Configure Amazon Managed Grafana to use CyberArk
Use the following steps to configure Amazon Managed Grafana to use CyberArk as an identity provider. These steps assume that you have already created your Amazon Managed Grafana workspace and you have made a note of the workspace's ID, URLs, and Region.
Step 1: Steps to complete in CyberArk
Complete the following steps in CyberArk.
To set up CyberArk as an identity provider for Amazon Managed Grafana
- Sign in to the CyberArk Identity Admin Portal.
- Choose Apps, Web Apps.
- Choose Add Web App.
- Search for Amazon Managed Grafana for SAML2.0, and choose Add.
- In the CyberArk application configuration, go to the Trust section.
- Under Identity Provider Configuration, choose Metadata.
- Choose Copy URL and save the URL to use later in these steps.
- Under Service Provider Configuration, choose Manual Configuration.
- Specify your SAML settings:
  - For SP Entity ID, paste in your Service provider identifier URL from the Amazon Managed Grafana workspace.
  - For Assertion Consumer Service (ACS) URL, paste in your Service provider reply URL from the Amazon Managed Grafana workspace.
  - Set Sign Response Assertion to Assertion.
  - Make sure that NameID Format is emailAddress.
- Choose Save.
- In the SAML Response section, make sure that the Amazon Managed Grafana attribute is in Application Name and that the CyberArk attribute is in Attribute Value. Then make sure that the following attributes are mapped. Attribute names are case sensitive.
  - displayName is set with LoginUser.DisplayName.
  - mail is set with LoginUser.Email.
  - Add any other attributes that you want to pass, such as the attribute that carries the user's role for Amazon Managed Grafana. For more information about the attributes that you can pass to Amazon Managed Grafana in the assertion mapping, see Assertion mapping.
- Choose Save.
- In the Permissions section, choose which users and groups to assign this application to, and then choose Save.
Step 2: Steps to complete in Amazon Managed Grafana
Complete the following steps in the Amazon Managed Grafana console.
To finish setting up CyberArk as an identity provider for Amazon Managed Grafana
- Open the Amazon Managed Grafana console at https://console.aws.amazon.com/grafana/.
- In the navigation pane, choose the menu icon.
- Choose All workspaces.
- Choose the name of the workspace.
- In the Authentication tab, choose Setup SAML configuration.
- Under Import the metadata, choose Upload or copy/paste and paste the CyberArk metadata URL that you copied in the previous procedure.
- Under Assertion mapping, do the following:
  - Make sure that I want to opt-out of assigning admins to my workspace is not selected.
    Note
    If you choose I want to opt-out of assigning admins to my workspace, you won't be able to use the Amazon Managed Grafana workspace console to administer the workspace, including tasks such as managing data sources, users, and dashboard permissions. You can make administrative changes to the workspace only by using Grafana APIs.
  - Set Assertion attribute role to the name of the attribute that you chose in CyberArk to carry the user's role. The name is case sensitive.
  - Set Admin role values to the value or values of that attribute that correspond to your admin users' roles.
  - (Optional) If you changed the default attributes in your CyberArk application, expand Additional settings - optional and then set the new attribute names.
    By default, the CyberArk displayName attribute is passed to the name attribute, and the CyberArk mail attribute is passed to both the email and login attributes.
- Choose Save SAML Configuration.
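The procedure above is done in the console. The following added example (not AWS or CyberArk code) shows the same Step 2 configuration done programmatically: it sanity-checks the IdP metadata that the CyberArk metadata URL returns (entity ID, an HTTPS SSO endpoint, a signing certificate, the emailAddress NameID format), builds the samlConfiguration structure that the Amazon Managed Grafana UpdateWorkspaceAuthentication API accepts with the default displayName/mail attribute mapping from the procedure, and optionally applies it with boto3. The metadata XML, URLs, the role attribute name `Role` and the admin value `Admin` are constructed placeholders; substitute the values from your own CyberArk application and workspace.

```python
"""Programmatic equivalent of Step 2 (added example; the metadata below is a
constructed stand-in for what CyberArk's metadata URL returns)."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata; entityID, locations and certificate are placeholders.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://example.my.idaptive.app/abc123/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://example.my.idaptive.app/applogin/appKey/abc123"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://example.my.idaptive.app/applogin/appKey/abc123"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text: str) -> dict:
    """Extract what the workspace will rely on from the IdP metadata and raise
    if a required piece is missing: entityID, an HTTPS SSO endpoint and a
    signing certificate. Also reports whether emailAddress NameID is advertised,
    which this guide requires in CyberArk."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    sso_url = sso.get(REDIRECT) or sso.get(POST)
    if not sso_url or urlparse(sso_url).scheme != "https":
        raise ValueError("no HTTPS SingleSignOnService endpoint")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no 'use' means signing and encryption
            certs += [c.text.strip() for c in kd.iter(f"{{{DS}}}X509Certificate") if c.text]
    if not certs:
        raise ValueError("no signing certificate in metadata; assertions could not be verified")
    formats = [f.text or "" for f in idp.findall(f"{{{MD}}}NameIDFormat")]
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        "signing_certs": len(certs),
        "email_nameid": any(f.endswith(":emailAddress") for f in formats),
    }


def build_saml_configuration(metadata_url, role_attribute, admin_role_values,
                             editor_role_values=(), name_attribute="displayName",
                             email_attribute="mail", login_attribute="mail"):
    """Return the samlConfiguration structure for UpdateWorkspaceAuthentication,
    mirroring the console fields in Step 2. Defaults match the procedure:
    displayName -> name, mail -> email and login. Names are case sensitive."""
    if urlparse(metadata_url).scheme != "https":
        raise ValueError("IdP metadata URL must be https")
    if not role_attribute:
        raise ValueError("Assertion attribute role is required")
    if not admin_role_values:
        raise ValueError("at least one Admin role value is required unless you opt out of admins")
    config = {
        "idpMetadata": {"url": metadata_url},
        "assertionAttributes": {
            "name": name_attribute,
            "email": email_attribute,
            "login": login_attribute,
            "role": role_attribute,
        },
        "roleValues": {"admin": list(admin_role_values)},
    }
    if editor_role_values:
        config["roleValues"]["editor"] = list(editor_role_values)
    return config


def apply_saml_configuration(workspace_id, config, region):
    """Push the configuration with boto3. Assumes AWS credentials allowed to call
    grafana:UpdateWorkspaceAuthentication on the workspace."""
    import boto3  # imported here so the checks above run without boto3 installed
    client = boto3.client("grafana", region_name=region)
    return client.update_workspace_authentication(
        workspaceId=workspace_id, authenticationProviders=["SAML"], samlConfiguration=config)


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_IDP_METADATA))
    cfg = build_saml_configuration(
        "https://example.my.idaptive.app/saasManage/DownloadSAMLMetadataForApp?appkey=abc123",
        role_attribute="Role", admin_role_values=["Admin"])
    print(json.dumps(cfg, indent=2))
    # apply_saml_configuration("g-abcdef1234", cfg, "us-east-1")  # placeholder workspace ID
```

Fetch the metadata URL yourself (for example with `urllib.request`) and run `check_idp_metadata` on the body before applying the configuration; a metadata document without a signing certificate, or with an HTTP rather than HTTPS SSO endpoint, should stop the rollout rather than be pasted into the console.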