Grafana v0.5.1, Jun 12 24

Grafana v0.5.1 published on Wednesday, Jun 12, 2024 by pulumiverse

grafana.SsoSettings

Explore with Pulumi AI

Grafana v0.5.1 published on Wednesday, Jun 12, 2024 by pulumiverse

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as grafana from "@pulumiverse/grafana";

// Configure SSO for GitHub using OAuth2
const githubSsoSettings = new grafana.SsoSettings("githubSsoSettings", {
    oauth2Settings: {
        allowSignUp: true,
        allowedDomains: "mycompany.com mycompany.org",
        allowedOrganizations: "[\"My Organization\", \"Octocats\"]",
        autoLogin: false,
        clientId: "<your GitHub app client id>",
        clientSecret: "<your GitHub app client secret>",
        name: "Github",
        scopes: "user:email,read:org",
        teamIds: "150,300",
    },
    providerName: "github",
});
// Configure SSO using generic OAuth2
const genericSsoSettings = new grafana.SsoSettings("genericSsoSettings", {
    oauth2Settings: {
        allowSignUp: true,
        apiUrl: "https://<domain>/userinfo",
        authUrl: "https://<domain>/authorize",
        autoLogin: false,
        clientId: "<client id>",
        clientSecret: "<client secret>",
        name: "Auth0",
        scopes: "openid profile email offline_access",
        tokenUrl: "https://<domain>/oauth/token",
        usePkce: true,
        useRefreshToken: true,
    },
    providerName: "generic_oauth",
});
// Configure SSO using SAML
const samlSsoSettings = new grafana.SsoSettings("samlSsoSettings", {
    providerName: "saml",
    samlSettings: {
        allowSignUp: true,
        assertionAttributeEmail: "email",
        assertionAttributeLogin: "login",
        certificatePath: "devenv/docker/blocks/auth/saml-enterprise/cert.crt",
        idpMetadataUrl: "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
        nameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        privateKeyPath: "devenv/docker/blocks/auth/saml-enterprise/key.pem",
        signatureAlgorithm: "rsa-sha256",
    },
});

import pulumi
import pulumiverse_grafana as grafana

# Configure SSO for GitHub using OAuth2
github_sso_settings = grafana.SsoSettings("githubSsoSettings",
    oauth2_settings=grafana.SsoSettingsOauth2SettingsArgs(
        allow_sign_up=True,
        allowed_domains="mycompany.com mycompany.org",
        allowed_organizations="[\"My Organization\", \"Octocats\"]",
        auto_login=False,
        client_id="<your GitHub app client id>",
        client_secret="<your GitHub app client secret>",
        name="Github",
        scopes="user:email,read:org",
        team_ids="150,300",
    ),
    provider_name="github")
# Configure SSO using generic OAuth2
generic_sso_settings = grafana.SsoSettings("genericSsoSettings",
    oauth2_settings=grafana.SsoSettingsOauth2SettingsArgs(
        allow_sign_up=True,
        api_url="https://<domain>/userinfo",
        auth_url="https://<domain>/authorize",
        auto_login=False,
        client_id="<client id>",
        client_secret="<client secret>",
        name="Auth0",
        scopes="openid profile email offline_access",
        token_url="https://<domain>/oauth/token",
        use_pkce=True,
        use_refresh_token=True,
    ),
    provider_name="generic_oauth")
# Configure SSO using SAML
saml_sso_settings = grafana.SsoSettings("samlSsoSettings",
    provider_name="saml",
    saml_settings=grafana.SsoSettingsSamlSettingsArgs(
        allow_sign_up=True,
        assertion_attribute_email="email",
        assertion_attribute_login="login",
        certificate_path="devenv/docker/blocks/auth/saml-enterprise/cert.crt",
        idp_metadata_url="https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
        name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        private_key_path="devenv/docker/blocks/auth/saml-enterprise/key.pem",
        signature_algorithm="rsa-sha256",
    ))

package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-grafana/sdk/go/grafana"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Configure SSO for GitHub using OAuth2
		_, err := grafana.NewSsoSettings(ctx, "githubSsoSettings", &grafana.SsoSettingsArgs{
			Oauth2Settings: &grafana.SsoSettingsOauth2SettingsArgs{
				AllowSignUp:          pulumi.Bool(true),
				AllowedDomains:       pulumi.String("mycompany.com mycompany.org"),
				AllowedOrganizations: pulumi.String("[\"My Organization\", \"Octocats\"]"),
				AutoLogin:            pulumi.Bool(false),
				ClientId:             pulumi.String("<your GitHub app client id>"),
				ClientSecret:         pulumi.String("<your GitHub app client secret>"),
				Name:                 pulumi.String("Github"),
				Scopes:               pulumi.String("user:email,read:org"),
				TeamIds:              pulumi.String("150,300"),
			},
			ProviderName: pulumi.String("github"),
		})
		if err != nil {
			return err
		}
		// Configure SSO using generic OAuth2
		_, err = grafana.NewSsoSettings(ctx, "genericSsoSettings", &grafana.SsoSettingsArgs{
			Oauth2Settings: &grafana.SsoSettingsOauth2SettingsArgs{
				AllowSignUp:     pulumi.Bool(true),
				ApiUrl:          pulumi.String("https://<domain>/userinfo"),
				AuthUrl:         pulumi.String("https://<domain>/authorize"),
				AutoLogin:       pulumi.Bool(false),
				ClientId:        pulumi.String("<client id>"),
				ClientSecret:    pulumi.String("<client secret>"),
				Name:            pulumi.String("Auth0"),
				Scopes:          pulumi.String("openid profile email offline_access"),
				TokenUrl:        pulumi.String("https://<domain>/oauth/token"),
				UsePkce:         pulumi.Bool(true),
				UseRefreshToken: pulumi.Bool(true),
			},
			ProviderName: pulumi.String("generic_oauth"),
		})
		if err != nil {
			return err
		}
		// Configure SSO using SAML
		_, err = grafana.NewSsoSettings(ctx, "samlSsoSettings", &grafana.SsoSettingsArgs{
			ProviderName: pulumi.String("saml"),
			SamlSettings: &grafana.SsoSettingsSamlSettingsArgs{
				AllowSignUp:             pulumi.Bool(true),
				AssertionAttributeEmail: pulumi.String("email"),
				AssertionAttributeLogin: pulumi.String("login"),
				CertificatePath:         pulumi.String("devenv/docker/blocks/auth/saml-enterprise/cert.crt"),
				IdpMetadataUrl:          pulumi.String("https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml"),
				NameIdFormat:            pulumi.String("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"),
				PrivateKeyPath:          pulumi.String("devenv/docker/blocks/auth/saml-enterprise/key.pem"),
				SignatureAlgorithm:      pulumi.String("rsa-sha256"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Grafana = Pulumiverse.Grafana;

return await Deployment.RunAsync(() => 
{
    // Configure SSO for GitHub using OAuth2
    var githubSsoSettings = new Grafana.SsoSettings("githubSsoSettings", new()
    {
        Oauth2Settings = new Grafana.Inputs.SsoSettingsOauth2SettingsArgs
        {
            AllowSignUp = true,
            AllowedDomains = "mycompany.com mycompany.org",
            AllowedOrganizations = "[\"My Organization\", \"Octocats\"]",
            AutoLogin = false,
            ClientId = "<your GitHub app client id>",
            ClientSecret = "<your GitHub app client secret>",
            Name = "Github",
            Scopes = "user:email,read:org",
            TeamIds = "150,300",
        },
        ProviderName = "github",
    });

