Setup Single Sign On (SSO) for Grafana with Identity

September 18, 2024

Single Sign-On (SSO) enables users to log in to multiple applications with a single set of credentials, enhancing both security and ease of use. In this guide, we will show you how to configure Grafana to use Identity as the Identity Provider, utilizing the OpenID Connect (OIDC) protocol for authentication.

This step-by-step guide will walk you through the process of integrating Grafana with Identity, ensuring your users have a seamless login experience while maintaining a secure environment.

Why SSO with Grafana?

Grafana is widely used for visualizing and monitoring data from various sources. However, managing user access and credentials across multiple tools and platforms can be tedious and pose security risks. Here’s why integrating SSO with Grafana is beneficial:

  • Simplified User Experience Users can log in once and access multiple platforms, including Grafana, without needing separate usernames and passwords.
  • Centralized Access Control Admins can manage user permissions and roles in one place, reducing the complexity of handling access across different systems.
  • Enhanced Security By using a single, centralized authentication source, you reduce the risk of password mismanagement and improve your overall security posture.
  • Enterprise Scalability As your organization grows, managing multiple credentials for various tools becomes unsustainable. SSO provides a scalable solution, allowing new users to be onboarded quickly with predefined roles and permissions.
Prerequisites

Before we begin, ensure the following:

  • An active Identity account with administrator privileges
  • A Grafana account with admin access.
  • Basic understanding of OpenID Connect (OIDC), the protocol used for SSO in Grafana
Step 1: Register Grafana in Identity
  1. Log in to Identity as an administrator.
  2. Navigate to the Clients (OAuth 2.0 > Clients) and click on New Client.
  3. Fill in the following details:
    1. Name: Grafana
    2. Client ID: Choose a unique identifier for Grafana, e.g., Grafana.
    3. Secret: Set the client secret and confirm it
    4. Scopes: Scopes define what user information will be shared. Set this to openid, profile
    5. Grant Type: Select the grant type Authorization Code
    6. Redirect URI: Set this to http://<grafana_url>/login/generic_oauth (replace <grafana_url> with your Grafana instance URL)
    7. Post Logout Redirect URI: Set this to http://<grafana_url>/login/generic_oauth
  4. Save your changes
Grafana General Details in Identity
Grafana Authentication Details in Identity
Step 2: Configure Grafana to Use Identity as an OAuth Provider
  1. Log in to Grafana as an administrator.
  2. Navigate to Administration > Authentication.
  3. Click on Generic OAuth.
  4. Enable OAuth and fill in the following details:
    1. Display Name: Set this as Identity. This name will be displayed on your Login Button i.e. "Sign In with Identity"
    2. Client ID: Use the client ID you created earlier in Identity i.e. Grafana
    3. Client Secret: Enter the client secret generated in Identity.
    4. Scopes: Enter openid profile
    5. Auth URL: https://<identity_domain>/connect/authorize (replace <identity_domain> with your Identity server’s URL). E.g. https://identity.celusion.dev/connect/authorize
    6. Token URL: https://<identity_domain>/connect/token
    7. API URL: https://<identity_domain>/connect/userinfo
    8. Allow Sign Up: Disable this to prevent users to sign up automatically when they log in via SSO.
    9. Sign out Redirect URL: Set this to http://<grafana_url>/login
    10. Expand User mapping and set the Login attribute path to preferred_username
    11. Under User mapping set the Email attribute path to email
  5. Save the configuration.
Grafana General Settings
Grafana Authentication URL
Grafana User Mapping
Step 3: Test the Integration
  1. Navigate to your Grafana instance login page
  2. You will be shown an additional button "Sign In with Identity"
  3. Click the Sign In with Identity button
  4. Enter credentials of a user who has access to Grafana. i.e. The username in Identity and the username in Grafana should be the same
  5. Complete the login process. After authentication, you will be redirected to Grafana.
Grafana Login Screen

Video Tutorial

We've also created a comprehensive video tutorial on YouTube that walks you through the entire SSO setup process in Grafana using Identity as the Identity Provider. Watch it here to see each step in action!

Conclusion

By integrating Grafana with Identity for Single Sign-On using OIDC, you simplify user authentication and centralize access control across applications. This integration enhances security and provides a seamless experience for your users.

If you encounter any issues during the setup process, check both Grafana and Identity logs for any configuration errors. For further assistance, feel free to contact our support team or refer to the official Grafana and Identity documentation.

Nurturing Leads in the Banking and Financial Services Sector
Oct 14, 2024

Lead nurturing in banking boosts conversions and relationships through personalized communication, timely follow-ups, and data-driven tactics.

Enhance your FortiGate security with SSO integration
Oct 3, 2024

In this guide, we'll walk you through the steps to set up SSO integration in FortiGate using Identity, the workforce, customer and citizen identity management solution.

Enhancing Agility : Business Rule Engines for Fast Decisions
Oct 1, 2024

BREs enhance financial services' agility by enabling fast decisions, ensuring compliance, and reducing IT dependence, while adapting to regulatory changes