Version: 6.13.0

Grafana SSO Configuration

Prerequisites

Create Keycloak Client

Tip: If this client already exists because it was configured for another cluster, consider adding the environment name as a common prefix to the client name. For example, the client name could be my-org-run-grafana.

  1. While you are in the smoothglue realm, click on Clients under Manage in the left pane.
  2. Click Create client.
  3. Enter client name grafana for Client ID.
  4. Click on the Next button.
  5. Toggle on Client authentication.
  6. Click on the Next button.
  7. Enter https://{{ application_fqdn }}/login/generic_oauth for Valid Redirect URIs. Note: The application's FQDN may be obtained by running kubectl get virtualservice -A
  8. Click on the Save button.

Creating Client Scopes

A client scope named Grafana must be created, given a group membership mapper, and assigned to the grafana client.

  1. While you are in the smoothglue realm, click on Client Scopes.
  2. Click Create client scope.
  3. Enter Grafana for Name, and click on the Save button.
  4. Go to the Mappers tab.
  5. Click Configure a new mapper.
  6. Select Group Membership.
  7. Enter the following information:
    1. Name - Groups
    2. Token claim Name - groups
    3. Full group path - Enabled
    4. Add to ID token - Enabled
    5. Add to access token - Enabled
    6. Save
  8. Go to Clients, and click on the grafana client created above.
  9. Go to the Client Scopes tab.
  10. Click Add client scope.
  11. Enable the Grafana client scope.
  12. Click Add -> Default.

SSO Configuration

Retrieve the client_secret from the Keycloak client:

  1. As a Keycloak Admin and within the smoothglue realm, click Clients on the left-hand panel.
  2. Click on the grafana client.
  3. Click on the Credentials tab.
  4. Copy the value from the Client Secret field.

Add the following values to bigbang-secrets.yaml to configure SSO:

grafana:
  values:
    grafana.ini:
      auth.generic_oauth:
        role_attribute_strict: true
  sso:
    enabled: true
    grafana:
      client_id: grafana # should match the client name in keycloak
      client_secret: "" # change to your Grafana client secret
      scopes: "openid"
      tls_client_ca: "/etc/oidc/ca.pem"
      role_attribute_path: "contains(groups[*], '/_structsureAdmins') && 'Admin' || contains(groups[*], '/_structsureAudit') && 'Viewer'"

Because the mapper was created with Full group path enabled, the groups claim carries each group with a leading slash, which is why role_attribute_path matches '/_structsureAdmins' and '/_structsureAudit'. With role_attribute_strict set to true, a user whose groups match neither clause is refused login instead of receiving a default role.
Info: See How to Configure Big Bang Values for more information on configuring Big Bang applications.
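To see what the role_attribute_path above does to a user's login, here is an added Python example (not part of this documentation or of the Big Bang project) that mirrors the expression's JMESPath semantics over constructed ID-token claims. The group names come from the values file; the usernames, the claim samples and the DEFAULT_ORG_ROLE fallback are assumptions, and the last sample shows why the mapper's Full group path setting matters.

```python
from typing import Optional

# role_attribute_path from the values file, as Grafana evaluates it (JMESPath):
# `contains(groups[*], g) && 'Role'` yields 'Role' when g is in the groups
# list and false otherwise; `||` then falls through to the next clause.
ROLE_ATTRIBUTE_PATH = (
    "contains(groups[*], '/_structsureAdmins') && 'Admin' || "
    "contains(groups[*], '/_structsureAudit') && 'Viewer'"
)
# The same mapping as an ordered (group, role) table; first match wins.
GROUP_ROLE_MAP = [
    ("/_structsureAdmins", "Admin"),
    ("/_structsureAudit", "Viewer"),
]
DEFAULT_ORG_ROLE = "Viewer"  # assumed: Grafana's auto_assign_org_role default


def resolve_role(claims: dict) -> Optional[str]:
    """Return the role the expression selects, or None when no clause matches
    (JMESPath yields false there, which Grafana does not accept as a role)."""
    groups = claims.get("groups") or []
    for group, role in GROUP_ROLE_MAP:
        if group in groups:
            return role
    return None


def login_decision(claims: dict, role_attribute_strict: bool = True) -> str:
    """Org role Grafana assigns, or 'DENIED' when strict mode rejects the login."""
    role = resolve_role(claims)
    if role is not None:
        return role
    return "DENIED" if role_attribute_strict else DEFAULT_ORG_ROLE


# Constructed sample ID-token claims as Keycloak emits them with the
# Group Membership mapper's "Full group path" enabled (leading slash).
ADMIN_CLAIMS = {"preferred_username": "alice",
                "groups": ["/_structsureAdmins", "/_structsureAudit"]}
AUDIT_CLAIMS = {"preferred_username": "bob", "groups": ["/_structsureAudit"]}
OTHER_CLAIMS = {"preferred_username": "carol", "groups": ["/developers"]}
# Same admin user, but with "Full group path" disabled on the mapper: the
# slash is gone, nothing matches, and strict mode locks the admin out.
NO_PATH_CLAIMS = {"preferred_username": "alice", "groups": ["_structsureAdmins"]}

if __name__ == "__main__":
    for claims in (ADMIN_CLAIMS, AUDIT_CLAIMS, OTHER_CLAIMS, NO_PATH_CLAIMS):
        print(claims["preferred_username"], claims["groups"], "->",
              login_decision(claims))
```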