
I have tried to implement SSO in Grafana using OAuth and PingID, which is working as expected. The access token provides the list of attributes; it shows all groups that I'm a member of. So my workaround is that only members of the group mydomain_Monitoring_Portal should be able to join SSO using Grafana.

Used data:
{
  "scope": [],
  "client_id": "xxx-xxx-xxx-xxx-xxx",
  "firstName": "myname",
  "LastName": "lastname",
  "emailAddress": "abc@gmail.com",
  "memberOf": [
    "CN=mydomain_Monitoring_Portal,OU=xyz,OU=SecurityGroup,DC=fiat,DC=com",
    "CN=Monitoring,OU=abc,OU=Secret,DC=fiat,DC=com",
    "CN=service,OU=def,OU=mount,DC=fiat,DC=com"
  ],
  "userType": "Employee",
  "userId": "nb656",
  "username": "n656",
  "exp": 167895258
}

scope: openid email profile

I had tried to implement group_attribute_path in the grafana.ini file, with no luck. All members of the other groups are also able to join:

groups_attribute_path = memberOf[?contains(@, 'mydomain_Monitoring_Portal') == `true`]

Expected: only employees who are in the group mydomain_Monitoring_Portal can join Grafana using SSO.

linuxadmin

1 Answer

Doc is your friend: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#role-mapping

You need to configure role mapping: role_attribute_path + role_attribute_strict = true, which denies user access if no role or an invalid role is returned.

Jan Garaj
  • Thanks for your reply. My OAuth provider is not returning any role attribute, so how can I implement them based on your answer? Any help would be much appreciated – linuxadmin Dec 19 '22 at 07:59
  • @linuxadmin so what's stopping you from using user group membership to determine the user role? – Jan Garaj Dec 19 '22 at 08:44
  • I have added these 2 lines in grafana.ini: role_attribute_path + role_attribute_strict = true groups_attribute_path = memberOf[?contains(@, 'mydomain_Monitoring_Portal') == `true`] – linuxadmin Dec 19 '22 at 10:02
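The role-mapping approach from the answer, written out against the memberOf claim shown in the question. This is an added example, not configuration from the question or the answer; the section name, the Editor role and the JMESPath expression are my choices, and the client_id and scopes are copied from the question for illustration. The idea is that role_attribute_path must evaluate to a Grafana role for allowed users and to nothing at all for everyone else, so that role_attribute_strict = true turns "no role" into a denied login. The groups_attribute_path expression from the question only extracts a list of group DNs; by itself it does not decide who may log in.

```ini
[auth.generic_oauth]
enabled = true
name = PingID
client_id = xxx-xxx-xxx-xxx-xxx
scopes = openid email profile

# Constructed example: filter memberOf down to DNs that mention the
# monitoring group, take the first match, and map it to the Editor role.
# For a user with no matching DN, [0] of the empty list is null, so the
# whole expression yields null instead of a role.
role_attribute_path = memberOf[?contains(@, 'mydomain_Monitoring_Portal')] | [0] && 'Editor'

# With strict mode on, a null or unrecognised role denies the login
# rather than falling back to the default Viewer role.
role_attribute_strict = true
```

With the token from the question, the filter keeps "CN=mydomain_Monitoring_Portal,OU=xyz,OU=SecurityGroup,DC=fiat,DC=com", the `&& 'Editor'` part returns Editor, and the login succeeds; a user whose memberOf lists only the Monitoring and service groups gets null and is rejected. If a different role is wanted for other groups, extend the expression with `|| ...` branches in the same style, but leave no unconditional trailing role (such as `|| 'Viewer'`) or the strict check can never trigger.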