We were trying to integrate Okta and Grafana 7 as per https://grafana.com/docs/grafana/latest/auth/okta/
and, as per the docs, we are using the following JMESPath notation to assign the roles:
GF_AUTH_OKTA_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'grafana-admin') && 'Admin' || contains(groups[*], 'grafana-editor') && 'Editor' || 'Viewer'"
We are able to make everything work, and users are able to get the roles based on their Okta groups, but this applies only to the default Org.
We have multiple organisations, and even when we assign a person editor access to an organisation other than the default one, it remains valid only while the session is valid, and once a logout is initiated, the user gets removed from that organisation. This doesn't happen when we use GF_AUTH_PROXY_ENABLED instead of Okta. With GF_AUTH_PROXY_ENABLED, once a user is added to another organisation, the change persists. I suspect this could be because of the JMESPath notation, but I am not sure. Is there any way we can persist a user's Org membership while the authentication is handled by Okta?
We are running this on k8s, and the backend database is Postgres. Please let me know if you need any more info that could be of help.