{"id":9989,"date":"2023-04-20T12:33:21","date_gmt":"2023-04-20T17:33:21","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=9989"},"modified":"2023-04-20T12:33:21","modified_gmt":"2023-04-20T17:33:21","slug":"grafana-sso-with-pingid-oauth","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=9989","title":{"rendered":"Grafana &#8212; SSO With PingID (OAuth)"},"content":{"rendered":"<p>I enabled SSO in our development Grafana system today. There&#8217;s not a great user experience with SSO enabled <em>because<\/em> there is a local &#8216;admin&#8217; user that has extra special rights that aren&#8217;t given to users put into the admin role. If you just enable SSO, there is a new button added under the logon dialogue that users can use to initiate an SSO authentication. That&#8217;s not great, though, since <em>most<\/em> users really should be using the SSO workflow. And people are absolutely going to be putting their login information into that really obvious set of text input fields.<\/p>\n<p><a href=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2023\/04\/Grafana-WithLogonButton.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-9990 size-full\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2023\/04\/Grafana-WithLogonButton.png\" alt=\"\" width=\"516\" height=\"571\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2023\/04\/Grafana-WithLogonButton.png 516w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2023\/04\/Grafana-WithLogonButton-271x300.png 271w\" sizes=\"auto, (max-width: 516px) 100vw, 516px\" \/><\/a><\/p>\n<p>Grafana has a configuration to bypass the logon form and just <em>always<\/em> go down the OAUTH authentication:<\/p>\n<pre># Set to true to attempt login with OAuth automatically, skipping the login screen.\r\n# This setting is ignored if multiple OAuth providers are configured.\r\noauth_auto_login = true<\/pre>\n<p>Except, now, the rare 
occasion we need to use the local admin account requires us to set this to false, restart the service, do our thing, change the setting back, and restart the service again. Which is what we&#8217;ll do &#8230; but it&#8217;s not a great solution either.<\/p>\n<p>Config to authenticate Grafana to PingID using OAuth:<\/p>\n<pre>#################################### Generic OAuth ##########################\r\n[auth.generic_oauth]\r\nname = PingID\r\nenabled = true\r\n# With allow_sign_up enabled, a Grafana account is created on first login for any user PingID authenticates (allowed_domains is left empty below).\r\nallow_sign_up = true\r\nclient_id = 12345678-1234-4567-abcd-123456789abc\r\nclient_secret = abcdeFgHijKLMnopqRstuvWxyZabcdeFgHijKLMnopqRstuvWxyZ\r\nscopes = openid profile email\r\nemail_attribute_name = email:primary\r\nemail_attribute_path =\r\nlogin_attribute_path = user\r\nrole_attribute_path =\r\nid_token_attribute_name =\r\nauth_url = https:\/\/login.example.com\/as\/authorization.oauth2\r\ntoken_url = https:\/\/login.example.com\/as\/token.oauth2\r\napi_url = https:\/\/login.example.com\/idp\/userinfo.openid\r\nallowed_domains =\r\nteam_ids =\r\nallowed_organizations =\r\n# Skips TLS certificate verification for the OAuth endpoints, so any certificate is accepted; use only for development or testing.\r\ntls_skip_verify_insecure = true\r\ntls_client_cert =\r\ntls_client_key =\r\ntls_client_ca =<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I enabled SSO in our development Grafana system today. There&#8217;s not a great user experience with SSO enabled because there is a local &#8216;admin&#8217; user that has extra special rights that aren&#8217;t given to users put into the admin role. 
If you just enable SSO, there is a new button added under the logon dialogue &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[1842,1488,1843],"class_list":["post-9989","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-grafana","tag-oauth","tag-pingid"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/9989","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9989"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/9989\/revisions"}],"predecessor-version":[{"id":9991,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/9989\/revisions\/9991"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9989"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9989"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9989"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}