{ "description": "SsoSettings is the Schema for the SsoSettingss API. Manages Grafana SSO Settings for OAuth2, SAML and LDAP. Support for LDAP is currently in preview, it will be available in Grafana starting with v11.3. Official documentation https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/HTTP API https://grafana.com/docs/grafana/latest/developers/http_api/sso-settings/", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "SsoSettingsSpec defines the desired state of SsoSettings", "properties": { "deletionPolicy": { "default": "Delete", "description": "DeletionPolicy specifies what will happen to the underlying external\nwhen this managed resource is deleted - either \"Delete\" or \"Orphan\" the\nexternal resource.\nThis field is planned to be deprecated in favor of the ManagementPolicies\nfield in a future release. Currently, both could be set independently and\nnon-default values would be honored if the feature flag is enabled.\nSee the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223", "enum": [ "Orphan", "Delete" ], "type": "string" }, "forProvider": { "properties": { "ldapSettings": { "description": "(Block Set, Max: 1) The LDAP settings set. Required for the ldap provider. (see below for nested schema)\nThe LDAP settings set. Required for the ldap provider.", "items": { "properties": { "allowSignUp": { "description": "(Boolean) Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.\nWhether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.", "type": "boolean" }, "config": { "description": "(Block List, Min: 1, Max: 1) The LDAP configuration. (see below for nested schema)\nThe LDAP configuration.", "items": { "properties": { "servers": { "description": "(Block List, Min: 1) The LDAP servers configuration. (see below for nested schema)\nThe LDAP servers configuration.", "items": { "properties": { "attributes": { "additionalProperties": { "type": "string" }, "description": "(Map of String) The LDAP server attributes. The following attributes can be configured: email, member_of, name, surname, username.\nThe LDAP server attributes. The following attributes can be configured: email, member_of, name, surname, username.", "type": "object", "x-kubernetes-map-type": "granular" }, "bindDn": { "description": "(String) The search user bind DN.\nThe search user bind DN.", "type": "string" }, "bindPasswordSecretRef": { "description": "(String, Sensitive) The search user bind password.\nThe search user bind password.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "clientCert": { "description": "(String) The path to the client certificate.\nThe path to the client certificate.", "type": "string" }, "clientCertValue": { "description": "(String) The Base64 encoded value of the client certificate.\nThe Base64 encoded value of the client certificate.", "type": "string" }, "clientKeySecretRef": { "description": "(String, Sensitive) The path to the client private key.\nThe path to the client private key.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "clientKeyValueSecretRef": { "description": "(String, Sensitive) The Base64 encoded value of the client private key.\nThe Base64 encoded value of the client private key.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "groupMappings": { "description": "(Block List) For mapping an LDAP group to a Grafana organization and role. (see below for nested schema)\nFor mapping an LDAP group to a Grafana organization and role.", "items": { "properties": { "grafanaAdmin": { "description": "(Boolean) If set to true, it makes the user of group_dn Grafana server admin.\nIf set to true, it makes the user of group_dn Grafana server admin.", "type": "boolean" }, "groupDn": { "description": "(String) LDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard (\"*\").\nLDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard (\"*\").", "type": "string" }, "orgId": { "description": "(Number) The Grafana organization database id.\nThe Grafana organization database id.", "type": "number" }, "orgRole": { "description": "(String) Assign users of group_dn the organization role Admin, Editor, or Viewer.\nAssign users of group_dn the organization role Admin, Editor, or Viewer.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "groupSearchBaseDns": { "description": "(List of String) An array of the base DNs to search through for groups. Typically uses ou=groups.\nAn array of the base DNs to search through for groups. Typically uses ou=groups.", "items": { "type": "string" }, "type": "array" }, "groupSearchFilter": { "description": "(String) Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).\nGroup search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).", "type": "string" }, "groupSearchFilterUserAttribute": { "description": "(String) The %s in the search filter will be replaced with the attribute defined in this field.\nThe %s in the search filter will be replaced with the attribute defined in this field.", "type": "string" }, "host": { "description": "(String) The LDAP server host.\nThe LDAP server host.", "type": "string" }, "minTlsVersion": { "description": "(String) Minimum TLS version allowed. Accepted values are: TLS1.2, TLS1.3.\nMinimum TLS version allowed. Accepted values are: TLS1.2, TLS1.3.", "type": "string" }, "port": { "description": "(Number) The LDAP server port.\nThe LDAP server port.", "type": "number" }, "rootCaCert": { "description": "(String) The path to the root CA certificate.\nThe path to the root CA certificate.", "type": "string" }, "rootCaCertValue": { "description": "(List of String) The Base64 encoded values of the root CA certificates.\nThe Base64 encoded values of the root CA certificates.", "items": { "type": "string" }, "type": "array" }, "searchBaseDns": { "description": "(List of String) An array of base DNs to search through.\nAn array of base DNs to search through.", "items": { "type": "string" }, "type": "array" }, "searchFilter": { "description": "(String) The user search filter, for example \"(cn=%s)\" or \"(sAMAccountName=%s)\" or \"(uid=%s)\".\nThe user search filter, for example \"(cn=%s)\" or \"(sAMAccountName=%s)\" or \"(uid=%s)\".", "type": "string" }, "sslSkipVerify": { "description": "(Boolean) If set to true, the SSL cert validation will be skipped.\nIf set to true, the SSL cert validation will be skipped.", "type": "boolean" }, "startTls": { "description": "(Boolean) If set to true, use LDAP with STARTTLS instead of LDAPS.\nIf set to true, use LDAP with STARTTLS instead of LDAPS.", "type": "boolean" }, "timeout": { "description": "(Number) The timeout in seconds for connecting to the LDAP host.\nThe timeout in seconds for connecting to the LDAP host.", "type": "number" }, "tlsCiphers": { "description": "(List of String) Accepted TLS ciphers. For a complete list of supported ciphers, refer to: https://go.dev/src/crypto/tls/cipher_suites.go.\nAccepted TLS ciphers. For a complete list of supported ciphers, refer to: https://go.dev/src/crypto/tls/cipher_suites.go.", "items": { "type": "string" }, "type": "array" }, "useSsl": { "description": "(Boolean) Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS).\nSet to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS).", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "enabled": { "description": "(Boolean) Define whether this configuration is enabled for LDAP. Defaults to true.\nDefine whether this configuration is enabled for LDAP. Defaults to `true`.", "type": "boolean" }, "skipOrgRoleSync": { "description": "(Boolean) Prevent synchronizing users\u2019 organization roles from LDAP.\nPrevent synchronizing users\u2019 organization roles from LDAP.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "oauth2Settings": { "description": "(Block Set, Max: 1) The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers. (see below for nested schema)\nThe OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.", "items": { "properties": { "allowAssignGrafanaAdmin": { "description": "(Boolean) If enabled, it will automatically sync the Grafana server administrator role.\nIf enabled, it will automatically sync the Grafana server administrator role.", "type": "boolean" }, "allowSignUp": { "description": "(Boolean) Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.\nIf not enabled, only existing Grafana users can log in using OAuth.", "type": "boolean" }, "allowedDomains": { "description": "or space-separated domains. The user should belong to at least one domain to log in.\nList of comma- or space-separated domains. The user should belong to at least one domain to log in.", "type": "string" }, "allowedGroups": { "description": "or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.\nList of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.", "type": "string" }, "allowedOrganizations": { "description": "or space-separated organizations. The user should be a member of at least one organization to log in.\nList of comma- or space-separated organizations. The user should be a member of at least one organization to log in.", "type": "string" }, "apiUrl": { "description": "(String) The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.\nThe user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.", "type": "string" }, "authStyle": { "description": "(String) It determines how client_id and client_secret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.\nIt determines how client_id and client_secret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.", "type": "string" }, "authUrl": { "description": "(String) The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.\nThe authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.", "type": "string" }, "autoLogin": { "description": "(Boolean) Log in automatically, skipping the login screen.\nLog in automatically, skipping the login screen.", "type": "boolean" }, "clientId": { "description": "(String) The client Id of your OAuth2 app.