SSO and how to set OrgID and Roles

We have configured the generic_auth of Grafana and OpenID Connect to authenticate our users in Grafana.

[auth.generic_oauth]
enabled = true
name = OAuth
allow_sign_up = true
client_id = toto
client_secret = 41d1fa6a-2a5c-43a1-9b13-d798f111111e
scopes = openid profile email address phone entities
auth_url = https://website.net/auth/realms/protocol/openid-connect/auth
token_url = https://website.net/auth/realms/protocol/openid-connect/token
api_url = https://website.net/auth/realms/protocol/openid-connect/userinfo
;team_ids =
;allowed_organizations =

As of today, is it possible to define an attribute in OpenId that would be used by Grafana to set the user’s orgId ?

Thanks for the help

1 Like

org id and roles cannot be defined via oauth, you need to do that in the Grafana UI

Thank you for the quick reply. Would it be possible to use the HTTP API to set the orgId and user’s role after it has been created ? We prefer not to use the UI to create users .

Sorry to bump this, but I came across this thread as we are also looking for ways to this. Namely, assign new users to a particular organization based on OAuth attributes.

@torkel, is this functionality something that’s on the horizon, or should we just find a work-around?

@abrilhault you can certainly set organizational memberships and roles via the API (e.g. http://docs.grafana.org/http_api/org/#add-a-new-user-to-the-current-organisation, http://docs.grafana.org/http_api/org/#updates-the-given-user).

@torkel, When can we expect this feature ?

Hello,

You can get roles from Authorization server. see Link

But the orgs, it’s more difficult because grafana try to gets organisation from the endpoint “userinfo/orgs” on the authorization server.

HI all,

I understand that it’s not possibile assign user to particular OrgID by OAuth attributes.

But is it possible instead pre-create users (also with Grafana UI), ad assign them to a particular organization with OAuth login mode enabled?

I tried but seems that when a user login for first time after I created it inside Grafana, it is duplicated inside user list (no match on email or username).

Is this way possible ? what am I doing wrong?

Thanks for your help…

Currently it is not possible to assign a user to an organisation through OAuth login.
see this PR:23661 for completely supporting of organisations <-> role mapping

The workaround is to manually create organisations and assign users to multiple organisation with roles (Admin, Editor, Viewer).
This will work only if you delete the property role_attribute_path from grafana.ini otherwise upon OAuth login, Grafana would remove the logged-in user from other organisations except the main org with id = 1.

1 Like

For this reason I would know if It’s possible assign manually users to organization BEFORE they login for first time…

@marcoboffi did you find a solution?

@marcoboffi @gtaspider Been struggling with this same thing for weeks, any suggestions?

The only thing i’m currently leaning to is to allow basic auth and using the API to create users. But man i really don’t like that solution. If there just would be a way of assigning the org, or team or anything when a user logs in for the first time

No, I switched to Grafana Cloud so we are using Team sync to overcome this problem.

I know this post is super old, and I know most of it is around oauth.

  • Does this “not supporting org id assignment during user auto-creation” apply to all authentication providers (oauth, jwt, etc?).

And it sounds like the general solutions to OrgId assignments are:

1.) setup user/role/org id assignment via api. Turn off the role attribute path stuff.

– or –

2.) Use the Team Sync feature.

Or did I miss something?

No, SAML has that.

@jangaraj , thanks for the quick reply.

Okay, so the SAML provider has it. And I know the Auth Proxy integration appears to support it as well via headers.

  • Are those the only auth providers that supports the org id assignment on auto user creation?

(I’m currently evaluating the oauth and JWT providers for authentication integration in my environment.)

It appears that this is now available in more recent releases: Configure Okta OIDC authentication | Grafana documentation

(see also Add ability to map OAuth users to Grafana organizations · Issue #73448 · grafana/grafana · GitHub and associated PRs)