--- description: Learn how to configure SAML authentication in Grafana's UI. labels: products: - cloud - enterprise menuTitle: Troubleshooting title: Troubleshoot SAML configuration weight: 590 --- ## Troubleshooting Following are common issues found in configuring SAML authentication in Grafana and how to resolve them. ### Troubleshoot SAML authentication in Grafana To troubleshoot and get more log information, enable SAML debug logging in the configuration file. Refer to [Configuration](/docs/grafana//setup-grafana/configure-grafana/#filters) for more information. ```ini [log] filters = saml.auth:debug ``` ### Infinite redirect loop / User gets redirected to the login page after successful login on the IdP side If you experience an infinite redirect loop when `auto_login = true` or redirected to the login page after successful login, it is likely that the `grafana_session` cookie's SameSite setting is set to `Strict`. This setting prevents the `grafana_session` cookie from being sent to Grafana during cross-site requests. To resolve this issue, set the `security.cookie_samesite` option to `Lax` in the Grafana configuration file. ### SAML authentication fails with error: - `asn1: structure error: tags don't match` We only support one private key format: PKCS#8. The keys may be in a different format (PKCS#1 or PKCS#12); in that case, it may be necessary to convert the private key format. The following command creates a pkcs8 key file. ```bash openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes ``` #### **Convert** the private key format to base64 The following command converts keys to base64 format. Base64-encode the cert.pem and key.pem files: (-w0 switch is not needed on Mac, only for Linux) ```sh $ base64 -w0 key.pem > key.pem.base64 $ base64 -w0 cert.pem > cert.pem.base64 ``` The base64-encoded values (`key.pem.base64, cert.pem.base64` files) are then used for certificate and `private_key`. The keys you provide should look like: ``` -----BEGIN PRIVATE KEY----- ... ... -----END PRIVATE KEY----- ``` ### SAML login attempts fail with request response `origin not allowed` When the user logs in using SAML and gets presented with `origin not allowed`, the user might be issuing the login from an IdP (identity provider) service or the user is behind a reverse proxy. This potentially happens as the CSRF checks in Grafana deem the requests to be invalid. For more information [CSRF](https://owasp.org/www-community/attacks/csrf). To solve this issue, you can configure either the [`csrf_trusted_origins`](/docs/grafana//setup-grafana/configure-grafana/#csrf_trusted_origins) or [`csrf_additional_headers`](/docs/grafana//setup-grafana/configure-grafana/#csrf_additional_headers) option in the SAML configuration. Example of a configuration file: ```ini # config.ini ... [security] csrf_trusted_origins = https://grafana.example.com csrf_additional_headers = X-Forwarded-Host ... ``` ### SAML login attempts fail with request response "login session has expired" Accessing the Grafana login page from a URL that is not the root URL of the Grafana server can cause the instance to return the following error: "login session has expired". If you are accessing Grafana through a proxy server, ensure that cookies are correctly rewritten to the root URL of Grafana. Cookies must be set on the same URL as the `root_url` of Grafana. This is normally the reverse proxy's domain/address. Review the cookie settings in your proxy server configuration to ensure that cookies are not being discarded Review the following settings in your Grafana configuration: ```ini [security] cookie_samesite = none ``` This setting should be set to none to allow Grafana session cookies to work correctly with redirects. ```ini [security] cookie_secure = true ``` Ensure `cookie_secure` is set to true to ensure that cookies are only sent over HTTPS.