
Grafana SAML Authentication Error — Quick Fix

DodaTech Updated 2026-06-24 3 min read

In this tutorial, you'll learn about Grafana SAML Authentication Error. We cover key concepts, practical examples, and best practices.

The Problem

Users cannot log in to Grafana via SAML. The Identity Provider (IdP) may redirect back to Grafana with an error, or Grafana may reject the SAML assertion. Single sign-on (SSO) may work for other applications but not Grafana.

Example errors:

SAML authentication failed: Assertion validation error: Audience mismatch
SAML login failed: Certificate not trusted
Error: unable to parse SAML response: XML parse error

The Fix

Step 1: Verify the SAML configuration

WRONG — copying SAML configuration from another application:

# Each application has unique ACS URL and certificate requirements

RIGHT — check the Grafana SAML configuration:

[auth.saml]
enabled = true
certificate_path = /etc/grafana/saml-cert.pem
private_key_path = /etc/grafana/saml-key.pem
idp_metadata_url = https://idp.example.com/metadata
assertion_attribute_name = displayName
assertion_attribute_login = email
assertion_attribute_email = email
assertion_attribute_roles = Role

Step 2: Fix certificate and ACS URL issues

WRONG — using a self-signed certificate without configuring the IdP:

# The IdP must trust Grafana's SAML certificate

RIGHT — ensure the certificate is trusted:

# Export Grafana's SAML certificate and import it into the IdP
openssl x509 -in /etc/grafana/saml-cert.pem -text -noout

# Verify the ACS URL matches what is registered in the IdP
# The ACS URL is: https://grafana.example.com/login/saml

Use DodaTech's SAML Debugger to inspect SAML assertions, validate certificates, and test the full SSO flow against your Identity Provider.
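The checks behind the "Audience mismatch" and ACS URL errors above can be reproduced offline. The following is an added example (not from the original article, Grafana or DodaTech's tooling) that parses a SAML Response and reports why a service provider configured like Grafana would reject it; the sample response, the entity ID and the ACS URL are constructed to match the values used in this guide.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response: the IdP issued the assertion for another
# application's entity ID, which is the classic "Audience mismatch" cause.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://grafana.example.com/login/saml">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://grafana.example.com/login/saml"
        NotOnOrAfter="2026-06-24T12:05:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2026-06-24T11:55:00Z" NotOnOrAfter="2026-06-24T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://other-app.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    """SAML timestamps are ISO 8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, entity_id, acs_url, now):
    """Return the list of problems an SP would reject this response for (empty = OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    # Audience must equal the SP entity ID (Grafana: entity_id, default .../saml/metadata)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience mismatch: got {audiences}, expected {entity_id!r}")
    # Destination and Recipient must both name the ACS URL registered at the IdP
    if root.get("Destination") not in (None, acs_url):
        problems.append(f"Destination mismatch: got {root.get('Destination')!r}, expected {acs_url!r}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient (ACS URL) mismatch: got {recipient!r}, expected {acs_url!r}")
    # Validity window: failures here usually mean clock skew between IdP and SP
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")):
            problems.append("Assertion not yet valid (NotBefore in the future; check clock skew)")
        if cond.get("NotOnOrAfter") and now >= parse_ts(cond.get("NotOnOrAfter")):
            problems.append("Assertion expired (NotOnOrAfter passed; check clock skew)")
    return problems
```

Call `check_response(SAMPLE_RESPONSE, "https://grafana.example.com/saml/metadata", "https://grafana.example.com/login/saml", parse_ts("2026-06-24T12:00:00Z"))` to see the single audience problem; a decoded SAMLResponse taken from the browser's POST to the ACS URL can be checked the same way.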

Prevention Tips

  • Register the exact ACS URL in the IdP: https://grafana.example.com/login/saml
  • Use an external certificate authority for SAML certificates
  • Configure the IdP to include the Role attribute for Grafana authorization
  • Enable SAML debug logging in Grafana for troubleshooting
  • Use DodaTech's SSO Implementation Guide for step-by-step IdP integration


FAQ

Why does SAML fail with "Audience mismatch"?

The SAML assertion's Audience element must match Grafana's entity ID. Set entity_id in the Grafana SAML config (default is https://grafana.example.com/saml/metadata). Ensure the IdP is configured to use this same entity ID as the audience.

How do I enable SAML debug logging in Grafana?

Add log.level = debug and log.filters = saml:debug to the Grafana configuration under [log]. This logs all SAML request and response details, making it easier to diagnose assertion validation failures.

Can I use multiple IdPs with Grafana SAML?

Grafana supports one SAML configuration at a time. For multiple IdPs, use an identity federation proxy (like Keycloak or Azure AD) that acts as a single SAML IdP for multiple backend IdPs.

Related: DodaTech's Grafana Enterprise Guide covers SAML, LDAP, and OAuth configuration for identity federation in large organizations.
