Setting SSO for grafana via keycloak with multiple realms?

Hi all,

I was using keycloak to set up SSO for grafana by configuring [auth.generic_oauth] in grafana.ini

However, only one realm can be set in [auth.generic_oauth], like this:

[auth.generic_oauth]
enabled = true
name = Oauth
allow_sign_up = true
client_id = grafana
client_secret = 7105436b-45a8-4563-9cea-f1460d88dff9
auth_url = http://keycloak.domain/auth/realms/**<realm_name>**/protocol/openid-connect/auth
token_url = http://keycloak.domain/auth/realms/**<realm_name>**/protocol/openid-connect/token
api_url = http://keycloak.domain/auth/realms/**<realm_name>**/protocol/openid-connect/userinfo

And here is a normal use case:

  1. set up keycloak.
  2. add a new realm <realm_test1> in keycloak.
  3. add a new client in <realm_test1>
  4. add a new user in <realm_test1>
  5. set up the [auth.generic_oauth] part in grafana.ini
  6. restart grafana-server
  7. SSO complete.

However, in my case we have several clusters and multiple realms need to be set, so if users in different realms should be able to log in to grafana via keycloak (SSO), how do I get there?

I have tried:

  1. set up keycloak.
  2. add a new realm <realm_test1> in keycloak.
  3. add a new client in <realm_test1>
  4. add a new user in <realm_test1>
  5. set up the [auth.generic_oauth] part in grafana.ini
  6. when I add a new realm <realm_test2> and a new client & user under <realm_test2>, a script should set up the [auth.generic_oauth] part and regenerate grafana.ini automatically.
  7. grafana-server has to be restarted for it to take effect.

I didn’t find any reload API or any other signal that can trigger grafana to reload configuration.

So, how can I set up SSO with multiple realms? Any suggestions here? Thanks a lot.

That’s an unusual SSO implementation. I haven’t seen any user app with multi-realm login support. Are you sure that you have a correct SSO design? Anyway, you need to fork Grafana and implement your own OIDC SSO there.

Thanks @jangaraj for your reply.

In my use case, several clusters share one grafana instance, and each cluster has a realm. That means each user in a different cluster/realm should be able to log in to grafana, and that’s why we need multi-realm login support.

Is there any chance we can get there without implementing our own OIDC SSO?

Configure auth proxy https://grafana.com/docs/auth/auth-proxy/ and implement your own authN outside of Grafana. IMHO multirealm authN is bad design. You can have a user with the same login id in different realms - are they different users or is it the same user, because the login id is the same? Your multirealm SSO design can introduce serious security risk.

Hello,

I also have a similar use case. We have multiple realms/tenants/orgs. A user can only belong to a single organization.

While Grafana doesn’t have out-of-box support for org-specific OAuth configuration as mentioned above, I wanted to understand if there has been any success with using Auth proxy as aforementioned by @jangaraj ?