BizFirst Observe
Grafana Enterprise
Grafana Enterprise adds features required for large-scale corporate deployments: SAML/OIDC SSO, query audit logging, data source caching, fine-grained data source permissions, and scheduled PDF/Excel report generation. It is a drop-in replacement for Grafana OSS — the same configuration applies.
Enterprise Feature Comparison
| Feature | OSS | Enterprise |
|---|---|---|
| LDAP integration | Yes | Yes (enhanced) |
| SAML 2.0 SSO | No | Yes |
| OIDC / OAuth2 SSO | Yes (generic) | Yes (Azure AD, Okta, Ping optimized) |
| Query audit log | No | Yes — who queried what data source and when |
| Data source permissions | Basic (role-based) | Granular (team + user + role) |
| Data source caching | No | Yes — reduces backend query load |
| Report generation | No | Yes — schedule dashboards as PDF/Excel email reports |
| Team provisioning | Via API only | Via provisioning YAML |
SAML SSO Configuration (Grafana Enterprise)
# grafana.ini — SAML SSO configuration
[auth.saml]
enabled = true
certificate_path = /etc/grafana/saml/grafana.crt
private_key_path = /etc/grafana/saml/grafana.key
idp_metadata_path = /etc/grafana/saml/idp-metadata.xml
max_issue_delay = 90s
metadata_valid_duration = 48h
# Map SAML attributes to Grafana user fields:
assertion_attribute_name = displayName
assertion_attribute_login = mail
assertion_attribute_email = mail
assertion_attribute_groups = memberOf
# Map SAML groups to Grafana org roles:
role_values_admin = cn=platform-engineering,ou=groups,dc=bizfirstai,dc=com
role_values_editor = cn=operations,ou=groups,dc=bizfirstai,dc=com
role_values_viewer = cn=business-users,ou=groups,dc=bizfirstai,dc=comQuery Audit Log
# grafana.ini — enable query audit logging
[auditing]
enabled = true
loggers = file,loki # Write to local file AND forward to Loki
[auditing.loki]
url = http://loki:3100
basicAuthUser = ""
# Audit log captures:
# - Every Explore query (LogQL, PromQL, TraceQL) with full query text
# - Who executed it (user, IP)
# - Which data source
# - Response size and duration
# Query the audit log in Grafana Explore (Loki):
{job="grafana-audit"} | json | action = "data-request" | dataSource = "Loki"
| line_format "User={{.user}} Query={{.query}} Duration={{.duration}}ms"
Enterprise Licensing Is Per Active User
Grafana Enterprise is licensed per active user (users who log in within the billing period). For BizFirstGO deployments where only the platform team uses Grafana directly (and tenant admins use pre-built dashboards via tenant-scoped data sources), the active user count may be surprisingly small — making Enterprise cost-effective compared to building equivalent audit and SSO infrastructure yourself.