SSO and how to set OrgID and Roles

We have configured the generic_auth of Grafana and OpenID Connect to authenticate our users in Grafana.

[auth.generic_oauth]
enabled = true
name = OAuth
allow_sign_up = true
client_id = toto
client_secret = 41d1fa6a-2a5c-43a1-9b13-d798f111111e
scopes = openid profile email address phone entities
auth_url = https://website.net/auth/realms/protocol/openid-connect/auth
token_url = https://website.net/auth/realms/protocol/openid-connect/token
api_url = https://website.net/auth/realms/protocol/openid-connect/userinfo
;team_ids =
;allowed_organizations =

As of today, is it possible to define an attribute in OpenID that would be used by Grafana to set the user’s orgId?

Thanks for the help

Org id and roles cannot be defined via OAuth; you need to do that in the Grafana UI.

Thank you for the quick reply. Would it be possible to use the HTTP API to set the orgId and user’s role after it has been created? We prefer not to use the UI to create users.


Sorry to bump this, but I came across this thread as we are also looking for ways to do this. Namely, assign new users to a particular organization based on OAuth attributes.

@torkel, is this functionality something that’s on the horizon, or should we just find a work-around?

@abrilhault you can certainly set organizational memberships and roles via the API (e.g. http://docs.grafana.org/http_api/org/#add-a-new-user-to-the-current-organisation, http://docs.grafana.org/http_api/org/#updates-the-given-user).
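
As an added example (not part of the original thread and not Grafana's own code), one way to derive the organisation API calls mentioned above from ID-token claims. It uses the per-organisation form of the linked call (`POST /api/orgs/:orgId/users`); the claim names `entities` and `grafana_role`, the mapping table and the sample claims are assumptions.

```python
import json
import urllib.request

# Hypothetical allow-list: IdP entity name -> Grafana org id. Unlisted entities are ignored.
ORG_BY_ENTITY = {"team-a": 2, "team-b": 3}
# Roles that may be granted from a claim; Admin is deliberately left out.
CLAIM_ROLES = {"Viewer", "Editor"}
DEFAULT_ROLE = "Viewer"

# Constructed sample claims (assumed claim names), as decoded from a validated ID token.
SAMPLE_CLAIMS = {"email": "alice@example.com", "email_verified": True,
                 "entities": ["team-a", "unknown"], "grafana_role": "Admin"}


def plan_memberships(claims):
    """Turn validated ID-token claims into Grafana org API requests (nothing is sent)."""
    login = claims.get("email")
    if not isinstance(login, str) or claims.get("email_verified") is not True:
        raise ValueError("refusing to provision: no verified email claim")
    role = claims.get("grafana_role")
    if not isinstance(role, str) or role not in CLAIM_ROLES:
        role = DEFAULT_ROLE  # least privilege on a missing or unexpected value
    entities = claims.get("entities")
    if not isinstance(entities, list):
        entities = []
    planned = []
    for entity in entities:
        org_id = ORG_BY_ENTITY.get(entity)
        if org_id is None:
            continue  # unknown entity: never guess or create an org
        planned.append(("POST", f"/api/orgs/{org_id}/users",
                        {"loginOrEmail": login, "role": role}))
    return planned


def send(base_url, auth_header, method, path, body):
    """Send one planned request; auth_header carries a Grafana admin credential."""
    req = urllib.request.Request(
        base_url + path, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json", "Authorization": auth_header})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Call `plan_memberships` only on claims from a token whose signature, issuer and audience have already been validated, and keep the admin credential passed to `send` out of the Grafana configuration file.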

@torkel, when can we expect this feature?

Hello,

You can get roles from the Authorization server. See Link

But for the orgs, it’s more difficult because Grafana tries to get the organisation from the endpoint “userinfo/orgs” on the authorization server.