Oracle SSO for Sauron Endpoints

Use this page to enable Oracle Single Sign-On (SSO) for Sauron UI endpoints and restrict access with Oracle Identity Manager (OIM) entitlements.

SSO access uses OIM entitlements to map users to Sauron roles. Create and verify the OIM entitlement model before enabling Global SSO.

Who does what?
Task Who usually does it
Decide which users need Admin, Viewer, or Grafana Editor access Sauron owner or customer team
Create new Sauron OIM entitlements Sauron team
Approve or add users to existing OIM entitlements OIM entitlement approver
Enable Global SSO for the Sauron Sauron admin through the Sauron API
Sign out and back in after an entitlement change Affected user
Before you enable SSO

Check these items first:

  1. OIM entitlements exist for the team.
  2. Users know whether they need Admin, Viewer, or Grafana Editor access.
  3. Required users have requested or received the correct entitlement.
  4. You know the ssoGroup value to use for the Sauron.
  5. You have access to the Sauron API endpoint.

When Global SSO is enabled, restricting access using OIM entitlements is mandatory.

HTTP basic authentication credentials still work after SSO is enabled for Sauron endpoints.

OIM role behavior

If a user belongs to multiple OIM entitlements, the higher-privileged role takes precedence. For example, if a Grafana user belongs to both [Team]Editor and [Team]Viewer, the user is assigned the [Team]Editor role.

Entitlement Access
[Team]Admin Full access to the Sauron API endpoint.
[Team]Viewer Read-only access to the Sauron API endpoint. Non-GET APIs return Access Denied.
[Team]Editor Grafana Editor access for Grafana 8.x and above.

OIM permission changes are not reflected until the user logs out and logs back in using SSO.

If a user is not part of any Sauron OIM entitlement, Sauron shows an access error in the browser.

SSO access error for a user without required entitlement

Enable SSO

Global SSO enables SSO for these Sauron UI endpoints:

  • Alertmanager
  • API
  • Console
  • Grafana
  • Help
  • OpenSearch Dashboards
  • Prometheus
  • Thanos
  • Thanos Rule

Steps:

  1. Create OIM entitlements first. See OIM Entitlements for RBAC.
  2. Open PUT /v1/global/sso/actions.
  3. Click Try it Out.
  4. Select enable.
  5. Enter the ssoGroup value.
  6. Click Execute.
  7. Confirm the response status is 200.
  8. Wait 2-3 minutes for Sauron pods to restart.
  9. Open a Sauron endpoint, such as https://kibana.stage.apatil.developers.oracledx.com, and confirm it prompts for Oracle SSO credentials.

For example, if the team name is MyTeam, set ssoGroup to MyTeam when the entitlements are named MyTeamAdmin and MyTeamViewer.

Global SSO API request in Sauron API Server

If the browser still uses an old session, restart the browser or clear the browser cache, then try again.

Prove it works before production

After enabling SSO:

  1. Confirm PUT /v1/global/sso/actions?action=enable returned 200.
  2. Confirm the Sauron pods restarted.
  3. Open each required endpoint in a browser.
  4. Confirm the endpoint prompts for Oracle SSO.
  5. Sign in as a user with the expected entitlement.
  6. Confirm the user receives the expected role.
  7. For a recent entitlement change, sign out and back in before treating access as failed.
Grafana role notes
Grafana 7.x only

Grafana 7.x does not support passing roles as auth proxy headers in its OSS version. For this reason, by default only one admin created on the Sauron instance account has admin access to the Grafana 7.x endpoint.

To add more Grafana 7.x administrators:

  1. Add the user to the MyTeamAdmin entitlement in OIM.
  2. Follow the SSO enablement step and provide each user's email address for the oracleEmailAddress parameter.
  3. Use the correct ssoGroup value every time you call PUT /v1/grafana/sso/actions.
  4. Check the current ssoGroup with GET /v1/sso/status if needed.

If ssoGroup is empty, all Oracle users have Viewer access to the Grafana endpoint.

Grafana 8.x and above

For Grafana 8.x and above, Sauron supports Admin, Editor, and Viewer roles out of the box. Sauron maps MyTeamAdmin, MyTeamEditor, and MyTeamViewer OIM entitlements to the corresponding Grafana roles. No extra manual step is needed.

Self-check before escalation

Most questions for this topic can be resolved with the steps above. For SSO or access-denied questions, collect:

  • Sauron URL.
  • Endpoint that failed.
  • Component.
  • Authentication method: SSO.
  • Affected user email.
  • Expected role.
  • ssoGroup value if known.
  • Exact OIM entitlement name if known.
  • Exact error/status or screenshot.
  • Start time.
  • Recent SSO, entitlement, or browser-session changes.
  • Checks completed.
  • Production impact, if any.
  • Whether the user signed out and back in after access was approved.
Architecture
Grafana SSO flow

Grafana SSO architecture