\nThe client Id of your OAuth2 app.", "type": "string" }, "clientSecretSecretRef": { "description": "(String, Sensitive) The client secret of your OAuth2 app.\nThe client secret of your OAuth2 app.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "custom": { "additionalProperties": { "type": "string" }, "description": "(Map of String) Custom fields to configure for OAuth2 such as the force_use_graph_api field.\nCustom fields to configure for OAuth2 such as the [force_use_graph_api](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/azuread/#force-fetching-groups-from-microsoft-graph-api) field.", "type": "object", "x-kubernetes-map-type": "granular" }, "defineAllowedGroups": { "description": "(Boolean) Define allowed groups.\nDefine allowed groups.", "type": "boolean" }, "defineAllowedTeamsIds": { "description": "(Boolean) Define allowed teams ids.\nDefine allowed teams ids.", "type": "boolean" }, "emailAttributeName": { "description": "(String) Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.\nName of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.", "type": "string" }, "emailAttributePath": { "description": "(String) JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.\nJMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.", "type": "string" }, "emptyScopes": { "description": "(Boolean) If enabled, no scopes will be sent to the OAuth2 provider.\nIf enabled, no scopes will be sent to the OAuth2 provider.", "type": "boolean" }, "enabled": { "description": "(Boolean) Define whether this configuration is enabled for LDAP. Defaults to true.\nDefine whether this configuration is enabled for the specified provider. Defaults to `true`.", "type": "boolean" }, "groupsAttributePath": { "description": "(String) JMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.\nJMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.", "type": "string" }, "idTokenAttributeName": { "description": "(String) The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.\nThe name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.", "type": "string" }, "loginAttributePath": { "description": "(String) JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.\nJMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.", "type": "string" }, "loginPrompt": { "description": "(String) Indicates the type of user interaction when the user logs in with the IdP. Available values are login, consent and select_account.\nIndicates the type of user interaction when the user logs in with the IdP. Available values are `login`, `consent` and `select_account`.", "type": "string" }, "name": { "description": "(String) Helpful if you use more than one identity providers or SSO protocols.\nHelpful if you use more than one identity providers or SSO protocols.", "type": "string" }, "nameAttributePath": { "description": "(String) JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user\u2019s display name. Only applicable to Generic OAuth.\nJMESPath expression to use for user name lookup from the user ID token. This name will be used as the user\u2019s display name. Only applicable to Generic OAuth.", "type": "string" }, "orgAttributePath": { "description": "(String) JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match \"Organization\" in the \"org_mapping\"). Only applicable to Generic OAuth and Okta.\nJMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match \"Organization\" in the \"org_mapping\"). Only applicable to Generic OAuth and Okta.", "type": "string" }, "orgMapping": { "description": "or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning \u201cAll users\u201d. Role is optional and can have the following values: None, Viewer, Editor or Admin.\nList of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning \u201cAll users\u201d. Role is optional and can have the following values: None, Viewer, Editor or Admin.", "type": "string" }, "roleAttributePath": { "description": "(String) JMESPath expression to use for Grafana role lookup.\nJMESPath expression to use for Grafana role lookup.", "type": "string" }, "roleAttributeStrict": { "description": "(Boolean) If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.\nIf enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.", "type": "boolean" }, "scopes": { "description": "or space-separated OAuth2 scopes.\nList of comma- or space-separated OAuth2 scopes.", "type": "string" }, "signoutRedirectUrl": { "description": "(String) The URL to redirect the user to after signing out from Grafana.\nThe URL to redirect the user to after signing out from Grafana.", "type": "string" }, "skipOrgRoleSync": { "description": "(Boolean) Prevent synchronizing users\u2019 organization roles from LDAP.\nPrevent synchronizing users\u2019 organization roles from your IdP.", "type": "boolean" }, "teamIds": { "description": "(String) String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.\nString list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.", "type": "string" }, "teamIdsAttributePath": { "description": "(String) The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.\nThe JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.", "type": "string" }, "teamsUrl": { "description": "(String) The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.\nThe URL used to query for Team Ids. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.", "type": "string" }, "tlsClientCa": { "description": "(String) The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.\nThe path to the trusted certificate authority list. Is not applicable on Grafana Cloud.", "type": "string" }, "tlsClientCert": { "description": "(String) The path to the certificate. Is not applicable on Grafana Cloud.\nThe path to the certificate. Is not applicable on Grafana Cloud.", "type": "string" }, "tlsClientKey": { "description": "(String) The path to the key. Is not applicable on Grafana Cloud.\nThe path to the key. Is not applicable on Grafana Cloud.", "type": "string" }, "tlsSkipVerifyInsecure": { "description": "in-the-middle attacks.\nIf enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.", "type": "boolean" }, "tokenUrl": { "description": "(String) The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.\nThe token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.", "type": "string" }, "usePkce": { "description": "(Boolean) If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.\nIf enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.", "type": "boolean" }, "useRefreshToken": { "description": "(Boolean) If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.\nIf enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "providerName": { "description": "(String) The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.\nThe name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.", "type": "string" }, "samlSettings": { "description": "(Block Set, Max: 1) The SAML settings set. Required for the saml provider. (see below for nested schema)\nThe SAML settings set. Required for the saml provider.", "items": { "properties": { "allowIdpInitiated": { "description": "initiated login is allowed.\nWhether SAML IdP-initiated login is allowed.", "type": "boolean" }, "allowSignUp": { "description": "(Boolean) Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.\nWhether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.", "type": "boolean" }, "allowedOrganizations": { "description": "or space-separated organizations. The user should be a member of at least one organization to log in.\nList of comma- or space-separated organizations. User should be a member of at least one organization to log in.", "type": "string" }, "assertionAttributeEmail": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user email.\nFriendly name or name of the attribute within the SAML assertion to use as the user email.", "type": "string" }, "assertionAttributeExternalUid": { "description": "(String) Friendly name of the attribute within the SAML assertion to use as the external user ID. Only used for SCIM provisioned users.\nFriendly name of the attribute within the SAML assertion to use as the external user ID. Only used for SCIM provisioned users.", "type": "string" }, "assertionAttributeGroups": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user groups.\nFriendly name or name of the attribute within the SAML assertion to use as the user groups.", "type": "string" }, "assertionAttributeLogin": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user login handle.\nFriendly name or name of the attribute within the SAML assertion to use as the user login handle.", "type": "string" }, "assertionAttributeName": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.\nFriendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.", "type": "string" }, "assertionAttributeOrg": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user organization.\nFriendly name or name of the attribute within the SAML assertion to use as the user organization.", "type": "string" }, "assertionAttributeRole": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user roles.\nFriendly name or name of the attribute within the SAML assertion to use as the user roles.", "type": "string" }, "autoLogin": { "description": "(Boolean) Log in automatically, skipping the login screen.\nWhether SAML auto login is enabled.", "type": "boolean" }, "certificatePath": { "description": "(String) Path for the SP X.509 certificate.\nPath for the SP X.509 certificate.", "type": "string" }, "certificateSecretRef": { "description": "encoded string for the SP X.509 certificate.\nBase64-encoded string for the SP X.509 certificate.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "clientId": { "description": "(String) The client Id of your OAuth2 app.\nThe client Id of your OAuth2 app.", "type": "string" }, "clientSecret": { "description": "(String, Sensitive) The client secret of your OAuth2 app.\nThe client secret of your OAuth2 app.", "type": "string" }, "enabled": { "description": "(Boolean) Define whether this configuration is enabled for LDAP. Defaults to true.