SSO Grafana with AzureAD Authentication not working

I’m trying to set up Grafana with SSO authentication using client certificates. I have generated the necessary certificates and uploaded them to Azure KeyVault, but I’m unsure how to configure Grafana to use client certificate authentication instead of client ID and client secret.

[auth.azuread]
enabled = true
name = Azure AD
allow_sign_up = true
# client_id will be fetched via KeyVault
client_id = YOUR_AZURE_CLIENT_ID
# client_secret will be fetched via KeyVault
client_secret = YOUR_AZURE_CLIENT_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/org_id/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/org_id/oauth2/v2.0/token
api_url = https://graph.microsoft.com/v1.0/me
allowed_domains = example.com
role_attribute_strict = false
allow_assign_grafana_admin = false
skip_org_role_sync = false
use_pkce = true
allowed_organizations = org_id

Specifically, I’m looking for guidance on the following points:

  1. How do I configure Grafana to use client certificate authentication for Azure AD instead of client_id and client_secret?
  2. What settings should I specify in the [auth] section of the grafana.ini configuration file?
  3. Are there any specific Azure AD settings I need to adjust to accept client certificate authentication requests from Grafana?
  4. Are there any additional considerations or best practices I should be aware of when setting up client certificate authentication with Grafana and Azure AD?