- What Grafana version and what operating system are you using?
  11.1.0
- What are you trying to achieve?
  We want to implement an SSO login in Grafana. The users would log in to our product using our own auth service (wrapper around Keycloak) and from there they can reach Grafana and the user should get logged in automatically. We are exploring all types of auth mechanisms - OAuth, JWT, auth proxy - to achieve this.
  The main question here is: is it possible to just let the user in without creating a user entry for them on Grafana’s end? We want the user records to be present only in our Keycloak or Microsoft AD etc., with no user record in Grafana. This reduces the extra overhead of maintaining the user lifecycle and syncing the user from Keycloak to Grafana.
- How are you trying to achieve it?
  We are not creating the users in Grafana beforehand but are setting the auto_sign_up property to true. I don’t think the login would work without that property.
  Is this something even possible in Grafana?
- What happened?
- What did you expect to happen?
- Can you copy/paste the configuration(s) that you are having problems with?
- Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
- Did you follow any online instructions? If so, what is the URL?
Why is there a need for that sync? If you have SSO properly configured, then there shouldn’t be a need for any sync.

Thank you for the response.
So if some user info is updated in Keycloak, would it be updated in the Grafana user database upon login?
Also, what about the delete case? If a user is deleted from Keycloak, how would it be deleted from Grafana? That’s the sync I was referring to.

It depends on what is updated, but I guess that yes. That’s the point of the SSO protocol.
If a user is deleted from Keycloak, then the user won’t be able to log in to Grafana. So I’m still missing the point of that sync.
I recommend testing your use cases first.