\nDefine whether this configuration is enabled for SAML. Defaults to `true`.", "type": "boolean" }, "entityId": { "description": "(String) The entity ID is a globally unique identifier for the service provider. It is used to identify the service provider to the identity provider. Defaults to the URL of the Grafana instance if not set.\nThe entity ID is a globally unique identifier for the service provider. It is used to identify the service provider to the identity provider. Defaults to the URL of the Grafana instance if not set.", "type": "string" }, "forceUseGraphApi": { "description": "(Boolean) If enabled, Grafana will fetch groups from Microsoft Graph API instead of using the groups claim from the ID token.\nIf enabled, Grafana will fetch groups from Microsoft Graph API instead of using the groups claim from the ID token.", "type": "boolean" }, "idpMetadata": { "description": "encoded string for the IdP SAML metadata XML.\nBase64-encoded string for the IdP SAML metadata XML.", "type": "string" }, "idpMetadataPath": { "description": "(String) Path for the IdP SAML metadata XML.\nPath for the IdP SAML metadata XML.", "type": "string" }, "idpMetadataUrl": { "description": "(String) URL for the IdP SAML metadata XML.\nURL for the IdP SAML metadata XML.", "type": "string" }, "maxIssueDelay": { "description": "(String) Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.\nDuration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.", "type": "string" }, "metadataValidDuration": { "description": "(String) Duration, for how long the SP metadata is valid. For example: 48h, 5d.\nDuration, for how long the SP metadata is valid. For example: 48h, 5d.", "type": "string" }, "name": { "description": "(String) Helpful if you use more than one identity providers or SSO protocols.\nName used to refer to the SAML authentication.", "type": "string" }, "nameIdFormat": { "description": "format:transient\nThe Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "type": "string" }, "orgMapping": { "description": "or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning \u201cAll users\u201d. Role is optional and can have the following values: None, Viewer, Editor or Admin.\nList of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning \u201cAll users\u201d. Role is optional and can have the following values: Viewer, Editor or Admin.", "type": "string" }, "privateKeyPath": { "description": "(String) Path for the SP private key.\nPath for the SP private key.", "type": "string" }, "privateKeySecretRef": { "description": "encoded string for the SP private key.\nBase64-encoded string for the SP private key.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "relayState": { "description": "initiated login. Should match relay state configured in IdP.\nRelay state for IdP-initiated login. Should match relay state configured in IdP.", "type": "string" }, "roleValuesAdmin": { "description": "or space-separated roles which will be mapped into the Admin role.\nList of comma- or space-separated roles which will be mapped into the Admin role.", "type": "string" }, "roleValuesEditor": { "description": "or space-separated roles which will be mapped into the Editor role.\nList of comma- or space-separated roles which will be mapped into the Editor role.", "type": "string" }, "roleValuesGrafanaAdmin": { "description": "or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.\nList of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.", "type": "string" }, "roleValuesNone": { "description": "or space-separated roles which will be mapped into the None role.\nList of comma- or space-separated roles which will be mapped into the None role.", "type": "string" }, "roleValuesViewer": { "description": "or space-separated roles which will be mapped into the Viewer role.\nList of comma- or space-separated roles which will be mapped into the Viewer role.", "type": "string" }, "signatureAlgorithm": { "description": "sha1, rsa-sha256, rsa-sha512.\nSignature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.", "type": "string" }, "singleLogout": { "description": "(Boolean) Whether SAML Single Logout is enabled.\nWhether SAML Single Logout is enabled.", "type": "boolean" }, "skipOrgRoleSync": { "description": "(Boolean) Prevent synchronizing users\u2019 organization roles from LDAP.\nPrevent synchronizing users\u2019 organization roles from your IdP.", "type": "boolean" }, "tokenUrl": { "description": "(String) The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.\nThe token endpoint of your OAuth2 provider. Required for Azure AD providers.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "initProvider": { "description": "THIS IS A BETA FIELD. It will be honored\nunless the Management Policies feature flag is disabled.\nInitProvider holds the same fields as ForProvider, with the exception\nof Identifier and other resource reference fields. The fields that are\nin InitProvider are merged into ForProvider when the resource is created.\nThe same fields are also added to the terraform ignore_changes hook, to\navoid updating them after creation. This is useful for fields that are\nrequired on creation, but we do not desire to update them after creation,\nfor example because of an external controller is managing them, like an\nautoscaler.", "properties": { "ldapSettings": { "description": "(Block Set, Max: 1) The LDAP settings set. Required for the ldap provider. (see below for nested schema)\nThe LDAP settings set. Required for the ldap provider.", "items": { "properties": { "allowSignUp": { "description": "(Boolean) Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.\nWhether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.", "type": "boolean" }, "config": { "description": "(Block List, Min: 1, Max: 1) The LDAP configuration. (see below for nested schema)\nThe LDAP configuration.", "items": { "properties": { "servers": { "description": "(Block List, Min: 1) The LDAP servers configuration. (see below for nested schema)\nThe LDAP servers configuration.", "items": { "properties": { "attributes": { "additionalProperties": { "type": "string" }, "description": "(Map of String) The LDAP server attributes. The following attributes can be configured: email, member_of, name, surname, username.\nThe LDAP server attributes. The following attributes can be configured: email, member_of, name, surname, username.", "type": "object", "x-kubernetes-map-type": "granular" }, "bindDn": { "description": "(String) The search user bind DN.\nThe search user bind DN.", "type": "string" }, "bindPasswordSecretRef": { "description": "(String, Sensitive) The search user bind password.\nThe search user bind password.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "clientCert": { "description": "(String) The path to the client certificate.\nThe path to the client certificate.", "type": "string" }, "clientCertValue": { "description": "(String) The Base64 encoded value of the client certificate.\nThe Base64 encoded value of the client certificate.", "type": "string" }, "clientKeySecretRef": { "description": "(String, Sensitive) The path to the client private key.\nThe path to the client private key.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "clientKeyValueSecretRef": { "description": "(String, Sensitive) The Base64 encoded value of the client private key.\nThe Base64 encoded value of the client private key.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "groupMappings": { "description": "(Block List) For mapping an LDAP group to a Grafana organization and role. (see below for nested schema)\nFor mapping an LDAP group to a Grafana organization and role.", "items": { "properties": { "grafanaAdmin": { "description": "(Boolean) If set to true, it makes the user of group_dn Grafana server admin.\nIf set to true, it makes the user of group_dn Grafana server admin.", "type": "boolean" }, "groupDn": { "description": "(String) LDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard (\"*\").\nLDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard (\"*\").", "type": "string" }, "orgId": { "description": "(Number) The Grafana organization database id.\nThe Grafana organization database id.", "type": "number" }, "orgRole": { "description": "(String) Assign users of group_dn the organization role Admin, Editor, or Viewer.\nAssign users of group_dn the organization role Admin, Editor, or Viewer.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "groupSearchBaseDns": { "description": "(List of String) An array of the base DNs to search through for groups. Typically uses ou=groups.\nAn array of the base DNs to search through for groups. Typically uses ou=groups.", "items": { "type": "string" }, "type": "array" }, "groupSearchFilter": { "description": "(String) Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).\nGroup search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).", "type": "string" }, "groupSearchFilterUserAttribute": { "description": "(String) The %s in the search filter will be replaced with the attribute defined in this field.\nThe %s in the search filter will be replaced with the attribute defined in this field.", "type": "string" }, "host": { "description": "(String) The LDAP server host.\nThe LDAP server host.", "type": "string" }, "minTlsVersion": { "description": "(String) Minimum TLS version allowed. Accepted values are: TLS1.2, TLS1.3.\nMinimum TLS version allowed. Accepted values are: TLS1.2, TLS1.3.", "type": "string" }, "port": { "description": "(Number) The LDAP server port.\nThe LDAP server port.", "type": "number" }, "rootCaCert": { "description": "(String) The path to the root CA certificate.\nThe path to the root CA certificate.", "type": "string" }, "rootCaCertValue": { "description": "(List of String) The Base64 encoded values of the root CA certificates.\nThe Base64 encoded values of the root CA certificates.", "items": { "type": "string" }, "type": "array" }, "searchBaseDns": { "description": "(List of String) An array of base DNs to search through.