OAuth: Support mapping generic OAuth users to Grafana organizations


We are using Grafana 9.2.5 (Enterprise) with Generic OAuth by Keycloak.
We now have an authentication issue.
Does Grafana support mapping generic OAuth users (or even generic OAuth groups) to Grafana organizations? How do we configure it?
I have found a possible solution in a pull request, where the configuration looks like this:

role_attribute_path = contains(groups[*], 'my_first_group_name') && 'Admin'
org_id = 1

role_attribute_path = contains(groups[*], 'my_second_group_name') && 'Editor' || 'Viewer'
org_id = 2

However, it doesn’t work. Is there any other way to realize this requirement?


You have Grafana Enterprise, so use SAML where org mapping is supported.

Hi Jangaraj.
Thanks for your fantastic advice! We made it possible by using the settings below:
assertion_attribute_org = groups
org_mapping = *:2:Editor
Can I also kindly ask whether you know if it is possible to make the org_mapping automatic?
For example, if I create a new group in the IdP, is it possible to also generate the organization in Grafana and map it to that group automatically, instead of modifying the config manually?

IMHO that’s not possible. But you have the Enterprise version, where support is included, so you can ask official support about it and, eventually, register interest in this feature.


Thank you so much for your valuable information!