    // Configure SSO using generic OAuth2
    var genericSsoSettings = new Grafana.SsoSettings("genericSsoSettings", new()
    {
        Oauth2Settings = new Grafana.Inputs.SsoSettingsOauth2SettingsArgs
        {
            AllowSignUp = true,
            ApiUrl = "https://<domain>/userinfo",
            AuthUrl = "https://<domain>/authorize",
            AutoLogin = false,
            ClientId = "<client id>",
            ClientSecret = "<client secret>",
            Name = "Auth0",
            Scopes = "openid profile email offline_access",
            TokenUrl = "https://<domain>/oauth/token",
            UsePkce = true,
            UseRefreshToken = true,
        },
        ProviderName = "generic_oauth",
    });

    // Configure SSO using SAML
    var samlSsoSettings = new Grafana.SsoSettings("samlSsoSettings", new()
    {
        ProviderName = "saml",
        SamlSettings = new Grafana.Inputs.SsoSettingsSamlSettingsArgs
        {
            AllowSignUp = true,
            AssertionAttributeEmail = "email",
            AssertionAttributeLogin = "login",
            CertificatePath = "devenv/docker/blocks/auth/saml-enterprise/cert.crt",
            IdpMetadataUrl = "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml",
            NameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
            PrivateKeyPath = "devenv/docker/blocks/auth/saml-enterprise/key.pem",
            SignatureAlgorithm = "rsa-sha256",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.grafana.SsoSettings;
import com.pulumi.grafana.SsoSettingsArgs;
import com.pulumi.grafana.inputs.SsoSettingsOauth2SettingsArgs;
import com.pulumi.grafana.inputs.SsoSettingsSamlSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Configure SSO for GitHub using OAuth2
        var githubSsoSettings = new SsoSettings("githubSsoSettings", SsoSettingsArgs.builder()        
            .oauth2Settings(SsoSettingsOauth2SettingsArgs.builder()
                .allowSignUp(true)
                .allowedDomains("mycompany.com mycompany.org")
                .allowedOrganizations("[\"My Organization\", \"Octocats\"]")
                .autoLogin(false)
                .clientId("<your GitHub app client id>")
                .clientSecret("<your GitHub app client secret>")
                .name("Github")
                .scopes("user:email,read:org")
                .teamIds("150,300")
                .build())
            .providerName("github")
            .build());

        // Configure SSO using generic OAuth2
        var genericSsoSettings = new SsoSettings("genericSsoSettings", SsoSettingsArgs.builder()        
            .oauth2Settings(SsoSettingsOauth2SettingsArgs.builder()
                .allowSignUp(true)
                .apiUrl("https://<domain>/userinfo")
                .authUrl("https://<domain>/authorize")
                .autoLogin(false)
                .clientId("<client id>")
                .clientSecret("<client secret>")
                .name("Auth0")
                .scopes("openid profile email offline_access")
                .tokenUrl("https://<domain>/oauth/token")
                .usePkce(true)
                .useRefreshToken(true)
                .build())
            .providerName("generic_oauth")
            .build());

        // Configure SSO using SAML
        var samlSsoSettings = new SsoSettings("samlSsoSettings", SsoSettingsArgs.builder()        
            .providerName("saml")
            .samlSettings(SsoSettingsSamlSettingsArgs.builder()
                .allowSignUp(true)
                .assertionAttributeEmail("email")
                .assertionAttributeLogin("login")
                .certificatePath("devenv/docker/blocks/auth/saml-enterprise/cert.crt")
                .idpMetadataUrl("https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml")
                .nameIdFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
                .privateKeyPath("devenv/docker/blocks/auth/saml-enterprise/key.pem")
                .signatureAlgorithm("rsa-sha256")
                .build())
            .build());

    }
}

resources:
  # Configure SSO for GitHub using OAuth2
  githubSsoSettings:
    type: grafana:SsoSettings
    properties:
      oauth2Settings:
        allowSignUp: true
        allowedDomains: mycompany.com mycompany.org
        allowedOrganizations: '["My Organization", "Octocats"]'
        autoLogin: false
        clientId: <your GitHub app client id>
        clientSecret: <your GitHub app client secret>
        name: Github
        scopes: user:email,read:org
        teamIds: 150,300
      providerName: github
  # Configure SSO using generic OAuth2
  genericSsoSettings:
    type: grafana:SsoSettings
    properties:
      oauth2Settings:
        allowSignUp: true
        apiUrl: https://<domain>/userinfo
        authUrl: https://<domain>/authorize
        autoLogin: false
        clientId: <client id>
        clientSecret: <client secret>
        name: Auth0
        scopes: openid profile email offline_access
        tokenUrl: https://<domain>/oauth/token
        usePkce: true
        useRefreshToken: true
      providerName: generic_oauth
  # Configure SSO using SAML
  samlSsoSettings:
    type: grafana:SsoSettings
    properties:
      providerName: saml
      samlSettings:
        allowSignUp: true
        assertionAttributeEmail: email
        assertionAttributeLogin: login
        certificatePath: devenv/docker/blocks/auth/saml-enterprise/cert.crt
        idpMetadataUrl: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
        nameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        privateKeyPath: devenv/docker/blocks/auth/saml-enterprise/key.pem
        signatureAlgorithm: rsa-sha256

Create SsoSettings Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SsoSettings(name: string, args: SsoSettingsArgs, opts?: CustomResourceOptions);

@overload
def SsoSettings(resource_name: str,
                args: SsoSettingsArgs,
                opts: Optional[ResourceOptions] = None)

@overload
def SsoSettings(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                provider_name: Optional[str] = None,
                oauth2_settings: Optional[SsoSettingsOauth2SettingsArgs] = None,
                saml_settings: Optional[SsoSettingsSamlSettingsArgs] = None)

func NewSsoSettings(ctx *Context, name string, args SsoSettingsArgs, opts ...ResourceOption) (*SsoSettings, error)

public SsoSettings(string name, SsoSettingsArgs args, CustomResourceOptions? opts = null)

public SsoSettings(String name, SsoSettingsArgs args)
public SsoSettings(String name, SsoSettingsArgs args, CustomResourceOptions options)