\nAn array of base DNs to search through.", "items": { "type": "string" }, "type": "array" }, "searchFilter": { "description": "(String) The user search filter, for example \"(cn=%s)\" or \"(sAMAccountName=%s)\" or \"(uid=%s)\".\nThe user search filter, for example \"(cn=%s)\" or \"(sAMAccountName=%s)\" or \"(uid=%s)\".", "type": "string" }, "sslSkipVerify": { "description": "(Boolean) If set to true, the SSL cert validation will be skipped.\nIf set to true, the SSL cert validation will be skipped.", "type": "boolean" }, "startTls": { "description": "(Boolean) If set to true, use LDAP with STARTTLS instead of LDAPS.\nIf set to true, use LDAP with STARTTLS instead of LDAPS.", "type": "boolean" }, "timeout": { "description": "(Number) The timeout in seconds for connecting to the LDAP host.\nThe timeout in seconds for connecting to the LDAP host.", "type": "number" }, "tlsCiphers": { "description": "(List of String) Accepted TLS ciphers. For a complete list of supported ciphers, refer to: https://go.dev/src/crypto/tls/cipher_suites.go.\nAccepted TLS ciphers. For a complete list of supported ciphers, refer to: https://go.dev/src/crypto/tls/cipher_suites.go.", "items": { "type": "string" }, "type": "array" }, "useSsl": { "description": "(Boolean) Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS).\nSet to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS).", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "enabled": { "description": "(Boolean) Define whether this configuration is enabled for LDAP. Defaults to true.\nDefine whether this configuration is enabled for LDAP. Defaults to `true`.", "type": "boolean" }, "skipOrgRoleSync": { "description": "(Boolean) Prevent synchronizing users\u2019 organization roles from LDAP.\nPrevent synchronizing users\u2019 organization roles from LDAP.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "oauth2Settings": { "description": "(Block Set, Max: 1) The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers. (see below for nested schema)\nThe OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.", "items": { "properties": { "allowAssignGrafanaAdmin": { "description": "(Boolean) If enabled, it will automatically sync the Grafana server administrator role.\nIf enabled, it will automatically sync the Grafana server administrator role.", "type": "boolean" }, "allowSignUp": { "description": "(Boolean) Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.\nIf not enabled, only existing Grafana users can log in using OAuth.", "type": "boolean" }, "allowedDomains": { "description": "or space-separated domains. The user should belong to at least one domain to log in.\nList of comma- or space-separated domains. The user should belong to at least one domain to log in.", "type": "string" }, "allowedGroups": { "description": "or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.\nList of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.", "type": "string" }, "allowedOrganizations": { "description": "or space-separated organizations. The user should be a member of at least one organization to log in.\nList of comma- or space-separated organizations. The user should be a member of at least one organization to log in.", "type": "string" }, "apiUrl": { "description": "(String) The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.\nThe user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.", "type": "string" }, "authStyle": { "description": "(String) It determines how client_id and client_secret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.\nIt determines how client_id and client_secret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.", "type": "string" }, "authUrl": { "description": "(String) The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.\nThe authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.", "type": "string" }, "autoLogin": { "description": "(Boolean) Log in automatically, skipping the login screen.\nLog in automatically, skipping the login screen.", "type": "boolean" }, "clientId": { "description": "(String) The client Id of your OAuth2 app.\nThe client Id of your OAuth2 app.", "type": "string" }, "clientSecretSecretRef": { "description": "(String, Sensitive) The client secret of your OAuth2 app.\nThe client secret of your OAuth2 app.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "custom": { "additionalProperties": { "type": "string" }, "description": "(Map of String) Custom fields to configure for OAuth2 such as the force_use_graph_api field.\nCustom fields to configure for OAuth2 such as the [force_use_graph_api](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/azuread/#force-fetching-groups-from-microsoft-graph-api) field.", "type": "object", "x-kubernetes-map-type": "granular" }, "defineAllowedGroups": { "description": "(Boolean) Define allowed groups.\nDefine allowed groups.", "type": "boolean" }, "defineAllowedTeamsIds": { "description": "(Boolean) Define allowed teams ids.\nDefine allowed teams ids.", "type": "boolean" }, "emailAttributeName": { "description": "(String) Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.\nName of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.", "type": "string" }, "emailAttributePath": { "description": "(String) JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.\nJMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.", "type": "string" }, "emptyScopes": { "description": "(Boolean) If enabled, no scopes will be sent to the OAuth2 provider.\nIf enabled, no scopes will be sent to the OAuth2 provider.", "type": "boolean" }, "enabled": { "description": "(Boolean) Define whether this configuration is enabled for LDAP. Defaults to true.\nDefine whether this configuration is enabled for the specified provider. Defaults to `true`.", "type": "boolean" }, "groupsAttributePath": { "description": "(String) JMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.\nJMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.", "type": "string" }, "idTokenAttributeName": { "description": "(String) The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.\nThe name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.", "type": "string" }, "loginAttributePath": { "description": "(String) JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.\nJMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.", "type": "string" }, "loginPrompt": { "description": "(String) Indicates the type of user interaction when the user logs in with the IdP. Available values are login, consent and select_account.\nIndicates the type of user interaction when the user logs in with the IdP. Available values are `login`, `consent` and `select_account`.", "type": "string" }, "name": { "description": "(String) Helpful if you use more than one identity providers or SSO protocols.\nHelpful if you use more than one identity providers or SSO protocols.", "type": "string" }, "nameAttributePath": { "description": "(String) JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user\u2019s display name. Only applicable to Generic OAuth.\nJMESPath expression to use for user name lookup from the user ID token. This name will be used as the user\u2019s display name. Only applicable to Generic OAuth.", "type": "string" }, "orgAttributePath": { "description": "(String) JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match \"Organization\" in the \"org_mapping\"). Only applicable to Generic OAuth and Okta.\nJMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match \"Organization\" in the \"org_mapping\"). Only applicable to Generic OAuth and Okta.", "type": "string" }, "orgMapping": { "description": "or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning \u201cAll users\u201d. Role is optional and can have the following values: None, Viewer, Editor or Admin.\nList of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning \u201cAll users\u201d. Role is optional and can have the following values: None, Viewer, Editor or Admin.", "type": "string" }, "roleAttributePath": { "description": "(String) JMESPath expression to use for Grafana role lookup.\nJMESPath expression to use for Grafana role lookup.", "type": "string" }, "roleAttributeStrict": { "description": "(Boolean) If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.\nIf enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.", "type": "boolean" }, "scopes": { "description": "or space-separated OAuth2 scopes.\nList of comma- or space-separated OAuth2 scopes.", "type": "string" }, "signoutRedirectUrl": { "description": "(String) The URL to redirect the user to after signing out from Grafana.\nThe URL to redirect the user to after signing out from Grafana.", "type": "string" }, "skipOrgRoleSync": { "description": "(Boolean) Prevent synchronizing users\u2019 organization roles from LDAP.\nPrevent synchronizing users\u2019 organization roles from your IdP.", "type": "boolean" }, "teamIds": { "description": "(String) String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.\nString list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.", "type": "string" }, "teamIdsAttributePath": { "description": "(String) The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.\nThe JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.", "type": "string" }, "teamsUrl": { "description": "(String) The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.\nThe URL used to query for Team Ids. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.", "type": "string" }, "tlsClientCa": { "description": "(String) The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.\nThe path to the trusted certificate authority list. Is not applicable on Grafana Cloud.", "type": "string" }, "tlsClientCert": { "description": "(String) The path to the certificate. Is not applicable on Grafana Cloud.\nThe path to the certificate. Is not applicable on Grafana Cloud.", "type": "string" }, "tlsClientKey": { "description": "(String) The path to the key. Is not applicable on Grafana Cloud.