Setting SSO for grafana via keycloak with multiple realms?

zhwlx22 · April 11, 2019, 2:19am

Hi all,

I was using keycloak to set sso for grafana by config [auth.generic_oauth] in grafana.ini

However, only one realm can be set in [auth.generic_oauth], just like:

[auth.generic_oauth]
enabled = true
name = Oauth
allow_sign_up = true
client_id = grafana
client_secret = 7105436b-45a8-4563-9cea-f1460d88dff9
auth_url = http://keycloak.domain/auth/realms/**<realm_name>**/protocol/openid-connect/auth
token_url = http://keycloak.domain/auth/realms/**<realm_name>**/protocol/openid-connect/token
api_url = http://keycloak.domain/auth/realms/**<realm_name>**/protocol/openid-connect/userinfo

And here is a normal use case:

setup keycloak.
add a new realm <realm_test1> in keycloak.
add a new client in <realm_test1>
add a new user in <realm_test1>
setup [auth.generic_oauth] part in grafana.ini
restart grafana-server
SSO complete.

However, in my condition, we have several clusters, and multiple realms need to be set, so if user in different realms can login grafana via keycloak (SSO), how to get there?

I have tried:

setup keycloak.
add a new realm <realm_test1> in keycloak.
add a new client in <realm_test1>
add a new user in <realm_test1>
setup [auth.generic_oauth] part in grafana.ini
while I add new realm <realm_test2> and add new client & user under <realm_test2>, a script should setup [auth.generic_oauth] part and regenerate grafana.ini automatically.
grafana-server should be restarted to take effect.

I didn’t find any reload API or any other signal that can trigger grafana to reload configuration.

So, how can I setup SSO with multiple realms? Any suggestions here? Thanks a lot.

jangaraj · April 11, 2019, 5:52am

That’s unusual SSO implementation. I haven’t seen any user app with multirealm login support. Are you sure, that you have correct SSO design? Anyway, you need to fork Grafana and implement your own OIDC SSO there.

zhwlx22 · April 11, 2019, 9:18am

Thanks @jangaraj for your reply.

In my use case, serveral clusters share one grafana instance, each cluster has a realm. That means each user in different cluster/realm should login grafana. and that’s why we need an multi-realm login support.

Is there any chance we can get there without implement our own OIDC SSO?

jangaraj · April 11, 2019, 9:45am

Configure auth proxy https://grafana.com/docs/auth/auth-proxy/ and implement own authN outside of Grafana. IMHO multirealm authN is bad design. You can have a user with the same login id in different realms - are they different users or is it the same user, because login id is the same. Your mutlirealm SSO design can introduce serious security risk.

amandeepchugh · August 17, 2020, 11:15am

Hello,

I also have a similar usecase. We have multiple realms/tenants/org. A user can only belong to a single organization.

While Grafana doesn’t have out-of-box support for org-specific OAuth configuration as mentioned above, I wanted to understand if there has been any success with using Auth proxy as aforementioned by @jangaraj ?

Topic		Replies	Views
Keycloak Multitenancy Authentication in Grafana with Helm Authentication	0	27	November 25, 2024
SSO Grafana & Keycloak problem redirect Grafana	5	2754	April 15, 2022
Multiple Keylcoak Realms in Single Grafana Project Configuration	0	412	February 14, 2022
Setting up role mapping with generic Oauth Grafana	2	1936	July 29, 2020
Problems setting up SSO with Keycloak Authentication	3	10266	July 9, 2020

Setting SSO for grafana via keycloak with multiple realms?

Related topics