring * Cleanup the root page * Update the root file * Refactor Azure AD guide * Change the order of the tree * Remove the index file again, back from main * SAML UI page review and editing * Review and edit SAML config options page * SAML signing and encryption edit/review * Remaining pages and aliases * Fix PR comments * More fixes * Update _index.md * Update _index.md * Update _index.md * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Handle PR comments --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	2025-05-07 10:07:57 +02:00
Jacob Valdez	8dfb0874a0	Docs: removing docs debt in install docs (#101750) ... * Docs: removing docs debt in install docs * cleaning up set up docs debt * fixing some vale errors * fixing broken admonition shortcode * fixing broken shortcode * fixing broken shortcode * working to the grafana authentication config * updating some more files * editing down to ldap in the repo * editing ldap doc except final section with link needed * Finishing doc debt cleanup through configure authetication * fixing shortcodes reverted by merge conflict fix * fixing admonition * fixing more broken shortcodes * adjusting some wordings ot make vale happy * updating feature toggle info	2025-04-09 09:02:51 -05:00
Eric Leijonmarck	180f579f18	Revert "Anonymous: Enforce org role Viewer setting (#102070)" (#103043) ... This reverts commit e216c2f29d.	2025-03-31 10:31:53 +01:00
Vardan Torosyan	73e0db452b	Docs: Add a section to clarify how sessions are handled with SSO (#102694) ... * Docs: Add a section to clarify how sessions are handled with SSO * Add a link to SAML SLO setup	2025-03-27 16:40:57 +01:00
Eric Leijonmarck	e216c2f29d	Anonymous: Enforce org role Viewer setting (#102070) ... * Anon: Remove org role setting * remove from ini * remove setting from documentation	2025-03-27 09:10:30 +00:00
Ieva	8af271187c	Docs: Remove references to group sync (#102599) ... * remove references to group sync * remove relfref and add new link * remove relfref * Update relfref * remove relrefs and add admonitions * fix URL * remove relrefs * replace relrefs * replace relrefs * replace relrefs * replace relrefs * replace relrefs * replace relrefs * replace relrefs * replace relrefs * run prettier --------- Co-authored-by: Irene Rodríguez <irene.rodriguez@grafana.com>	2025-03-21 16:13:44 +00:00
Misi	874751d9da	Docs: AzureAD + SAML improvements (#102623) ... * Docs: AzureAD + SAML improvements * Fix	2025-03-21 17:00:12 +01:00
Quentin Bisson	aeca9a80a4	JWT: Add org role mapping support to the JWT provider (#101584) ... * add org role mapping to the jwt provider * Fix indentation for OrgMapping assignment * add-test * fix linting * add org_attribute_path * fix test * update doc * update doc * Update pkg/services/authn/clients/jwt.go * Update docs --------- Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>	2025-03-21 14:18:53 +01:00
linoman	afb058c40a	Fix URL rendering typo (#102346) ... * Fix URL rendering typo * run prettier --------- Co-authored-by: Irene Rodriguez <irene.rodriguez@grafana.com>	2025-03-18 11:42:25 +01:00
Beverly Buchanan	cf60c4e77f	Update SAML configuration steps (#101663) ... * replace relrefs and minor edits * add new content and links * Update docs/sources/setup-grafana/configure-security/configure-authentication/saml/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/saml/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * changes from linter and content suggestions * Update docs/sources/setup-grafana/configure-security/configure-authentication/saml/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/saml/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/saml/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/saml/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * run prettier --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Irene Rodriguez <irene.rodriguez@grafana.com>	2025-03-10 13:04:27 +00:00
Robby Milo	13cf67de53	Remove relref shortcodes (#101694) ... * manually replce all shared relrefs * relref replace - grafana next * Merge branch 'master' into robbymilo/relref-replace-grafana-next * manual fixes * remove ref shortcode * Merge branch 'master' into robbymilo/relref-replace-grafana-next * prettier * fix test * update readme	2025-03-06 13:59:08 +01:00
Vardan Torosyan	801ffea206	Docs: Passwordless auth is not available in cloud (#100825) ... * Docs: Passwordless auth is not available in cloud * Update index.md --------- Co-authored-by: Irene Rodríguez <irene.rodriguez@grafana.com>	2025-02-20 12:07:31 -05:00
