Setup Single Sign On (SSO) for Grafana with Identity

September 18, 2024

Single Sign-On (SSO) enables users to log in to multiple applications with a single set of credentials, enhancing both security and ease of use. In this guide, we will show you how to configure Grafana to use Identity as the Identity Provider, utilizing the OpenID Connect (OIDC) protocol for authentication.

This step-by-step guide will walk you through the process of integrating Grafana with Identity, ensuring your users have a seamless login experience while maintaining a secure environment.

Why SSO with Grafana?

Grafana is widely used for visualizing and monitoring data from various sources. However, managing user access and credentials across multiple tools and platforms can be tedious and pose security risks. Here’s why integrating SSO with Grafana is beneficial:

  • Simplified User Experience Users can log in once and access multiple platforms, including Grafana, without needing separate usernames and passwords.
  • Centralized Access Control Admins can manage user permissions and roles in one place, reducing the complexity of handling access across different systems.
  • Enhanced Security By using a single, centralized authentication source, you reduce the risk of password mismanagement and improve your overall security posture.
  • Enterprise Scalability As your organization grows, managing multiple credentials for various tools becomes unsustainable. SSO provides a scalable solution, allowing new users to be onboarded quickly with predefined roles and permissions.
Prerequisites

Before we begin, ensure the following:

  • An active Identity account with administrator privileges
  • A Grafana account with admin access.
  • Basic understanding of OpenID Connect (OIDC), the protocol used for SSO in Grafana
Step 1: Register Grafana in Identity
  1. Log in to Identity as an administrator.
  2. Navigate to the Clients (OAuth 2.0 > Clients) and click on New Client.
  3. Fill in the following details:
    1. Name: Grafana
    2. Client ID: Choose a unique identifier for Grafana, e.g., Grafana.
    3. Secret: Set the client secret and confirm it
    4. Scopes: Scopes define what user information will be shared. Set this to openid, profile
    5. Grant Type: Select the grant type Authorization Code
    6. Redirect URI: Set this to http://<grafana_url>/login/generic_oauth (replace <grafana_url> with your Grafana instance URL)
    7. Post Logout Redirect URI: Set this to http://<grafana_url>/login/generic_oauth
  4. Save your changes
Grafana General Details in Identity
Grafana Authentication Details in Identity
Step 2: Configure Grafana to Use Identity as an OAuth Provider
  1. Log in to Grafana as an administrator.
  2. Navigate to Administration > Authentication.
  3. Click on Generic OAuth.
  4. Enable OAuth and fill in the following details:
    1. Display Name: Set this as Identity. This name will be displayed on your Login Button i.e. "Sign In with Identity"
    2. Client ID: Use the client ID you created earlier in Identity i.e. Grafana
    3. Client Secret: Enter the client secret generated in Identity.
    4. Scopes: Enter openid profile
    5. Auth URL: https://<identity_domain>/connect/authorize (replace <identity_domain> with your Identity server’s URL). E.g. https://identity.celusion.dev/connect/authorize
    6. Token URL: https://<identity_domain>/connect/token
    7. API URL: https://<identity_domain>/connect/userinfo
    8. Allow Sign Up: Disable this to prevent users to sign up automatically when they log in via SSO.
    9. Sign out Redirect URL: Set this to http://<grafana_url>/login
    10. Expand User mapping and set the Login attribute path to preferred_username
    11. Under User mapping set the Email attribute path to email
  5. Save the configuration.
Grafana General Settings
Grafana Authentication URL
Grafana User Mapping
Step 3: Test the Integration
  1. Navigate to your Grafana instance login page
  2. You will be shown an additional button "Sign In with Identity"
  3. Click the Sign In with Identity button
  4. Enter credentials of a user who has access to Grafana. i.e. The username in Identity and the username in Grafana should be the same
  5. Complete the login process. After authentication, you will be redirected to Grafana.
Grafana Login Screen

Video Tutorial

We've also created a comprehensive video tutorial on YouTube that walks you through the entire SSO setup process in Grafana using Identity as the Identity Provider. Watch it here to see each step in action!

Conclusion

By integrating Grafana with Identity for Single Sign-On using OIDC, you simplify user authentication and centralize access control across applications. This integration enhances security and provides a seamless experience for your users.

If you encounter any issues during the setup process, check both Grafana and Identity logs for any configuration errors. For further assistance, feel free to contact our support team or refer to the official Grafana and Identity documentation.

Banks at a crossroads navigating consumer expectations
May 21, 2024

The digital age has redefined what consumers expect from their service providers, placing a significant emphasis on quality, responsiveness, and customization.

The future of banking onboarding in India: Top trends in 2024
Jan 1, 2024

As we enter 2024, several key trends are emerging, reshaping the way banks onboard and interact with customers. Here are the top trends in banking onboarding.

When it comes to onboarding, it’s safety first!
Jun 16, 2023

Data safety and privacy is of key concern for institutions and customers alike. Our products such as ONBOARD can help you with safer and faster onboarding.