\nThe path to the key. Is not applicable on Grafana Cloud.", "type": "string" }, "tlsSkipVerifyInsecure": { "description": "in-the-middle attacks.\nIf enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.", "type": "boolean" }, "tokenUrl": { "description": "(String) The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.\nThe token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.", "type": "string" }, "usePkce": { "description": "(Boolean) If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.\nIf enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.", "type": "boolean" }, "useRefreshToken": { "description": "(Boolean) If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.\nIf enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "providerName": { "description": "(String) The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.\nThe name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.", "type": "string" }, "samlSettings": { "description": "(Block Set, Max: 1) The SAML settings set. Required for the saml provider. (see below for nested schema)\nThe SAML settings set. Required for the saml provider.", "items": { "properties": { "allowIdpInitiated": { "description": "initiated login is allowed.\nWhether SAML IdP-initiated login is allowed.", "type": "boolean" }, "allowSignUp": { "description": "(Boolean) Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.\nWhether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.", "type": "boolean" }, "allowedOrganizations": { "description": "or space-separated organizations. The user should be a member of at least one organization to log in.\nList of comma- or space-separated organizations. User should be a member of at least one organization to log in.", "type": "string" }, "assertionAttributeEmail": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user email.\nFriendly name or name of the attribute within the SAML assertion to use as the user email.", "type": "string" }, "assertionAttributeExternalUid": { "description": "(String) Friendly name of the attribute within the SAML assertion to use as the external user ID. Only used for SCIM provisioned users.\nFriendly name of the attribute within the SAML assertion to use as the external user ID. Only used for SCIM provisioned users.", "type": "string" }, "assertionAttributeGroups": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user groups.\nFriendly name or name of the attribute within the SAML assertion to use as the user groups.", "type": "string" }, "assertionAttributeLogin": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user login handle.\nFriendly name or name of the attribute within the SAML assertion to use as the user login handle.", "type": "string" }, "assertionAttributeName": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.\nFriendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.", "type": "string" }, "assertionAttributeOrg": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user organization.\nFriendly name or name of the attribute within the SAML assertion to use as the user organization.", "type": "string" }, "assertionAttributeRole": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user roles.\nFriendly name or name of the attribute within the SAML assertion to use as the user roles.", "type": "string" }, "autoLogin": { "description": "(Boolean) Log in automatically, skipping the login screen.\nWhether SAML auto login is enabled.", "type": "boolean" }, "certificatePath": { "description": "(String) Path for the SP X.509 certificate.\nPath for the SP X.509 certificate.", "type": "string" }, "certificateSecretRef": { "description": "encoded string for the SP X.509 certificate.\nBase64-encoded string for the SP X.509 certificate.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "clientId": { "description": "(String) The client Id of your OAuth2 app.\nThe client Id of your OAuth2 app.", "type": "string" }, "clientSecret": { "description": "(String, Sensitive) The client secret of your OAuth2 app.\nThe client secret of your OAuth2 app.", "type": "string" }, "enabled": { "description": "(Boolean) Define whether this configuration is enabled for LDAP. Defaults to true.\nDefine whether this configuration is enabled for SAML. Defaults to `true`.", "type": "boolean" }, "entityId": { "description": "(String) The entity ID is a globally unique identifier for the service provider. It is used to identify the service provider to the identity provider. Defaults to the URL of the Grafana instance if not set.\nThe entity ID is a globally unique identifier for the service provider. It is used to identify the service provider to the identity provider. Defaults to the URL of the Grafana instance if not set.", "type": "string" }, "forceUseGraphApi": { "description": "(Boolean) If enabled, Grafana will fetch groups from Microsoft Graph API instead of using the groups claim from the ID token.\nIf enabled, Grafana will fetch groups from Microsoft Graph API instead of using the groups claim from the ID token.", "type": "boolean" }, "idpMetadata": { "description": "encoded string for the IdP SAML metadata XML.\nBase64-encoded string for the IdP SAML metadata XML.", "type": "string" }, "idpMetadataPath": { "description": "(String) Path for the IdP SAML metadata XML.\nPath for the IdP SAML metadata XML.", "type": "string" }, "idpMetadataUrl": { "description": "(String) URL for the IdP SAML metadata XML.\nURL for the IdP SAML metadata XML.", "type": "string" }, "maxIssueDelay": { "description": "(String) Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.\nDuration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.", "type": "string" }, "metadataValidDuration": { "description": "(String) Duration, for how long the SP metadata is valid. For example: 48h, 5d.\nDuration, for how long the SP metadata is valid. For example: 48h, 5d.", "type": "string" }, "name": { "description": "(String) Helpful if you use more than one identity providers or SSO protocols.\nName used to refer to the SAML authentication.", "type": "string" }, "nameIdFormat": { "description": "format:transient\nThe Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "type": "string" }, "orgMapping": { "description": "or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning \u201cAll users\u201d. Role is optional and can have the following values: None, Viewer, Editor or Admin.\nList of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning \u201cAll users\u201d. Role is optional and can have the following values: Viewer, Editor or Admin.", "type": "string" }, "privateKeyPath": { "description": "(String) Path for the SP private key.\nPath for the SP private key.", "type": "string" }, "privateKeySecretRef": { "description": "encoded string for the SP private key.\nBase64-encoded string for the SP private key.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "key", "name", "namespace" ], "type": "object", "additionalProperties": false }, "relayState": { "description": "initiated login. Should match relay state configured in IdP.\nRelay state for IdP-initiated login. Should match relay state configured in IdP.", "type": "string" }, "roleValuesAdmin": { "description": "or space-separated roles which will be mapped into the Admin role.\nList of comma- or space-separated roles which will be mapped into the Admin role.", "type": "string" }, "roleValuesEditor": { "description": "or space-separated roles which will be mapped into the Editor role.\nList of comma- or space-separated roles which will be mapped into the Editor role.", "type": "string" }, "roleValuesGrafanaAdmin": { "description": "or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.\nList of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.", "type": "string" }, "roleValuesNone": { "description": "or space-separated roles which will be mapped into the None role.\nList of comma- or space-separated roles which will be mapped into the None role.", "type": "string" }, "roleValuesViewer": { "description": "or space-separated roles which will be mapped into the Viewer role.\nList of comma- or space-separated roles which will be mapped into the Viewer role.", "type": "string" }, "signatureAlgorithm": { "description": "sha1, rsa-sha256, rsa-sha512.\nSignature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.", "type": "string" }, "singleLogout": { "description": "(Boolean) Whether SAML Single Logout is enabled.\nWhether SAML Single Logout is enabled.", "type": "boolean" }, "skipOrgRoleSync": { "description": "(Boolean) Prevent synchronizing users\u2019 organization roles from LDAP.\nPrevent synchronizing users\u2019 organization roles from your IdP.", "type": "boolean" }, "tokenUrl": { "description": "(String) The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.\nThe token endpoint of your OAuth2 provider. Required for Azure AD providers.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "managementPolicies": { "default": [ "*" ], "description": "THIS IS A BETA FIELD. It is on by default but can be opted out\nthrough a Crossplane feature flag.\nManagementPolicies specify the array of actions Crossplane is allowed to\ntake on the managed and external resources.\nThis field is planned to replace the DeletionPolicy field in a future\nrelease. Currently, both could be set independently and non-default\nvalues would be honored if the feature flag is enabled. If both are\ncustom, the DeletionPolicy field will be ignored.