Hi,
I am trying to integrate OKTA for Grafana login. Everything on Grafana side looks correct as per the https://grafana.com/docs/grafana/latest/auth/okta/. OKTA app is created. Is the document up to date? Is CORS needed? What is the behavior once OKTA link redirects? If anyone has successfully integrated OKTA with Grafana, please share the procedure -
My Grafana config is as follows -
name = Okta
enabled = true
allow_sign_up = true
client_id =
client_secret =
scopes = “openid profile email”
auth_url = https://.okta.com/oauth2/v1/authorize
token_url = https://.okta.com/oauth2/v1/token
api_url = https://.okta.com/oauth2/v1/userinfo
;allowed_domains =
;allowed_groups =
;role_attribute_path =
One thing I ended up spending lots of time figuring out was how to support logging out of Okta when logging out of Grafana. What I was being faced with was that I would log out of Grafana, but then when I would come to log back in, it would log me back in right away since the Okta user was still logged in.
I didn’t find a solution to that in the Auth Guide (explain wells how to get us to log in with Okta, but not so much how to log out).
Grafana does not seem to fully support oauth logout . It does however support a generic signout_redirect_url value that you can specify in its configuration file.
You need to combine this with Okta functionality which allows as well a generic signout function (not the oauth application logout endpoint, which Grafana doesn’t support) with the ability to specify a redirect URL.
On Okta.
The URL given in the fromURI field needs to be configured as a Trusted Origin. Otherwise, it will be ignored by Okta. To do this:
1 - login to Okta as an administrator
2- Security Menu - API menu, go to Trusted Origins tab
3 - Add your redirect URL (the one you specified in the fromURI field in the Grafana config) and make it of Type ‘Redirect’
At that point, the logout from Grafana also triggers a logout from Okta and we are sent back to the login page of Grafana.