type: grafana:SsoSettings
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SsoSettingsArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SsoSettingsArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SsoSettingsArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SsoSettingsArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SsoSettingsArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var ssoSettingsResource = new Grafana.SsoSettings("ssoSettingsResource", new()
{
    ProviderName = "string",
    Oauth2Settings = new Grafana.Inputs.SsoSettingsOauth2SettingsArgs
    {
        ClientId = "string",
        GroupsAttributePath = "string",
        UsePkce = false,
        AllowedGroups = "string",
        IdTokenAttributeName = "string",
        ApiUrl = "string",
        AuthStyle = "string",
        AuthUrl = "string",
        AutoLogin = false,
        AllowSignUp = false,
        ClientSecret = "string",
        Custom = 
        {
            { "string", "string" },
        },
        DefineAllowedGroups = false,
        DefineAllowedTeamsIds = false,
        EmailAttributeName = "string",
        EmailAttributePath = "string",
        EmptyScopes = false,
        Enabled = false,
        AllowAssignGrafanaAdmin = false,
        AllowedOrganizations = "string",
        AllowedDomains = "string",
        NameAttributePath = "string",
        Name = "string",
        RoleAttributePath = "string",
        RoleAttributeStrict = false,
        Scopes = "string",
        SignoutRedirectUrl = "string",
        SkipOrgRoleSync = false,
        TeamIds = "string",
        TeamIdsAttributePath = "string",
        TeamsUrl = "string",
        TlsClientCa = "string",
        TlsClientCert = "string",
        TlsClientKey = "string",
        TlsSkipVerifyInsecure = false,
        TokenUrl = "string",
        LoginAttributePath = "string",
        UseRefreshToken = false,
    },
    SamlSettings = new Grafana.Inputs.SsoSettingsSamlSettingsArgs
    {
        AllowIdpInitiated = false,
        AllowSignUp = false,
        AllowedOrganizations = "string",
        AssertionAttributeEmail = "string",
        AssertionAttributeGroups = "string",
        AssertionAttributeLogin = "string",
        AssertionAttributeName = "string",
        AssertionAttributeOrg = "string",
        AssertionAttributeRole = "string",
        AutoLogin = false,
        Certificate = "string",
        CertificatePath = "string",
        Enabled = false,
        IdpMetadata = "string",
        IdpMetadataPath = "string",
        IdpMetadataUrl = "string",
        MaxIssueDelay = "string",
        MetadataValidDuration = "string",
        Name = "string",
        NameIdFormat = "string",
        OrgMapping = "string",
        PrivateKey = "string",
        PrivateKeyPath = "string",
        RelayState = "string",
        RoleValuesAdmin = "string",
        RoleValuesEditor = "string",
        RoleValuesGrafanaAdmin = "string",
        RoleValuesNone = "string",
        SignatureAlgorithm = "string",
        SingleLogout = false,
        SkipOrgRoleSync = false,
    },
});

example, err := grafana.NewSsoSettings(ctx, "ssoSettingsResource", &grafana.SsoSettingsArgs{
	ProviderName: pulumi.String("string"),
	Oauth2Settings: &grafana.SsoSettingsOauth2SettingsArgs{
		ClientId:             pulumi.String("string"),
		GroupsAttributePath:  pulumi.String("string"),
		UsePkce:              pulumi.Bool(false),
		AllowedGroups:        pulumi.String("string"),
		IdTokenAttributeName: pulumi.String("string"),
		ApiUrl:               pulumi.String("string"),
		AuthStyle:            pulumi.String("string"),
		AuthUrl:              pulumi.String("string"),
		AutoLogin:            pulumi.Bool(false),
		AllowSignUp:          pulumi.Bool(false),
		ClientSecret:         pulumi.String("string"),
		Custom: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		DefineAllowedGroups:     pulumi.Bool(false),
		DefineAllowedTeamsIds:   pulumi.Bool(false),
		EmailAttributeName:      pulumi.String("string"),
		EmailAttributePath:      pulumi.String("string"),
		EmptyScopes:             pulumi.Bool(false),
		Enabled:                 pulumi.Bool(false),
		AllowAssignGrafanaAdmin: pulumi.Bool(false),
		AllowedOrganizations:    pulumi.String("string"),
		AllowedDomains:          pulumi.String("string"),
		NameAttributePath:       pulumi.String("string"),
		Name:                    pulumi.String("string"),
		RoleAttributePath:       pulumi.String("string"),
		RoleAttributeStrict:     pulumi.Bool(false),
		Scopes:                  pulumi.String("string"),
		SignoutRedirectUrl:      pulumi.String("string"),
		SkipOrgRoleSync:         pulumi.Bool(false),
		TeamIds:                 pulumi.String("string"),
		TeamIdsAttributePath:    pulumi.String("string"),
		TeamsUrl:                pulumi.String("string"),
		TlsClientCa:             pulumi.String("string"),
		TlsClientCert:           pulumi.String("string"),
		TlsClientKey:            pulumi.String("string"),
		TlsSkipVerifyInsecure:   pulumi.Bool(false),
		TokenUrl:                pulumi.String("string"),
		LoginAttributePath:      pulumi.String("string"),
		UseRefreshToken:         pulumi.Bool(false),
	},
	SamlSettings: &grafana.SsoSettingsSamlSettingsArgs{
		AllowIdpInitiated:        pulumi.Bool(false),
		AllowSignUp:              pulumi.Bool(false),
		AllowedOrganizations:     pulumi.String("string"),
		AssertionAttributeEmail:  pulumi.String("string"),
		AssertionAttributeGroups: pulumi.String("string"),
		AssertionAttributeLogin:  pulumi.String("string"),
		AssertionAttributeName:   pulumi.String("string"),
		AssertionAttributeOrg:    pulumi.String("string"),
		AssertionAttributeRole:   pulumi.String("string"),
		AutoLogin:                pulumi.Bool(false),
		Certificate:              pulumi.String("string"),
		CertificatePath:          pulumi.String("string"),
		Enabled:                  pulumi.Bool(false),
		IdpMetadata:              pulumi.String("string"),
		IdpMetadataPath:          pulumi.String("string"),
		IdpMetadataUrl:           pulumi.String("string"),
		MaxIssueDelay:            pulumi.String("string"),
		MetadataValidDuration:    pulumi.String("string"),
		Name:                     pulumi.String("string"),
		NameIdFormat:             pulumi.String("string"),
		OrgMapping:               pulumi.String("string"),
		PrivateKey:               pulumi.String("string"),
		PrivateKeyPath:           pulumi.String("string"),
		RelayState:               pulumi.String("string"),
		RoleValuesAdmin:          pulumi.String("string"),
		RoleValuesEditor:         pulumi.String("string"),
		RoleValuesGrafanaAdmin:   pulumi.String("string"),
		RoleValuesNone:           pulumi.String("string"),
		SignatureAlgorithm:       pulumi.String("string"),
		SingleLogout:             pulumi.Bool(false),
		SkipOrgRoleSync:          pulumi.Bool(false),
	},
})

var ssoSettingsResource = new SsoSettings("ssoSettingsResource", SsoSettingsArgs.builder()
    .providerName("string")
    .oauth2Settings(SsoSettingsOauth2SettingsArgs.builder()
        .clientId("string")
        .groupsAttributePath("string")
        .usePkce(false)
        .allowedGroups("string")
        .idTokenAttributeName("string")
        .apiUrl("string")
        .authStyle("string")
        .authUrl("string")
        .autoLogin(false)
        .allowSignUp(false)
        .clientSecret("string")
        .custom(Map.of("string", "string"))
        .defineAllowedGroups(false)
        .defineAllowedTeamsIds(false)
        .emailAttributeName("string")
        .emailAttributePath("string")
        .emptyScopes(false)
        .enabled(false)
        .allowAssignGrafanaAdmin(false)
        .allowedOrganizations("string")
        .allowedDomains("string")
        .nameAttributePath("string")
        .name("string")
        .roleAttributePath("string")
        .roleAttributeStrict(false)
        .scopes("string")
        .signoutRedirectUrl("string")
        .skipOrgRoleSync(false)
        .teamIds("string")
        .teamIdsAttributePath("string")
        .teamsUrl("string")
        .tlsClientCa("string")
        .tlsClientCert("string")
        .tlsClientKey("string")
        .tlsSkipVerifyInsecure(false)
        .tokenUrl("string")
        .loginAttributePath("string")
        .useRefreshToken(false)
        .build())
    .samlSettings(SsoSettingsSamlSettingsArgs.builder()
        .allowIdpInitiated(false)
        .allowSignUp(false)
        .allowedOrganizations("string")
        .assertionAttributeEmail("string")
        .assertionAttributeGroups("string")
        .assertionAttributeLogin("string")
        .assertionAttributeName("string")
        .assertionAttributeOrg("string")
        .assertionAttributeRole("string")
        .autoLogin(false)
        .certificate("string")
        .certificatePath("string")
        .enabled(false)
        .idpMetadata("string")
        .idpMetadataPath("string")
        .idpMetadataUrl("string")
        .maxIssueDelay("string")
        .metadataValidDuration("string")
        .name("string")
        .nameIdFormat("string")
        .orgMapping("string")
        .privateKey("string")
        .privateKeyPath("string")
        .relayState("string")
        .roleValuesAdmin("string")
        .roleValuesEditor("string")
        .roleValuesGrafanaAdmin("string")
        .roleValuesNone("string")
        .signatureAlgorithm("string")
        .singleLogout(false)
        .skipOrgRoleSync(false)
        .build())
    .build());