Ariana	d81c4b3c42	Docs: Updating SAML UI Docs for Azure specific attributes (#100565) ... * Updating SAML for Azure specific attribute structures Adding additional context surrounding SAML via Azure where the full attribute URL needs to be specified or it will not map correctly. This generates a lot of support contacts and isn't documented causing friction when organizations can't set it up themselves or lack the technical staff to self manage. * run prettier --------- Co-authored-by: Irene Rodriguez <irene.rodriguez@grafana.com>	2025-02-13 19:46:38 +01:00
colin-stuart	d58dec7951	Docs: Add docs for Passwordless Authentication Using Magic Links (#96877) ... * Docs: Add docs for Passwordless Authentication Using Magic Links * Update docs/sources/setup-grafana/configure-security/configure-authentication/passwordless/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/passwordless/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/passwordless/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * match Writer's Toolkit style * Update docs/sources/setup-grafana/configure-security/configure-authentication/passwordless/index.md Co-authored-by: Jack Baldry <jack.baldry@grafana.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Jack Baldry <jack.baldry@grafana.com>	2025-02-05 17:58:14 +00:00
Misi	9df20eda77	Docs: Update SAML docs (#98809) ... * Update feature toggle name in SAML docs * Update SAML docs	2025-01-10 17:32:49 +01:00
John Naizer	79d565f285	OAuth: Support client_secret_jwt for oauth providers when doing token exchange (#95455) ... * added backend support for client_secret_jwt * added backend support for client_secret_jwt * added all logic to the exchange function (overloaded social exchange in azuread_oauth to handle managed identity client id) * ran yarn install to update lock file * added support for client_secret_jwt when managed_identity_client_id is null * added audience flag and changed exchange to directly access oauth config using .info * added logic in setting oauth.Config for supported client authentication values * added client_authentication, managed_identity_client_id, and audience to sample.ini file * using provided ctx in ManagedIdentityCallback function * added frontend support for federated identity credential auth * added client authentication field * added Azure AD documentation for Grafana * added bold font to "Add" keyword in documentation * minor wording change relating to previous commit * addressed changing audience to federated_credential_audience, moving validation, and changing managedIdentityCallback to private function * correction to audience name changing * fixed orgMappingClientAuthentication function name, and added in logic into validateFederatedCredentialAudience function * Change docs * Add iam team as owner of azcore pkg * added backend support for client_secret_jwt * added all logic to the exchange function (overloaded social exchange in azuread_oauth to handle managed identity client id) * ran yarn install to update lock file * added support for client_secret_jwt when managed_identity_client_id is null * added audience flag and changed exchange to directly access oauth config using .info * added logic in setting oauth.Config for supported client authentication values * added client_authentication, managed_identity_client_id, and audience to sample.ini file * using provided ctx in ManagedIdentityCallback function * added frontend support for federated identity credential auth * added client authentication field * added Azure AD documentation for Grafana * added bold font to "Add" keyword in documentation * minor wording change relating to previous commit * addressed changing audience to federated_credential_audience, moving validation, and changing managedIdentityCallback to private function * correction to audience name changing * fixed orgMappingClientAuthentication function name, and added in logic into validateFederatedCredentialAudience function * Change docs * Add iam team as owner of azcore pkg * updated yarn lock file * updated doc for correction * removed wrong changes in pkg directory * removed newline in dashboard-generate.yaml and unified.ts * updated yarn.lock to match upstream * Lint Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * removing unwanted changes * added back removed newline * fixed failing test in azuread_oauth_test.go * Update azuread_oauth.go removed unnecessary newline, fixed lint --------- Signed-off-by: Jack Baldry <jack.baldry@grafana.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com> Co-authored-by: Jack Baldry <jack.baldry@grafana.com>	2025-01-07 10:42:52 +01:00
Misi	123c860293	Docs: Configure SAML SLO properly with NameID and SessionIndex support (#98207) ... * Docs: SAML proper NameID and SessionIndex support * Address feedback * update link	2024-12-19 16:47:02 +00:00
Misi	5ecc3343db	Docs: Add org role mapping improvements to SAML docs (#98178) ... Docs: Add org role mapping improvements	2024-12-18 16:12:50 +01:00