\nSee the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223\nand this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md", "items": { "description": "A ManagementAction represents an action that the Crossplane controllers\ncan take on an external resource.", "enum": [ "Observe", "Create", "Update", "Delete", "LateInitialize", "*" ], "type": "string" }, "type": "array" }, "providerConfigRef": { "default": { "name": "default" }, "description": "ProviderConfigReference specifies how the provider that will be used to\ncreate, observe, update, and delete this managed resource should be\nconfigured.", "properties": { "name": { "description": "Name of the referenced object.", "type": "string" }, "policy": { "description": "Policies for referencing.", "properties": { "resolution": { "default": "Required", "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.", "enum": [ "Required", "Optional" ], "type": "string" }, "resolve": { "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.", "enum": [ "Always", "IfNotPresent" ], "type": "string" } }, "type": "object", "additionalProperties": false } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "publishConnectionDetailsTo": { "description": "PublishConnectionDetailsTo specifies the connection secret config which\ncontains a name, metadata and a reference to secret store config to\nwhich any connection details for this managed resource should be written.\nConnection details frequently include the endpoint, username,\nand password required to connect to the managed resource.", "properties": { "configRef": { "default": { "name": "default" }, "description": "SecretStoreConfigRef specifies which secret store config should be used\nfor this ConnectionSecret.", "properties": { "name": { "description": "Name of the referenced object.", "type": "string" }, "policy": { "description": "Policies for referencing.", "properties": { "resolution": { "default": "Required", "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.", "enum": [ "Required", "Optional" ], "type": "string" }, "resolve": { "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.", "enum": [ "Always", "IfNotPresent" ], "type": "string" } }, "type": "object", "additionalProperties": false } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "metadata": { "description": "Metadata is the metadata for connection secret.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations are the annotations to be added to connection secret.\n- For Kubernetes secrets, this will be used as \"metadata.annotations\".\n- It is up to Secret Store implementation for others store types.", "type": "object" }, "labels": { "additionalProperties": { "type": "string" }, "description": "Labels are the labels/tags to be added to connection secret.\n- For Kubernetes secrets, this will be used as \"metadata.labels\".\n- It is up to Secret Store implementation for others store types.", "type": "object" }, "type": { "description": "Type is the SecretType for the connection secret.\n- Only valid for Kubernetes Secret Stores.", "type": "string" } }, "type": "object", "additionalProperties": false }, "name": { "description": "Name is the name of the connection secret.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "writeConnectionSecretToRef": { "description": "WriteConnectionSecretToReference specifies the namespace and name of a\nSecret to which any connection details for this managed resource should\nbe written. Connection details frequently include the endpoint, username,\nand password required to connect to the managed resource.\nThis field is planned to be replaced in a future release in favor of\nPublishConnectionDetailsTo. Currently, both could be set independently\nand connection details would be published to both without affecting\neach other.", "properties": { "name": { "description": "Name of the secret.", "type": "string" }, "namespace": { "description": "Namespace of the secret.", "type": "string" } }, "required": [ "name", "namespace" ], "type": "object", "additionalProperties": false } }, "required": [ "forProvider" ], "type": "object", "x-kubernetes-validations": [ { "message": "spec.forProvider.providerName is a required parameter", "rule": "!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.providerName) || (has(self.initProvider) && has(self.initProvider.providerName))" } ], "additionalProperties": false }, "status": { "description": "SsoSettingsStatus defines the observed state of SsoSettings.", "properties": { "atProvider": { "properties": { "id": { "description": "(String) The ID of this resource.", "type": "string" }, "ldapSettings": { "description": "(Block Set, Max: 1) The LDAP settings set. Required for the ldap provider. (see below for nested schema)\nThe LDAP settings set. Required for the ldap provider.", "items": { "properties": { "allowSignUp": { "description": "(Boolean) Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.\nWhether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.", "type": "boolean" }, "config": { "description": "(Block List, Min: 1, Max: 1) The LDAP configuration. (see below for nested schema)\nThe LDAP configuration.", "items": { "properties": { "servers": { "description": "(Block List, Min: 1) The LDAP servers configuration. (see below for nested schema)\nThe LDAP servers configuration.", "items": { "properties": { "attributes": { "additionalProperties": { "type": "string" }, "description": "(Map of String) The LDAP server attributes. The following attributes can be configured: email, member_of, name, surname, username.\nThe LDAP server attributes. The following attributes can be configured: email, member_of, name, surname, username.", "type": "object", "x-kubernetes-map-type": "granular" }, "bindDn": { "description": "(String) The search user bind DN.\nThe search user bind DN.", "type": "string" }, "clientCert": { "description": "(String) The path to the client certificate.\nThe path to the client certificate.", "type": "string" }, "clientCertValue": { "description": "(String) The Base64 encoded value of the client certificate.\nThe Base64 encoded value of the client certificate.", "type": "string" }, "groupMappings": { "description": "(Block List) For mapping an LDAP group to a Grafana organization and role. (see below for nested schema)\nFor mapping an LDAP group to a Grafana organization and role.", "items": { "properties": { "grafanaAdmin": { "description": "(Boolean) If set to true, it makes the user of group_dn Grafana server admin.\nIf set to true, it makes the user of group_dn Grafana server admin.", "type": "boolean" }, "groupDn": { "description": "(String) LDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard (\"*\").\nLDAP distinguished name (DN) of LDAP group. If you want to match all (or no LDAP groups) then you can use wildcard (\"*\").", "type": "string" }, "orgId": { "description": "(Number) The Grafana organization database id.\nThe Grafana organization database id.", "type": "number" }, "orgRole": { "description": "(String) Assign users of group_dn the organization role Admin, Editor, or Viewer.\nAssign users of group_dn the organization role Admin, Editor, or Viewer.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "groupSearchBaseDns": { "description": "(List of String) An array of the base DNs to search through for groups. Typically uses ou=groups.\nAn array of the base DNs to search through for groups. Typically uses ou=groups.", "items": { "type": "string" }, "type": "array" }, "groupSearchFilter": { "description": "(String) Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).\nGroup search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available).", "type": "string" }, "groupSearchFilterUserAttribute": { "description": "(String) The %s in the search filter will be replaced with the attribute defined in this field.\nThe %s in the search filter will be replaced with the attribute defined in this field.", "type": "string" }, "host": { "description": "(String) The LDAP server host.\nThe LDAP server host.", "type": "string" }, "minTlsVersion": { "description": "(String) Minimum TLS version allowed. Accepted values are: TLS1.2, TLS1.3.\nMinimum TLS version allowed. Accepted values are: TLS1.2, TLS1.3.", "type": "string" }, "port": { "description": "(Number) The LDAP server port.\nThe LDAP server port.", "type": "number" }, "rootCaCert": { "description": "(String) The path to the root CA certificate.\nThe path to the root CA certificate.", "type": "string" }, "rootCaCertValue": { "description": "(List of String) The Base64 encoded values of the root CA certificates.\nThe Base64 encoded values of the root CA certificates.", "items": { "type": "string" }, "type": "array" }, "searchBaseDns": { "description": "(List of String) An array of base DNs to search through.\nAn array of base DNs to search through.", "items": { "type": "string" }, "type": "array" }, "searchFilter": { "description": "(String) The user search filter, for example \"(cn=%s)\" or \"(sAMAccountName=%s)\" or \"(uid=%s)\".\nThe user search filter, for example \"(cn=%s)\" or \"(sAMAccountName=%s)\" or \"(uid=%s)\".", "type": "string" }, "sslSkipVerify": { "description": "(Boolean) If set to true, the SSL cert validation will be skipped.\nIf set to true, the SSL cert validation will be skipped.", "type": "boolean" }, "startTls": { "description": "(Boolean) If set to true, use LDAP with STARTTLS instead of LDAPS.\nIf set to true, use LDAP with STARTTLS instead of LDAPS.", "type": "boolean" }, "timeout": { "description": "(Number) The timeout in seconds for connecting to the LDAP host.\nThe timeout in seconds for connecting to the LDAP host.", "type": "number" }, "tlsCiphers": { "description": "(List of String) Accepted TLS ciphers. For a complete list of supported ciphers, refer to: https://go.dev/src/crypto/tls/cipher_suites.go.\nAccepted TLS ciphers. For a complete list of supported ciphers, refer to: https://go.dev/src/crypto/tls/cipher_suites.go.", "items": { "type": "string" }, "type": "array" }, "useSsl": { "description": "(Boolean) Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS).\nSet to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS).", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "enabled": { "description": "(Boolean) Define whether this configuration is enabled for LDAP. Defaults to true.