sso_settings_resource = grafana.SsoSettings("ssoSettingsResource",
    provider_name="string",
    oauth2_settings=grafana.SsoSettingsOauth2SettingsArgs(
        client_id="string",
        groups_attribute_path="string",
        use_pkce=False,
        allowed_groups="string",
        id_token_attribute_name="string",
        api_url="string",
        auth_style="string",
        auth_url="string",
        auto_login=False,
        allow_sign_up=False,
        client_secret="string",
        custom={
            "string": "string",
        },
        define_allowed_groups=False,
        define_allowed_teams_ids=False,
        email_attribute_name="string",
        email_attribute_path="string",
        empty_scopes=False,
        enabled=False,
        allow_assign_grafana_admin=False,
        allowed_organizations="string",
        allowed_domains="string",
        name_attribute_path="string",
        name="string",
        role_attribute_path="string",
        role_attribute_strict=False,
        scopes="string",
        signout_redirect_url="string",
        skip_org_role_sync=False,
        team_ids="string",
        team_ids_attribute_path="string",
        teams_url="string",
        tls_client_ca="string",
        tls_client_cert="string",
        tls_client_key="string",
        tls_skip_verify_insecure=False,
        token_url="string",
        login_attribute_path="string",
        use_refresh_token=False,
    ),
    saml_settings=grafana.SsoSettingsSamlSettingsArgs(
        allow_idp_initiated=False,
        allow_sign_up=False,
        allowed_organizations="string",
        assertion_attribute_email="string",
        assertion_attribute_groups="string",
        assertion_attribute_login="string",
        assertion_attribute_name="string",
        assertion_attribute_org="string",
        assertion_attribute_role="string",
        auto_login=False,
        certificate="string",
        certificate_path="string",
        enabled=False,
        idp_metadata="string",
        idp_metadata_path="string",
        idp_metadata_url="string",
        max_issue_delay="string",
        metadata_valid_duration="string",
        name="string",
        name_id_format="string",
        org_mapping="string",
        private_key="string",
        private_key_path="string",
        relay_state="string",
        role_values_admin="string",
        role_values_editor="string",
        role_values_grafana_admin="string",
        role_values_none="string",
        signature_algorithm="string",
        single_logout=False,
        skip_org_role_sync=False,
    ))

const ssoSettingsResource = new grafana.SsoSettings("ssoSettingsResource", {
    providerName: "string",
    oauth2Settings: {
        clientId: "string",
        groupsAttributePath: "string",
        usePkce: false,
        allowedGroups: "string",
        idTokenAttributeName: "string",
        apiUrl: "string",
        authStyle: "string",
        authUrl: "string",
        autoLogin: false,
        allowSignUp: false,
        clientSecret: "string",
        custom: {
            string: "string",
        },
        defineAllowedGroups: false,
        defineAllowedTeamsIds: false,
        emailAttributeName: "string",
        emailAttributePath: "string",
        emptyScopes: false,
        enabled: false,
        allowAssignGrafanaAdmin: false,
        allowedOrganizations: "string",
        allowedDomains: "string",
        nameAttributePath: "string",
        name: "string",
        roleAttributePath: "string",
        roleAttributeStrict: false,
        scopes: "string",
        signoutRedirectUrl: "string",
        skipOrgRoleSync: false,
        teamIds: "string",
        teamIdsAttributePath: "string",
        teamsUrl: "string",
        tlsClientCa: "string",
        tlsClientCert: "string",
        tlsClientKey: "string",
        tlsSkipVerifyInsecure: false,
        tokenUrl: "string",
        loginAttributePath: "string",
        useRefreshToken: false,
    },
    samlSettings: {
        allowIdpInitiated: false,
        allowSignUp: false,
        allowedOrganizations: "string",
        assertionAttributeEmail: "string",
        assertionAttributeGroups: "string",
        assertionAttributeLogin: "string",
        assertionAttributeName: "string",
        assertionAttributeOrg: "string",
        assertionAttributeRole: "string",
        autoLogin: false,
        certificate: "string",
        certificatePath: "string",
        enabled: false,
        idpMetadata: "string",
        idpMetadataPath: "string",
        idpMetadataUrl: "string",
        maxIssueDelay: "string",
        metadataValidDuration: "string",
        name: "string",
        nameIdFormat: "string",
        orgMapping: "string",
        privateKey: "string",
        privateKeyPath: "string",
        relayState: "string",
        roleValuesAdmin: "string",
        roleValuesEditor: "string",
        roleValuesGrafanaAdmin: "string",
        roleValuesNone: "string",
        signatureAlgorithm: "string",
        singleLogout: false,
        skipOrgRoleSync: false,
    },
});

type: grafana:SsoSettings
properties:
    oauth2Settings:
        allowAssignGrafanaAdmin: false
        allowSignUp: false
        allowedDomains: string
        allowedGroups: string
        allowedOrganizations: string
        apiUrl: string
        authStyle: string
        authUrl: string
        autoLogin: false
        clientId: string
        clientSecret: string
        custom:
            string: string
        defineAllowedGroups: false
        defineAllowedTeamsIds: false
        emailAttributeName: string
        emailAttributePath: string
        emptyScopes: false
        enabled: false
        groupsAttributePath: string
        idTokenAttributeName: string
        loginAttributePath: string
        name: string
        nameAttributePath: string
        roleAttributePath: string
        roleAttributeStrict: false
        scopes: string
        signoutRedirectUrl: string
        skipOrgRoleSync: false
        teamIds: string
        teamIdsAttributePath: string
        teamsUrl: string
        tlsClientCa: string
        tlsClientCert: string
        tlsClientKey: string
        tlsSkipVerifyInsecure: false
        tokenUrl: string
        usePkce: false
        useRefreshToken: false
    providerName: string
    samlSettings:
        allowIdpInitiated: false
        allowSignUp: false
        allowedOrganizations: string
        assertionAttributeEmail: string
        assertionAttributeGroups: string
        assertionAttributeLogin: string
        assertionAttributeName: string
        assertionAttributeOrg: string
        assertionAttributeRole: string
        autoLogin: false
        certificate: string
        certificatePath: string
        enabled: false
        idpMetadata: string
        idpMetadataPath: string
        idpMetadataUrl: string
        maxIssueDelay: string
        metadataValidDuration: string
        name: string
        nameIdFormat: string
        orgMapping: string
        privateKey: string
        privateKeyPath: string
        relayState: string
        roleValuesAdmin: string
        roleValuesEditor: string
        roleValuesGrafanaAdmin: string
        roleValuesNone: string
        signatureAlgorithm: string
        singleLogout: false
        skipOrgRoleSync: false

SsoSettings Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The SsoSettings resource accepts the following input properties:

ProviderName string: The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
Oauth2Settings Pulumiverse.Grafana.Inputs.SsoSettingsOauth2Settings: The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
SamlSettings Pulumiverse.Grafana.Inputs.SsoSettingsSamlSettings: The SAML settings set. Required for the saml provider.

