
# Creating a SAML application in Yandex Identity Hub for integration with Grafana Cloud

[Grafana Cloud](https://grafana.com/products/cloud/) is a managed cloud monitoring and observability platform that brings together Grafana, Prometheus, Loki, and other tools for data visualization and analysis. Grafana Cloud supports SAML authentication to provide secure SSO for your organization's users.

For the users of your [organization](../../../concepts/organization.md) to be able to authenticate to Grafana Cloud via [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) SSO, create a [SAML app](../../../concepts/applications.md#saml) in Yandex Identity Hub and configure it both in Yandex Identity Hub and Grafana Cloud.

SAML apps can be managed by users with the `organization-manager.samlApplications.admin` [role](../../../security/index.md#organization-manager-samlApplications-admin) or higher.

To give access to Grafana Cloud to the users of your organization:

1. [Create a Grafana Cloud account](#grafana-account).
1. [Create an app](#create-app).
1. [Set up the integration](#setup-integration).
1. [Make sure the application works correctly](#validate).

## Create a Grafana Cloud account {#grafana-account}

If you do not have a Grafana Cloud account, create one:

1. Go to the [Grafana Cloud sign up page](https://grafana.com/auth/sign-up/).
1. Fill out the registration form:
    - Enter your email address.
    - Create a secure password.
1. Click **Create my account**.
1. Verify your new account by following the instructions sent to the email address you provided.
1. Select a name for your organization; this name will be part of your instance's URL, e.g., `your-org`.
1. Once logged in, make sure you have administrator permissions to configure SAML in Grafana Cloud.

{% note info %}

To configure SAML in Grafana Cloud, you need organization administrator permissions. If you do not have the required permissions, contact your organization's administrator in Grafana Cloud.

{% endnote %}

## Create an app {#create-app}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../../_assets/console-icons/shapes-4.svg) **Apps**.
    1. In the top-right corner, click ![Circles3Plus](../../../../_assets/console-icons/circles-3-plus.svg) **Create application** and in the window that opens:
        1. Select the **SAML (Security Assertion Markup Language)** single sign-on method.
        1. In the **Name** field, specify a name for your new app: `grafana-cloud-app`.
        1. Optionally, in the **Description** field, enter a description for the new app.
        1. Optionally, add [labels](../../../../resource-manager/concepts/labels.md):

            1. Click **Add label**.
            1. Add a label in `key: value` format.
            1. Press **Enter**.
        1. Click **Create application**.

{% endlist %}

## Set up the integration {#setup-integration}

To integrate Grafana Cloud with the SAML app you created in Yandex Identity Hub, complete the setup both on the Grafana Cloud side and in Yandex Identity Hub.

### Set up the SAML application in Grafana Cloud {#setup-sp}

1. To configure SAML authentication in Grafana Cloud, in the left-hand panel, navigate to **Administration** and then to **Authentication**.
1. In the main window, select **SAML**.

Then complete the steps below:

#### General settings {#general-settings}

Make sure to enable the **Allow signup** option to automatically create users in Grafana Cloud when they log in via SSO. If this option is off, only users who already have a Grafana Cloud account will be able to log in.

#### Signing requests {#sign-requests}

This section is where you can configure a certificate for signing outgoing SAML requests.

{% note tip %}

Yandex Identity Hub does not currently support request signature verification, so we recommend you leave the **Sign requests** option disabled.

{% endnote %}

#### Connecting Grafana to the IdP {#conect-idp}

Configure a link between Grafana Cloud and Yandex Identity Hub:

1. Under **Configure IdP using Grafana metadata**, copy and save the endpoint addresses for retrieving the Grafana Cloud metadata (*Metadata URL*) and for receiving SAML assertions from the IdP (*Assertion Consumer Service URL*). You will need both addresses later when setting up the integration in Yandex Identity Hub.
1. Configure the endpoint address to receive metadata from Yandex Identity Hub:

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../../_assets/console-icons/shapes-4.svg) **Apps** and then, the SAML app.
    1. On the **Overview** tab, under **Identity provider (IdP) configuration**, copy the **Metadata URL** field value.
    1. Return to Grafana Cloud and under **Finish configuring Grafana using IdP data**, paste the copied address into the **Metadata URL** field.

#### Mapping user attributes {#user-mapping}

Set up mapping between user object fields in Grafana Cloud and Yandex Identity Hub:

1. Under **Assertion attributes mappings**, specify:

    - **Name attribute**: `fullname`
    - **Login attribute**: `login`
    - **Email attribute**: `emailaddress`

1. If you want Grafana Cloud users to get one of the basic roles (Viewer, Editor, Admin) when they log in, add the user group attribute. To do this, select `groups` in the **Role attribute** field.

    {% note info %}

    If you do not configure role mapping, all users will log in with the default `Viewer` role.

    {% endnote %}

    Next, under **Role mapping**, specify the names of the groups whose users will receive the appropriate roles. For example:

    - Under **Viewer**: `grafana-viewer`
    - Under **Editor**: `grafana-editor`
    - Under **Admin**: `grafana-admin`

    You will need to create the groups when setting up the app in Yandex Identity Hub.

1. Below, in the **Name identifier format** field, select `Email address`.

    To view and configure user attribute names in Yandex Identity Hub, use the **Attributes** tab in your application.

1. Save the settings by clicking **Save and enable**.

### Set up the SAML application in Yandex Identity Hub {#setup-idp}

#### Set up service provider endpoints {#sp-endpoints}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
  1. In the left-hand panel, select ![shapes-4](../../../../_assets/console-icons/shapes-4.svg) **Apps** and then, the SAML app.
  1. At the top right, click ![pencil](../../../../_assets/console-icons/pencil.svg) **Edit** and in the window that opens:
      1. In the **SP EntityID** field, paste the endpoint address you copied from the **Metadata URL** field when connecting Grafana to the IdP in Grafana Cloud.
      1. In the **ACS URL** field, paste the endpoint address you copied from the **Assertion Consumer Service URL** field when connecting Grafana to the IdP in Grafana Cloud.
      1. Click **Save**.

{% endlist %}

#### Configure user attributes {#user-attributes}

{% note warning %}

For integration with Grafana Cloud, users need the `login` attribute.

{% endnote %}

If users do not have the `login` attribute, add it:

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../../_assets/console-icons/shapes-4.svg) **Apps** and select the desired app.
    1. Navigate to the **Attributes** tab.
    1. In the top-right corner, click ![plus](../../../../_assets/console-icons/plus.svg) **Add attribute** and in the window that opens:

        1. In the **Attribute name** field, specify `login`.
        1. In the **Value** field, select `SubjectClaims.preferred_username`.
        1. Click **Add**.

{% endlist %}

If you have configured role mapping in Grafana Cloud, add the user group attribute. Follow these steps:

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. In the top-right corner, click ![circles-3-plus](../../../../_assets/console-icons/circles-3-plus.svg) **Add group attribute** and in the window that opens:

        1. In the **Transmitted groups** field, select `Assigned groups only`.
        1. Click **Add**.

{% endlist %}

For more information about configuring attributes, see [Configure user and group attributes](../../../operations/applications/saml-create.md#setup-attributes).
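The attribute mapping configured in Grafana Cloud above and the `login` and group attributes configured in Yandex Identity Hub only work if the assertion actually carries `fullname`, `login`, `emailaddress`, `groups` and an email-format NameID. The following added example (not part of this documentation or of Grafana's code) parses a constructed, unsigned assertion fragment, checks for those fields, and resolves the tutorial's `grafana-viewer`/`grafana-editor`/`grafana-admin` groups to a basic role; it assumes that when several groups match, the highest role wins, and it performs no signature verification, which Grafana Cloud does before reading attributes.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Role mapping as configured under "Role mapping" in this tutorial: group name -> basic role.
ROLE_BY_GROUP = {"grafana-viewer": "Viewer", "grafana-editor": "Editor", "grafana-admin": "Admin"}
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Admin": 2}

# Constructed sample for illustration only; not an assertion captured from Yandex Identity Hub.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="fullname"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="login"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>grafana-viewer</saml:AttributeValue>
      <saml:AttributeValue>grafana-editor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(xml_text):
    """Return (NameID format, {attribute name: [values]}) from an assertion fragment."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return fmt, attrs


def check_assertion(xml_text):
    """List the problems that would break the mapping this tutorial configures."""
    fmt, attrs = parse_attributes(xml_text)
    problems = [f"missing attribute: {n}" for n in ("fullname", "login", "emailaddress") if not attrs.get(n)]
    if fmt != EMAIL_FORMAT:  # "Name identifier format" is set to Email address in Grafana Cloud
        problems.append(f"unexpected NameID format: {fmt}")
    return problems


def grafana_role(attrs):
    """Highest mapped role from 'groups' (assumption); Viewer when nothing maps, the default role."""
    roles = [ROLE_BY_GROUP[g] for g in attrs.get("groups", []) if g in ROLE_BY_GROUP]
    return max(roles, key=ROLE_RANK.get) if roles else "Viewer"
```

Use `check_assertion` on a decoded SAMLResponse from the browser's developer tools when a user lands in Grafana Cloud with the wrong role or cannot log in at all.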

### Add a user {#add-user}

For your organization's users to be able to authenticate in Grafana Cloud with Yandex Identity Hub's SAML app, you need to explicitly add these users and/or [user groups](../../../concepts/groups.md) to the SAML application.

{% note info %}

Users and groups added to a SAML application can be managed by a user with the `organization-manager.samlApplications.userAdmin` [role](../../../security/index.md#organization-manager-samlApplications-userAdmin) or higher.

{% endnote %}

1. If you have configured role mapping in Grafana Cloud, [create](../../../operations/create-group.md) the [groups](../../../concepts/groups.md) as needed:

    {% list tabs group=instructions %}

    - Cloud Center UI {#cloud-center}

        1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
        1. In the left-hand panel, select ![groups](../../../../_assets/console-icons/persons.svg) **Groups**.
        1. In the top-right corner of the page, click ![Circles3Plus](../../../../_assets/console-icons/circles-3-plus.svg) **Create group**.
        1. Enter a name, e.g., `grafana-viewer`.
        1. Click **Create group**.
        1. Add users to the group:
            1. Navigate to the **Members** tab.
            1. Click **Add member**.
            1. In the window that opens, select the required users.
            1. Click **Save**.

    {% endlist %}

    Similarly, create the `grafana-editor` and `grafana-admin` groups.

1. Add users to the application:

    {% list tabs group=instructions %}

    - Cloud Center UI {#cloud-center}

        1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
        1. In the left-hand panel, select ![shapes-4](../../../../_assets/console-icons/shapes-4.svg) **Apps** and select the required app.
        1. Navigate to the **Users and groups** tab.
        1. Click ![person-plus](../../../../_assets/console-icons/person-plus.svg) **Add users**.
        1. In the window that opens, select the required user or user group.
        1. Click **Add**.

    {% endlist %}

## Make sure your application works correctly {#validate}

To make sure both your SAML app and Grafana Cloud integration work correctly, authenticate to Grafana Cloud as one of the users you added to the app. Follow these steps:

1. In your browser, navigate to the address of your Grafana Cloud instance, e.g., `https://your-org.grafana.net`.
1. If you were logged in to Grafana Cloud, log out.
1. On the Grafana Cloud sign in page, click **Sign in with SAML**.
1. On the Yandex Cloud sign in page, enter the email and password of a user who was added to the application, either directly or as a member of an added group.
1. Make sure you have authenticated in Grafana Cloud.
1. If you have configured role mapping, go to the user profile in Grafana Cloud and make sure the appropriate role is displayed under **Organization**.