\nDefine whether this configuration is enabled for LDAP. Defaults to `true`.", "type": "boolean" }, "skipOrgRoleSync": { "description": "(Boolean) Prevent synchronizing users\u2019 organization roles from LDAP.\nPrevent synchronizing users\u2019 organization roles from LDAP.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "oauth2Settings": { "description": "(Block Set, Max: 1) The OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers. (see below for nested schema)\nThe OAuth2 settings set. Required for github, gitlab, google, azuread, okta, generic_oauth providers.", "items": { "properties": { "allowAssignGrafanaAdmin": { "description": "(Boolean) If enabled, it will automatically sync the Grafana server administrator role.\nIf enabled, it will automatically sync the Grafana server administrator role.", "type": "boolean" }, "allowSignUp": { "description": "(Boolean) Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.\nIf not enabled, only existing Grafana users can log in using OAuth.", "type": "boolean" }, "allowedDomains": { "description": "or space-separated domains. The user should belong to at least one domain to log in.\nList of comma- or space-separated domains. The user should belong to at least one domain to log in.", "type": "string" }, "allowedGroups": { "description": "or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.\nList of comma- or space-separated groups. The user should be a member of at least one group to log in. For Generic OAuth, if you configure allowed_groups, you must also configure groups_attribute_path.", "type": "string" }, "allowedOrganizations": { "description": "or space-separated organizations. The user should be a member of at least one organization to log in.\nList of comma- or space-separated organizations. The user should be a member of at least one organization to log in.", "type": "string" }, "apiUrl": { "description": "(String) The user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.\nThe user information endpoint of your OAuth2 provider. Required for okta and generic_oauth providers.", "type": "string" }, "authStyle": { "description": "(String) It determines how client_id and client_secret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.\nIt determines how client_id and client_secret are sent to Oauth2 provider. Possible values are AutoDetect, InParams, InHeader. Default is AutoDetect.", "type": "string" }, "authUrl": { "description": "(String) The authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.\nThe authorization endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.", "type": "string" }, "autoLogin": { "description": "(Boolean) Log in automatically, skipping the login screen.\nLog in automatically, skipping the login screen.", "type": "boolean" }, "clientId": { "description": "(String) The client Id of your OAuth2 app.\nThe client Id of your OAuth2 app.", "type": "string" }, "custom": { "additionalProperties": { "type": "string" }, "description": "(Map of String) Custom fields to configure for OAuth2 such as the force_use_graph_api field.\nCustom fields to configure for OAuth2 such as the [force_use_graph_api](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/azuread/#force-fetching-groups-from-microsoft-graph-api) field.", "type": "object", "x-kubernetes-map-type": "granular" }, "defineAllowedGroups": { "description": "(Boolean) Define allowed groups.\nDefine allowed groups.", "type": "boolean" }, "defineAllowedTeamsIds": { "description": "(Boolean) Define allowed teams ids.\nDefine allowed teams ids.", "type": "boolean" }, "emailAttributeName": { "description": "(String) Name of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.\nName of the key to use for user email lookup within the attributes map of OAuth2 ID token. Only applicable to Generic OAuth.", "type": "string" }, "emailAttributePath": { "description": "(String) JMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.\nJMESPath expression to use for user email lookup from the user information. Only applicable to Generic OAuth.", "type": "string" }, "emptyScopes": { "description": "(Boolean) If enabled, no scopes will be sent to the OAuth2 provider.\nIf enabled, no scopes will be sent to the OAuth2 provider.", "type": "boolean" }, "enabled": { "description": "(Boolean) Define whether this configuration is enabled for LDAP. Defaults to true.\nDefine whether this configuration is enabled for the specified provider. Defaults to `true`.", "type": "boolean" }, "groupsAttributePath": { "description": "(String) JMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.\nJMESPath expression to use for user group lookup. If you configure allowed_groups, you must also configure groups_attribute_path.", "type": "string" }, "idTokenAttributeName": { "description": "(String) The name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.\nThe name of the key used to extract the ID token from the returned OAuth2 token. Only applicable to Generic OAuth.", "type": "string" }, "loginAttributePath": { "description": "(String) JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.\nJMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.", "type": "string" }, "loginPrompt": { "description": "(String) Indicates the type of user interaction when the user logs in with the IdP. Available values are login, consent and select_account.\nIndicates the type of user interaction when the user logs in with the IdP. Available values are `login`, `consent` and `select_account`.", "type": "string" }, "name": { "description": "(String) Helpful if you use more than one identity providers or SSO protocols.\nHelpful if you use more than one identity providers or SSO protocols.", "type": "string" }, "nameAttributePath": { "description": "(String) JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user\u2019s display name. Only applicable to Generic OAuth.\nJMESPath expression to use for user name lookup from the user ID token. This name will be used as the user\u2019s display name. Only applicable to Generic OAuth.", "type": "string" }, "orgAttributePath": { "description": "(String) JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match \"Organization\" in the \"org_mapping\"). Only applicable to Generic OAuth and Okta.\nJMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match \"Organization\" in the \"org_mapping\"). Only applicable to Generic OAuth and Okta.", "type": "string" }, "orgMapping": { "description": "or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning \u201cAll users\u201d. Role is optional and can have the following values: None, Viewer, Editor or Admin.\nList of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning \u201cAll users\u201d. Role is optional and can have the following values: None, Viewer, Editor or Admin.", "type": "string" }, "roleAttributePath": { "description": "(String) JMESPath expression to use for Grafana role lookup.\nJMESPath expression to use for Grafana role lookup.", "type": "string" }, "roleAttributeStrict": { "description": "(Boolean) If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.\nIf enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.", "type": "boolean" }, "scopes": { "description": "or space-separated OAuth2 scopes.\nList of comma- or space-separated OAuth2 scopes.", "type": "string" }, "signoutRedirectUrl": { "description": "(String) The URL to redirect the user to after signing out from Grafana.\nThe URL to redirect the user to after signing out from Grafana.", "type": "string" }, "skipOrgRoleSync": { "description": "(Boolean) Prevent synchronizing users\u2019 organization roles from LDAP.\nPrevent synchronizing users\u2019 organization roles from your IdP.", "type": "boolean" }, "teamIds": { "description": "(String) String list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.\nString list of Team Ids. If set, the user must be a member of one of the given teams to log in. If you configure team_ids, you must also configure teams_url and team_ids_attribute_path.", "type": "string" }, "teamIdsAttributePath": { "description": "(String) The JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.\nThe JMESPath expression to use for Grafana Team Id lookup within the results returned by the teams_url endpoint. Only applicable to Generic OAuth.", "type": "string" }, "teamsUrl": { "description": "(String) The URL used to query for Team Ids. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.\nThe URL used to query for Team Ids. If not set, the default value is /teams. If you configure teams_url, you must also configure team_ids_attribute_path. Only applicable to Generic OAuth.", "type": "string" }, "tlsClientCa": { "description": "(String) The path to the trusted certificate authority list. Is not applicable on Grafana Cloud.\nThe path to the trusted certificate authority list. Is not applicable on Grafana Cloud.", "type": "string" }, "tlsClientCert": { "description": "(String) The path to the certificate. Is not applicable on Grafana Cloud.\nThe path to the certificate. Is not applicable on Grafana Cloud.", "type": "string" }, "tlsClientKey": { "description": "(String) The path to the key. Is not applicable on Grafana Cloud.\nThe path to the key. Is not applicable on Grafana Cloud.", "type": "string" }, "tlsSkipVerifyInsecure": { "description": "in-the-middle attacks.\nIf enabled, the client accepts any certificate presented by the server and any host name in that certificate. You should only use this for testing, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.", "type": "boolean" }, "tokenUrl": { "description": "(String) The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.\nThe token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.", "type": "string" }, "usePkce": { "description": "(Boolean) If enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.\nIf enabled, Grafana will use Proof Key for Code Exchange (PKCE) with the OAuth2 Authorization Code Grant.", "type": "boolean" }, "useRefreshToken": { "description": "(Boolean) If enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.