ProviderName string: The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
Oauth2Settings SsoSettingsOauth2SettingsArgs: The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
SamlSettings SsoSettingsSamlSettingsArgs: The SAML settings set. Required for the saml provider.

providerName String: The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
oauth2Settings SsoSettingsOauth2Settings: The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
samlSettings SsoSettingsSamlSettings: The SAML settings set. Required for the saml provider.

providerName string: The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
oauth2Settings SsoSettingsOauth2Settings: The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
samlSettings SsoSettingsSamlSettings: The SAML settings set. Required for the saml provider.

provider_name str: The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
oauth2_settings SsoSettingsOauth2SettingsArgs: The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
saml_settings SsoSettingsSamlSettingsArgs: The SAML settings set. Required for the saml provider.

providerName String: The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
oauth2Settings Property Map: The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
samlSettings Property Map: The SAML settings set. Required for the saml provider.

Outputs

All input properties are implicitly available as output properties. Additionally, the SsoSettings resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing SsoSettings Resource

Get an existing SsoSettings resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SsoSettingsState, opts?: CustomResourceOptions): SsoSettings

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        oauth2_settings: Optional[SsoSettingsOauth2SettingsArgs] = None,
        provider_name: Optional[str] = None,
        saml_settings: Optional[SsoSettingsSamlSettingsArgs] = None) -> SsoSettings

func GetSsoSettings(ctx *Context, name string, id IDInput, state *SsoSettingsState, opts ...ResourceOption) (*SsoSettings, error)

public static SsoSettings Get(string name, Input<string> id, SsoSettingsState? state, CustomResourceOptions? opts = null)

public static SsoSettings get(String name, Output<String> id, SsoSettingsState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Oauth2Settings Pulumiverse.Grafana.Inputs.SsoSettingsOauth2Settings: The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
ProviderName string: The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
SamlSettings Pulumiverse.Grafana.Inputs.SsoSettingsSamlSettings: The SAML settings set. Required for the saml provider.

Oauth2Settings SsoSettingsOauth2SettingsArgs: The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
ProviderName string: The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
SamlSettings SsoSettingsSamlSettingsArgs: The SAML settings set. Required for the saml provider.

oauth2Settings SsoSettingsOauth2Settings: The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
providerName String: The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
samlSettings SsoSettingsSamlSettings: The SAML settings set. Required for the saml provider.

oauth2Settings SsoSettingsOauth2Settings: The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
providerName string: The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
samlSettings SsoSettingsSamlSettings: The SAML settings set. Required for the saml provider.

oauth2_settings SsoSettingsOauth2SettingsArgs: The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
provider_name str: The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
saml_settings SsoSettingsSamlSettingsArgs: The SAML settings set. Required for the saml provider.

oauth2Settings Property Map: The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic*oauth providers.
providerName String: The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml.
samlSettings Property Map: The SAML settings set. Required for the saml provider.

Supporting Types

SsoSettingsOauth2Settings, SsoSettingsOauth2SettingsArgs

ClientId string: The client Id of your OAuth2 app.
AllowAssignGrafanaAdmin bool: If enabled, it will automatically sync the Grafana server administrator role.
AllowSignUp bool: If not enabled, only existing Grafana users can log in using OAuth.
AllowedDomains string: List of comma- or space-separated domains. The user should belong to at least one domain to log in.
AllowedGroups string: List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
AllowedOrganizations string: List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
ApiUrl string: The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
AuthStyle string: It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
AuthUrl string: The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
AutoLogin bool: Log in automatically, skipping the login screen.
ClientSecret string: The client secret of your OAuth2 app.
Custom Dictionary<string, string>: Custom fields to configure for OAuth2 such as the forceusegraph_api field.
DefineAllowedGroups bool: Define allowed groups.
DefineAllowedTeamsIds bool: Define allowed teams ids.
EmailAttributeName string: Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
EmailAttributePath string: JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
EmptyScopes bool: If enabled, no scopes will be sent to the OAuth2 provider.
Enabled bool: Define whether this configuration is enabled for the specified provider. Defaults to true.
GroupsAttributePath string: JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
IdTokenAttributeName string: The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
LoginAttributePath string: JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
Name string: Helpful if you use more than one identity providers or SSO protocols.
NameAttributePath string: JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
RoleAttributePath string: JMESPath expression to use for Grafana role lookup.
RoleAttributeStrict bool: If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
Scopes string: List of comma- or space-separated OAuth2 scopes.
SignoutRedirectUrl string: The URL to redirect the user to after signing out from Grafana.
SkipOrgRoleSync bool: Prevent synchronizing users’ organization roles from your IdP.
TeamIds string: String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
TeamIdsAttributePath string: The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
TeamsUrl string: The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
TlsClientCa string: The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
TlsClientCert string: The path to the certificate. Is not applicable on Grafana Cloud.
TlsClientKey string: The path to the key. Is not applicable on Grafana Cloud.
TlsSkipVerifyInsecure bool: If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
TokenUrl string: The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
UsePkce bool: If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
UseRefreshToken bool: If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.

ClientId string: The client Id of your OAuth2 app.
AllowAssignGrafanaAdmin bool: If enabled, it will automatically sync the Grafana server administrator role.
AllowSignUp bool: If not enabled, only existing Grafana users can log in using OAuth.
AllowedDomains string: List of comma- or space-separated domains. The user should belong to at least one domain to log in.
AllowedGroups string: List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
AllowedOrganizations string: List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
ApiUrl string: The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
AuthStyle string: It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
AuthUrl string: The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
AutoLogin bool: Log in automatically, skipping the login screen.
ClientSecret string: The client secret of your OAuth2 app.
Custom map[string]string: Custom fields to configure for OAuth2 such as the forceusegraph_api field.
DefineAllowedGroups bool: Define allowed groups.
DefineAllowedTeamsIds bool: Define allowed teams ids.
EmailAttributeName string: Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
EmailAttributePath string: JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
EmptyScopes bool: If enabled, no scopes will be sent to the OAuth2 provider.
Enabled bool: Define whether this configuration is enabled for the specified provider. Defaults to true.
GroupsAttributePath string: JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
IdTokenAttributeName string: The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
LoginAttributePath string: JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
Name string: Helpful if you use more than one identity providers or SSO protocols.
NameAttributePath string: JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
RoleAttributePath string: JMESPath expression to use for Grafana role lookup.
RoleAttributeStrict bool: If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
Scopes string: List of comma- or space-separated OAuth2 scopes.
SignoutRedirectUrl string: The URL to redirect the user to after signing out from Grafana.
SkipOrgRoleSync bool: Prevent synchronizing users’ organization roles from your IdP.
TeamIds string: String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
TeamIdsAttributePath string: The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
TeamsUrl string: The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
TlsClientCa string: The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
TlsClientCert string: The path to the certificate. Is not applicable on Grafana Cloud.
TlsClientKey string: The path to the key. Is not applicable on Grafana Cloud.
TlsSkipVerifyInsecure bool: If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
TokenUrl string: The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
UsePkce bool: If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
UseRefreshToken bool: If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.

clientId String: The client Id of your OAuth2 app.
allowAssignGrafanaAdmin Boolean: If enabled, it will automatically sync the Grafana server administrator role.
allowSignUp Boolean: If not enabled, only existing Grafana users can log in using OAuth.
allowedDomains String: List of comma- or space-separated domains. The user should belong to at least one domain to log in.
allowedGroups String: List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
allowedOrganizations String: List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
apiUrl String: The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
authStyle String: It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
authUrl String: The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
autoLogin Boolean: Log in automatically, skipping the login screen.
clientSecret String: The client secret of your OAuth2 app.
custom Map<String,String>: Custom fields to configure for OAuth2 such as the forceusegraph_api field.
defineAllowedGroups Boolean: Define allowed groups.
defineAllowedTeamsIds Boolean: Define allowed teams ids.
emailAttributeName String: Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
emailAttributePath String: JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
emptyScopes Boolean: If enabled, no scopes will be sent to the OAuth2 provider.
enabled Boolean: Define whether this configuration is enabled for the specified provider. Defaults to true.
groupsAttributePath String: JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
idTokenAttributeName String: The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
loginAttributePath String: JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
name String: Helpful if you use more than one identity providers or SSO protocols.
nameAttributePath String: JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
roleAttributePath String: JMESPath expression to use for Grafana role lookup.
roleAttributeStrict Boolean: If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
scopes String: List of comma- or space-separated OAuth2 scopes.
signoutRedirectUrl String: The URL to redirect the user to after signing out from Grafana.
skipOrgRoleSync Boolean: Prevent synchronizing users’ organization roles from your IdP.
teamIds String: String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
teamIdsAttributePath String: The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
teamsUrl String: The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
tlsClientCa String: The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
tlsClientCert String: The path to the certificate. Is not applicable on Grafana Cloud.
tlsClientKey String: The path to the key. Is not applicable on Grafana Cloud.
tlsSkipVerifyInsecure Boolean: If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
tokenUrl String: The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
usePkce Boolean: If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
useRefreshToken Boolean: If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.

clientId string: The client Id of your OAuth2 app.
allowAssignGrafanaAdmin boolean: If enabled, it will automatically sync the Grafana server administrator role.
allowSignUp boolean: If not enabled, only existing Grafana users can log in using OAuth.
allowedDomains string: List of comma- or space-separated domains. The user should belong to at least one domain to log in.
allowedGroups string: List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
allowedOrganizations string: List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
apiUrl string: The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
authStyle string: It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
authUrl string: The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
autoLogin boolean: Log in automatically, skipping the login screen.
clientSecret string: The client secret of your OAuth2 app.
custom {[key: string]: string}: Custom fields to configure for OAuth2 such as the forceusegraph_api field.
defineAllowedGroups boolean: Define allowed groups.
defineAllowedTeamsIds boolean: Define allowed teams ids.
emailAttributeName string: Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
emailAttributePath string: JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
emptyScopes boolean: If enabled, no scopes will be sent to the OAuth2 provider.
enabled boolean: Define whether this configuration is enabled for the specified provider. Defaults to true.
groupsAttributePath string: JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
idTokenAttributeName string: The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
loginAttributePath string: JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
name string: Helpful if you use more than one identity providers or SSO protocols.
nameAttributePath string: JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
roleAttributePath string: JMESPath expression to use for Grafana role lookup.
roleAttributeStrict boolean: If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
scopes string: List of comma- or space-separated OAuth2 scopes.
signoutRedirectUrl string: The URL to redirect the user to after signing out from Grafana.
skipOrgRoleSync boolean: Prevent synchronizing users’ organization roles from your IdP.
teamIds string: String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
teamIdsAttributePath string: The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
teamsUrl string: The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
tlsClientCa string: The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
tlsClientCert string: The path to the certificate. Is not applicable on Grafana Cloud.
tlsClientKey string: The path to the key. Is not applicable on Grafana Cloud.
tlsSkipVerifyInsecure boolean: If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
tokenUrl string: The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
usePkce boolean: If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
useRefreshToken boolean: If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.

client_id str: The client Id of your OAuth2 app.
allow_assign_grafana_admin bool: If enabled, it will automatically sync the Grafana server administrator role.
allow_sign_up bool: If not enabled, only existing Grafana users can log in using OAuth.
allowed_domains str: List of comma- or space-separated domains. The user should belong to at least one domain to log in.
allowed_groups str: List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
allowed_organizations str: List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
api_url str: The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
auth_style str: It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
auth_url str: The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
auto_login bool: Log in automatically, skipping the login screen.
client_secret str: The client secret of your OAuth2 app.
custom Mapping[str, str]: Custom fields to configure for OAuth2 such as the forceusegraph_api field.
define_allowed_groups bool: Define allowed groups.
define_allowed_teams_ids bool: Define allowed teams ids.
email_attribute_name str: Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
email_attribute_path str: JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
empty_scopes bool: If enabled, no scopes will be sent to the OAuth2 provider.
enabled bool: Define whether this configuration is enabled for the specified provider. Defaults to true.
groups_attribute_path str: JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
id_token_attribute_name str: The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
login_attribute_path str: JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
name str: Helpful if you use more than one identity providers or SSO protocols.
name_attribute_path str: JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
role_attribute_path str: JMESPath expression to use for Grafana role lookup.
role_attribute_strict bool: If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
scopes str: List of comma- or space-separated OAuth2 scopes.
signout_redirect_url str: The URL to redirect the user to after signing out from Grafana.
skip_org_role_sync bool: Prevent synchronizing users’ organization roles from your IdP.
team_ids str: String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
team_ids_attribute_path str: The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
teams_url str: The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
tls_client_ca str: The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
tls_client_cert str: The path to the certificate. Is not applicable on Grafana Cloud.
tls_client_key str: The path to the key. Is not applicable on Grafana Cloud.
tls_skip_verify_insecure bool: If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
token_url str: The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
use_pkce bool: If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
use_refresh_token bool: If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.