\nIf enabled, Grafana will fetch a new access token using the refresh token provided by the OAuth2 provider.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "providerName": { "description": "(String) The name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.\nThe name of the SSO provider. Supported values: github, gitlab, google, azuread, okta, generic_oauth, saml, ldap.", "type": "string" }, "samlSettings": { "description": "(Block Set, Max: 1) The SAML settings set. Required for the saml provider. (see below for nested schema)\nThe SAML settings set. Required for the saml provider.", "items": { "properties": { "allowIdpInitiated": { "description": "initiated login is allowed.\nWhether SAML IdP-initiated login is allowed.", "type": "boolean" }, "allowSignUp": { "description": "(Boolean) Whether to allow new Grafana user creation through LDAP login. If set to false, then only existing Grafana users can log in with LDAP.\nWhether to allow new Grafana user creation through SAML login. If set to false, then only existing Grafana users can log in with SAML.", "type": "boolean" }, "allowedOrganizations": { "description": "or space-separated organizations. The user should be a member of at least one organization to log in.\nList of comma- or space-separated organizations. User should be a member of at least one organization to log in.", "type": "string" }, "assertionAttributeEmail": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user email.\nFriendly name or name of the attribute within the SAML assertion to use as the user email.", "type": "string" }, "assertionAttributeExternalUid": { "description": "(String) Friendly name of the attribute within the SAML assertion to use as the external user ID. Only used for SCIM provisioned users.\nFriendly name of the attribute within the SAML assertion to use as the external user ID. Only used for SCIM provisioned users.", "type": "string" }, "assertionAttributeGroups": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user groups.\nFriendly name or name of the attribute within the SAML assertion to use as the user groups.", "type": "string" }, "assertionAttributeLogin": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user login handle.\nFriendly name or name of the attribute within the SAML assertion to use as the user login handle.", "type": "string" }, "assertionAttributeName": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.\nFriendly name or name of the attribute within the SAML assertion to use as the user name. Alternatively, this can be a template with variables that match the names of attributes within the SAML assertion.", "type": "string" }, "assertionAttributeOrg": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user organization.\nFriendly name or name of the attribute within the SAML assertion to use as the user organization.", "type": "string" }, "assertionAttributeRole": { "description": "(String) Friendly name or name of the attribute within the SAML assertion to use as the user roles.\nFriendly name or name of the attribute within the SAML assertion to use as the user roles.", "type": "string" }, "autoLogin": { "description": "(Boolean) Log in automatically, skipping the login screen.\nWhether SAML auto login is enabled.", "type": "boolean" }, "certificatePath": { "description": "(String) Path for the SP X.509 certificate.\nPath for the SP X.509 certificate.", "type": "string" }, "clientId": { "description": "(String) The client Id of your OAuth2 app.\nThe client Id of your OAuth2 app.", "type": "string" }, "clientSecret": { "description": "(String, Sensitive) The client secret of your OAuth2 app.\nThe client secret of your OAuth2 app.", "type": "string" }, "enabled": { "description": "(Boolean) Define whether this configuration is enabled for LDAP. Defaults to true.\nDefine whether this configuration is enabled for SAML. Defaults to `true`.", "type": "boolean" }, "entityId": { "description": "(String) The entity ID is a globally unique identifier for the service provider. It is used to identify the service provider to the identity provider. Defaults to the URL of the Grafana instance if not set.\nThe entity ID is a globally unique identifier for the service provider. It is used to identify the service provider to the identity provider. Defaults to the URL of the Grafana instance if not set.", "type": "string" }, "forceUseGraphApi": { "description": "(Boolean) If enabled, Grafana will fetch groups from Microsoft Graph API instead of using the groups claim from the ID token.\nIf enabled, Grafana will fetch groups from Microsoft Graph API instead of using the groups claim from the ID token.", "type": "boolean" }, "idpMetadata": { "description": "encoded string for the IdP SAML metadata XML.\nBase64-encoded string for the IdP SAML metadata XML.", "type": "string" }, "idpMetadataPath": { "description": "(String) Path for the IdP SAML metadata XML.\nPath for the IdP SAML metadata XML.", "type": "string" }, "idpMetadataUrl": { "description": "(String) URL for the IdP SAML metadata XML.\nURL for the IdP SAML metadata XML.", "type": "string" }, "maxIssueDelay": { "description": "(String) Duration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.\nDuration, since the IdP issued a response and the SP is allowed to process it. For example: 90s, 1h.", "type": "string" }, "metadataValidDuration": { "description": "(String) Duration, for how long the SP metadata is valid. For example: 48h, 5d.\nDuration, for how long the SP metadata is valid. For example: 48h, 5d.", "type": "string" }, "name": { "description": "(String) Helpful if you use more than one identity providers or SSO protocols.\nName used to refer to the SAML authentication.", "type": "string" }, "nameIdFormat": { "description": "format:transient\nThe Name ID Format to request within the SAML assertion. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "type": "string" }, "orgMapping": { "description": "or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning \u201cAll users\u201d. Role is optional and can have the following values: None, Viewer, Editor or Admin.\nList of comma- or space-separated Organization:OrgId:Role mappings. Organization can be * meaning \u201cAll users\u201d. Role is optional and can have the following values: Viewer, Editor or Admin.", "type": "string" }, "privateKeyPath": { "description": "(String) Path for the SP private key.\nPath for the SP private key.", "type": "string" }, "relayState": { "description": "initiated login. Should match relay state configured in IdP.\nRelay state for IdP-initiated login. Should match relay state configured in IdP.", "type": "string" }, "roleValuesAdmin": { "description": "or space-separated roles which will be mapped into the Admin role.\nList of comma- or space-separated roles which will be mapped into the Admin role.", "type": "string" }, "roleValuesEditor": { "description": "or space-separated roles which will be mapped into the Editor role.\nList of comma- or space-separated roles which will be mapped into the Editor role.", "type": "string" }, "roleValuesGrafanaAdmin": { "description": "or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.\nList of comma- or space-separated roles which will be mapped into the Grafana Admin (Super Admin) role.", "type": "string" }, "roleValuesNone": { "description": "or space-separated roles which will be mapped into the None role.\nList of comma- or space-separated roles which will be mapped into the None role.", "type": "string" }, "roleValuesViewer": { "description": "or space-separated roles which will be mapped into the Viewer role.\nList of comma- or space-separated roles which will be mapped into the Viewer role.", "type": "string" }, "signatureAlgorithm": { "description": "sha1, rsa-sha256, rsa-sha512.\nSignature algorithm used for signing requests to the IdP. Supported values are rsa-sha1, rsa-sha256, rsa-sha512.", "type": "string" }, "singleLogout": { "description": "(Boolean) Whether SAML Single Logout is enabled.\nWhether SAML Single Logout is enabled.", "type": "boolean" }, "skipOrgRoleSync": { "description": "(Boolean) Prevent synchronizing users\u2019 organization roles from LDAP.\nPrevent synchronizing users\u2019 organization roles from your IdP.", "type": "boolean" }, "tokenUrl": { "description": "(String) The token endpoint of your OAuth2 provider. Required for azuread, okta and generic_oauth providers.\nThe token endpoint of your OAuth2 provider. Required for Azure AD providers.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "conditions": { "description": "Conditions of the resource.", "items": { "description": "A Condition that may apply to a resource.", "properties": { "lastTransitionTime": { "description": "LastTransitionTime is the last time this condition transitioned from one\nstatus to another.", "format": "date-time", "type": "string" }, "message": { "description": "A Message containing details about this condition's last transition from\none status to another, if any.", "type": "string" }, "observedGeneration": { "description": "ObservedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "type": "integer" }, "reason": { "description": "A Reason for this condition's last transition from one status to another.", "type": "string" }, "status": { "description": "Status of this condition; is it currently True, False, or Unknown?", "type": "string" }, "type": { "description": "Type of this condition. At most one of each condition type may apply to\na resource at any point in time.", "type": "string" } }, "required": [ "lastTransitionTime", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "type" ], "x-kubernetes-list-type": "map" }, "observedGeneration": { "description": "ObservedGeneration is the latest metadata.generation\nwhich resulted in either a ready state, or stalled due to error\nit can not recover from without human intervention.", "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false } }, "required": [ "spec" ], "type": "object" }