clientId String: The client Id of your OAuth2 app.
allowAssignGrafanaAdmin Boolean: If enabled, it will automatically sync the Grafana server administrator role.
allowSignUp Boolean: If not enabled, only existing Grafana users can log in using OAuth.
allowedDomains String: List of comma- or space-separated domains. The user should belong to at least one domain to log in.
allowedGroups String: List of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowedgroups, you must also configure groupsattribute_path.
allowedOrganizations String: List of comma- or space-separated organizations. The user should be a member of at least one organization to log in.
apiUrl String: The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.
authStyle String: It determines how clientid and clientsecret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.
authUrl String: The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
autoLogin Boolean: Log in automatically, skipping the login screen.
clientSecret String: The client secret of your OAuth2 app.
custom Map<String>: Custom fields to configure for OAuth2 such as the forceusegraph_api field.
defineAllowedGroups Boolean: Define allowed groups.
defineAllowedTeamsIds Boolean: Define allowed teams ids.
emailAttributeName String: Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.
emailAttributePath String: JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.
emptyScopes Boolean: If enabled, no scopes will be sent to the OAuth2 provider.
enabled Boolean: Define whether this configuration is enabled for the specified provider. Defaults to true.
groupsAttributePath String: JMESPath expression to use for user group lookup. If you configure allowedgroups, you must also configure groupsattribute_path.
idTokenAttributeName String: The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.
loginAttributePath String: JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
name String: Helpful if you use more than one identity providers or SSO protocols.
nameAttributePath String: JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
roleAttributePath String: JMESPath expression to use for Grafana role lookup.
roleAttributeStrict Boolean: If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
scopes String: List of comma- or space-separated OAuth2 scopes.
signoutRedirectUrl String: The URL to redirect the user to after signing out from Grafana.
skipOrgRoleSync Boolean: Prevent synchronizing users’ organization roles from your IdP.
teamIds String: String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure teamids, you must also configure teamsurl and teamidsattribute_path.
teamIdsAttributePath String: The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.
teamsUrl String: The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teamsurl, you must also configure teamidsattributepath. Only applicable to Generic OAuth.
tlsClientCa String: The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.
tlsClientCert String: The path to the certificate. Is not applicable on Grafana Cloud.
tlsClientKey String: The path to the key. Is not applicable on Grafana Cloud.
tlsSkipVerifyInsecure Boolean: If enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
tokenUrl String: The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.
usePkce Boolean: If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.
useRefreshToken Boolean: If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.

SsoSettingsSamlSettings, SsoSettingsSamlSettingsArgs

AllowIdpInitiated bool: Whether SAML IdP-initiated login is allowed.
AllowSignUp bool: Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
AllowedOrganizations string: List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
AssertionAttributeEmail string: Friendly name or name of the attribute within the SAML assertion to use as the user email.
AssertionAttributeGroups string: Friendly name or name of the attribute within the SAML assertion to use as the user groups.
AssertionAttributeLogin string: Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
AssertionAttributeName string: Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
AssertionAttributeOrg string: Friendly name or name of the attribute within the SAML assertion to use as the user organization.
AssertionAttributeRole string: Friendly name or name of the attribute within the SAML assertion to use as the user roles.
AutoLogin bool: Whether SAML auto login is enabled.
Certificate string: Base64-encoded string for the SP X.509 certificate.
CertificatePath string: Path for the SP X.509 certificate.
Enabled bool: Define whether this configuration is enabled for SAML. Defaults to true.
IdpMetadata string: Base64-encoded string for the IdP SAML metadata XML.
IdpMetadataPath string: Path for the IdP SAML metadata XML.
IdpMetadataUrl string: URL for the IdP SAML metadata XML.
MaxIssueDelay string: Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
MetadataValidDuration string: Duration, for how long the SP metadata is valid. For example: 48h, 5d.
Name string: Name used to refer to the SAML authentication.
NameIdFormat string: The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
OrgMapping string: List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
PrivateKey string: Base64-encoded string for the SP private key.
PrivateKeyPath string: Path for the SP private key.
RelayState string: Relay state for IdP-initiated login. Should match relay state configured in IdP.
RoleValuesAdmin string: List of comma- or space-separated roles which will be mapped into the Admin role.
RoleValuesEditor string: List of comma- or space-separated roles which will be mapped into the Editor role.
RoleValuesGrafanaAdmin string: List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
RoleValuesNone string: List of comma- or space-separated roles which will be mapped into the None role.
SignatureAlgorithm string: Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
SingleLogout bool: Whether SAML Single Logout is enabled.
SkipOrgRoleSync bool: Prevent synchronizing users’ organization roles from your IdP.

AllowIdpInitiated bool: Whether SAML IdP-initiated login is allowed.
AllowSignUp bool: Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
AllowedOrganizations string: List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
AssertionAttributeEmail string: Friendly name or name of the attribute within the SAML assertion to use as the user email.
AssertionAttributeGroups string: Friendly name or name of the attribute within the SAML assertion to use as the user groups.
AssertionAttributeLogin string: Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
AssertionAttributeName string: Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
AssertionAttributeOrg string: Friendly name or name of the attribute within the SAML assertion to use as the user organization.
AssertionAttributeRole string: Friendly name or name of the attribute within the SAML assertion to use as the user roles.
AutoLogin bool: Whether SAML auto login is enabled.
Certificate string: Base64-encoded string for the SP X.509 certificate.
CertificatePath string: Path for the SP X.509 certificate.
Enabled bool: Define whether this configuration is enabled for SAML. Defaults to true.
IdpMetadata string: Base64-encoded string for the IdP SAML metadata XML.
IdpMetadataPath string: Path for the IdP SAML metadata XML.
IdpMetadataUrl string: URL for the IdP SAML metadata XML.
MaxIssueDelay string: Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
MetadataValidDuration string: Duration, for how long the SP metadata is valid. For example: 48h, 5d.
Name string: Name used to refer to the SAML authentication.
NameIdFormat string: The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
OrgMapping string: List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
PrivateKey string: Base64-encoded string for the SP private key.
PrivateKeyPath string: Path for the SP private key.
RelayState string: Relay state for IdP-initiated login. Should match relay state configured in IdP.
RoleValuesAdmin string: List of comma- or space-separated roles which will be mapped into the Admin role.
RoleValuesEditor string: List of comma- or space-separated roles which will be mapped into the Editor role.
RoleValuesGrafanaAdmin string: List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
RoleValuesNone string: List of comma- or space-separated roles which will be mapped into the None role.
SignatureAlgorithm string: Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
SingleLogout bool: Whether SAML Single Logout is enabled.
SkipOrgRoleSync bool: Prevent synchronizing users’ organization roles from your IdP.

allowIdpInitiated Boolean: Whether SAML IdP-initiated login is allowed.
allowSignUp Boolean: Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
allowedOrganizations String: List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
assertionAttributeEmail String: Friendly name or name of the attribute within the SAML assertion to use as the user email.
assertionAttributeGroups String: Friendly name or name of the attribute within the SAML assertion to use as the user groups.
assertionAttributeLogin String: Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
assertionAttributeName String: Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
assertionAttributeOrg String: Friendly name or name of the attribute within the SAML assertion to use as the user organization.
assertionAttributeRole String: Friendly name or name of the attribute within the SAML assertion to use as the user roles.
autoLogin Boolean: Whether SAML auto login is enabled.
certificate String: Base64-encoded string for the SP X.509 certificate.
certificatePath String: Path for the SP X.509 certificate.
enabled Boolean: Define whether this configuration is enabled for SAML. Defaults to true.
idpMetadata String: Base64-encoded string for the IdP SAML metadata XML.
idpMetadataPath String: Path for the IdP SAML metadata XML.
idpMetadataUrl String: URL for the IdP SAML metadata XML.
maxIssueDelay String: Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
metadataValidDuration String: Duration, for how long the SP metadata is valid. For example: 48h, 5d.
name String: Name used to refer to the SAML authentication.
nameIdFormat String: The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
orgMapping String: List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
privateKey String: Base64-encoded string for the SP private key.
privateKeyPath String: Path for the SP private key.
relayState String: Relay state for IdP-initiated login. Should match relay state configured in IdP.
roleValuesAdmin String: List of comma- or space-separated roles which will be mapped into the Admin role.
roleValuesEditor String: List of comma- or space-separated roles which will be mapped into the Editor role.
roleValuesGrafanaAdmin String: List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
roleValuesNone String: List of comma- or space-separated roles which will be mapped into the None role.
signatureAlgorithm String: Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
singleLogout Boolean: Whether SAML Single Logout is enabled.
skipOrgRoleSync Boolean: Prevent synchronizing users’ organization roles from your IdP.

allowIdpInitiated boolean: Whether SAML IdP-initiated login is allowed.
allowSignUp boolean: Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
allowedOrganizations string: List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
assertionAttributeEmail string: Friendly name or name of the attribute within the SAML assertion to use as the user email.
assertionAttributeGroups string: Friendly name or name of the attribute within the SAML assertion to use as the user groups.
assertionAttributeLogin string: Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
assertionAttributeName string: Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
assertionAttributeOrg string: Friendly name or name of the attribute within the SAML assertion to use as the user organization.
assertionAttributeRole string: Friendly name or name of the attribute within the SAML assertion to use as the user roles.
autoLogin boolean: Whether SAML auto login is enabled.
certificate string: Base64-encoded string for the SP X.509 certificate.
certificatePath string: Path for the SP X.509 certificate.
enabled boolean: Define whether this configuration is enabled for SAML. Defaults to true.
idpMetadata string: Base64-encoded string for the IdP SAML metadata XML.
idpMetadataPath string: Path for the IdP SAML metadata XML.
idpMetadataUrl string: URL for the IdP SAML metadata XML.
maxIssueDelay string: Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
metadataValidDuration string: Duration, for how long the SP metadata is valid. For example: 48h, 5d.
name string: Name used to refer to the SAML authentication.
nameIdFormat string: The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
orgMapping string: List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
privateKey string: Base64-encoded string for the SP private key.
privateKeyPath string: Path for the SP private key.
relayState string: Relay state for IdP-initiated login. Should match relay state configured in IdP.
roleValuesAdmin string: List of comma- or space-separated roles which will be mapped into the Admin role.
roleValuesEditor string: List of comma- or space-separated roles which will be mapped into the Editor role.
roleValuesGrafanaAdmin string: List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
roleValuesNone string: List of comma- or space-separated roles which will be mapped into the None role.
signatureAlgorithm string: Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
singleLogout boolean: Whether SAML Single Logout is enabled.
skipOrgRoleSync boolean: Prevent synchronizing users’ organization roles from your IdP.

allow_idp_initiated bool: Whether SAML IdP-initiated login is allowed.
allow_sign_up bool: Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
allowed_organizations str: List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
assertion_attribute_email str: Friendly name or name of the attribute within the SAML assertion to use as the user email.
assertion_attribute_groups str: Friendly name or name of the attribute within the SAML assertion to use as the user groups.
assertion_attribute_login str: Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
assertion_attribute_name str: Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
assertion_attribute_org str: Friendly name or name of the attribute within the SAML assertion to use as the user organization.
assertion_attribute_role str: Friendly name or name of the attribute within the SAML assertion to use as the user roles.
auto_login bool: Whether SAML auto login is enabled.
certificate str: Base64-encoded string for the SP X.509 certificate.
certificate_path str: Path for the SP X.509 certificate.
enabled bool: Define whether this configuration is enabled for SAML. Defaults to true.
idp_metadata str: Base64-encoded string for the IdP SAML metadata XML.
idp_metadata_path str: Path for the IdP SAML metadata XML.
idp_metadata_url str: URL for the IdP SAML metadata XML.
max_issue_delay str: Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
metadata_valid_duration str: Duration, for how long the SP metadata is valid. For example: 48h, 5d.
name str: Name used to refer to the SAML authentication.
name_id_format str: The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
org_mapping str: List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
private_key str: Base64-encoded string for the SP private key.
private_key_path str: Path for the SP private key.
relay_state str: Relay state for IdP-initiated login. Should match relay state configured in IdP.
role_values_admin str: List of comma- or space-separated roles which will be mapped into the Admin role.
role_values_editor str: List of comma- or space-separated roles which will be mapped into the Editor role.
role_values_grafana_admin str: List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
role_values_none str: List of comma- or space-separated roles which will be mapped into the None role.
signature_algorithm str: Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
single_logout bool: Whether SAML Single Logout is enabled.
skip_org_role_sync bool: Prevent synchronizing users’ organization roles from your IdP.

allowIdpInitiated Boolean: Whether SAML IdP-initiated login is allowed.
allowSignUp Boolean: Whether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.
allowedOrganizations String: List of comma- or space-separated organizations. User should be a member of at least one organization to log in.
assertionAttributeEmail String: Friendly name or name of the attribute within the SAML assertion to use as the user email.
assertionAttributeGroups String: Friendly name or name of the attribute within the SAML assertion to use as the user groups.
assertionAttributeLogin String: Friendly name or name of the attribute within the SAML assertion to use as the user login handle.
assertionAttributeName String: Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.
assertionAttributeOrg String: Friendly name or name of the attribute within the SAML assertion to use as the user organization.
assertionAttributeRole String: Friendly name or name of the attribute within the SAML assertion to use as the user roles.
autoLogin Boolean: Whether SAML auto login is enabled.
certificate String: Base64-encoded string for the SP X.509 certificate.
certificatePath String: Path for the SP X.509 certificate.
enabled Boolean: Define whether this configuration is enabled for SAML. Defaults to true.
idpMetadata String: Base64-encoded string for the IdP SAML metadata XML.
idpMetadataPath String: Path for the IdP SAML metadata XML.
idpMetadataUrl String: URL for the IdP SAML metadata XML.
maxIssueDelay String: Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.
metadataValidDuration String: Duration, for how long the SP metadata is valid. For example: 48h, 5d.
name String: Name used to refer to the SAML authentication.
nameIdFormat String: The Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient
orgMapping String: List of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: Viewer, Editor or Admin.
privateKey String: Base64-encoded string for the SP private key.
privateKeyPath String: Path for the SP private key.
relayState String: Relay state for IdP-initiated login. Should match relay state configured in IdP.
roleValuesAdmin String: List of comma- or space-separated roles which will be mapped into the Admin role.
roleValuesEditor String: List of comma- or space-separated roles which will be mapped into the Editor role.
roleValuesGrafanaAdmin String: List of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.
roleValuesNone String: List of comma- or space-separated roles which will be mapped into the None role.
signatureAlgorithm String: Signature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.
singleLogout Boolean: Whether SAML Single Logout is enabled.
skipOrgRoleSync Boolean: Prevent synchronizing users’ organization roles from your IdP.

Import

$ pulumi import grafana:index/ssoSettings:SsoSettings name "{{ provider }}"

$ pulumi import grafana:index/ssoSettings:SsoSettings name "{{ orgID }}:{{ provider }}"

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: grafana pulumiverse/pulumi-grafana
License: Apache-2.0
Notes: This Pulumi package is based on the grafana Terraform Provider.

Grafana v0.5.1 published on Wednesday, Jun 12, 2024 by pulumiverse

pulumiverse/pulumi-grafana

grafana.SsoSettings

On this page

On this page

Example Usage

Create SsoSettings Resource

Constructor syntax

Parameters

Constructor example

SsoSettings Resource Properties

Inputs

Outputs

Look up Existing SsoSettings Resource

Supporting Types

SsoSettingsOauth2Settings, SsoSettingsOauth2SettingsArgs

SsoSettingsSamlSettings, SsoSettingsSamlSettingsArgs

Import

Package Details

On this page

On this page