Authentik + Grafana: Add Single Sign-On to Your Dashboards
The first time someone leaves your team, you remember every place they had a login. Grafana is always one of them, and it's always the one nobody disabled. Local Grafana accounts are fine for a homelab of one, but the moment two or more people share dashboards, you want one identity provider deciding who gets in and who's an admin. That's what wiring Authentik into Grafana buys you: one login, central control, and a clean off-boarding story.
This guide sets up Authentik as the OpenID Connect provider for Grafana, maps Authentik groups to Grafana roles, and closes the default door everyone forgets to lock.
What you'll need
- A running Authentik instance and a running Grafana instance. Both are available fully managed on Elestio, each with SSL already terminated, which OAuth requires.
- Admin access to both.
- Five minutes.
A quick note on URLs: everything below assumes HTTPS. OAuth redirects over plain HTTP will fail, and Grafana's own root_url has to match the address users actually visit.
Step 1: Create the provider and application in Authentik
In the Authentik admin interface, go to Applications > Providers and create a new OAuth2/OpenID Connect provider. Set:
- Authorization flow: your default "authorize application" flow (implicit consent is fine for an internal tool).
- Client type: Confidential.
- Redirect URIs:
https://grafana.example.com/login/generic_oauth
Authentik generates a Client ID and Client Secret. Copy both; you'll need them in a moment.
Now go to Applications > Applications, create an application named "Grafana", and bind it to the provider you just made. The application is also what controls who can see Grafana in the Authentik dashboard, so bind it to the right users or groups here.
Step 2: Make sure the groups claim is sent
Role mapping depends on Grafana seeing the user's groups. In your provider, open Advanced protocol settings > Scopes and make sure the scope mappings include the default openid, email and profile mappings plus the groups scope. Without a groups claim in the token, every user lands as a Viewer and your admin mapping silently does nothing.
Then create the groups themselves under Directory > Groups: make a Grafana Admins and a Grafana Editors group and add the right people. Everyone else falls through to Viewer.
Step 3: Configure Grafana
Grafana reads OAuth settings from its configuration. On a managed instance you set these as environment variables, which map one-to-one onto the config file keys. Here's the full block in grafana.ini form:
[server]
root_url = https://grafana.example.com/
[auth.generic_oauth]
enabled = true
name = Authentik
client_id = YOUR_CLIENT_ID
client_secret = YOUR_CLIENT_SECRET
scopes = openid email profile groups
auth_url = https://authentik.example.com/application/o/authorize/
token_url = https://authentik.example.com/application/o/token/
api_url = https://authentik.example.com/application/o/userinfo/
# Map Authentik groups to Grafana roles
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
allow_assign_grafana_admin = true
The role_attribute_path line is the important one. It's a JMESPath expression evaluated against the claims Grafana receives for the user (from the ID token or the userinfo endpoint): if the user is in Grafana Admins they become an Admin, else if they're in Grafana Editors they become an Editor, otherwise they get Viewer. No group, no elevated access.
If you set these as environment variables instead of editing the file, the equivalents are GF_AUTH_GENERIC_OAUTH_ENABLED, GF_AUTH_GENERIC_OAUTH_CLIENT_ID, and so on, with the section and key uppercased and joined by underscores.
Restart Grafana, and a "Sign in with Authentik" button appears on the login page.
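To see what the mapping above actually does before you restart Grafana, here is an added example (written for this post, not code from Grafana or Authentik) that mirrors the role_attribute_path rule in Python and translates a grafana.ini fragment into the GF_* environment-variable names. The claims and the ini fragment it runs on are constructed samples; the real expression is evaluated by Grafana's JMESPath engine, and this only reproduces its logic for the expression shown above.

```python
"""Added example: Python rendering of the role_attribute_path rule and the
ini-key -> GF_* naming from the grafana.ini block above. Illustrative code
for this post, not Grafana's or Authentik's implementation."""

import configparser

# Groups named in the JMESPath expression, in the order it tests them.
ROLE_BY_GROUP = [("Grafana Admins", "Admin"), ("Grafana Editors", "Editor")]
FALLBACK_ROLE = "Viewer"


def map_role(claims: dict) -> str:
    """Mirror of:
    contains(groups[*], 'Grafana Admins') && 'Admin'
      || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'

    JMESPath binds && tighter than ||, so the expression reads
    (admin-check && 'Admin') || (editor-check && 'Editor') || 'Viewer':
    the first group that is present wins and 'Viewer' is the fallback.
    A missing or malformed groups claim is treated like an empty list here,
    which reproduces the failure mode from the post: nobody gets elevated.
    """
    groups = claims.get("groups")
    if not isinstance(groups, list):
        groups = []
    for group, role in ROLE_BY_GROUP:
        if group in groups:  # exact match: case, spaces and hyphens all count
            return role
    return FALLBACK_ROLE


def ini_to_env(section: str, key: str) -> str:
    """Grafana's naming rule: GF_<SECTION>_<KEY>, uppercased, '.' -> '_'."""
    return "GF_" + section.upper().replace(".", "_") + "_" + key.upper()


def ini_to_env_lines(ini_text: str) -> list:
    """Translate a grafana.ini fragment into environment-variable assignments."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    lines = []
    for section in parser.sections():
        for key, value in parser.items(section):
            lines.append(f"{ini_to_env(section, key)}={value}")
    return lines


# Constructed sample: a trimmed copy of the grafana.ini block from the post.
SAMPLE_INI = """
[server]
root_url = https://grafana.example.com/

[auth.generic_oauth]
enabled = true
name = Authentik
client_id = YOUR_CLIENT_ID
scopes = openid email profile groups
# Map Authentik groups to Grafana roles
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
"""

if __name__ == "__main__":
    for claims in ({"groups": ["Grafana Admins", "Grafana Editors"]},
                   {"groups": ["Grafana Editors"]},
                   {"groups": ["grafana-admins"]},   # looks right, maps to Viewer
                   {}):                              # claim missing entirely
        print(claims.get("groups"), "->", map_role(claims))
    print("\n".join(ini_to_env_lines(SAMPLE_INI)))
```

Run it as a script to see the four sample users mapped (a user in both groups gets Admin, a user in grafana-admins with a hyphen gets Viewer) and the ini fragment rewritten as GF_SERVER_ROOT_URL, GF_AUTH_GENERIC_OAUTH_ENABLED and friends.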
Step 4: Lock the front door
This is the step people skip, and it's the whole point of doing SSO. By default Grafana still allows local logins and, on some setups, anonymous access. Once Authentik works, shut the rest off:
[auth]
disable_login_form = true
[auth.anonymous]
enabled = false
[auth.basic]
enabled = false
Keep one break-glass local admin account noted somewhere safe before you disable the login form, in case Authentik is ever unreachable. If that happens, you can temporarily set disable_login_form = false and restart Grafana to get the local login back, so make sure you still have console or environment access to your instance.
Troubleshooting
Everyone logs in as Viewer, even admins. The groups claim isn't reaching Grafana. Confirm the groups scope is in both the Authentik provider's scope mappings and Grafana's scopes line, then call the userinfo endpoint with the user's access token (or decode the ID token) and verify that the group names match exactly. Grafana Admins and grafana-admins are not the same string.
"login.OAuthLogin(missing saved state)" or redirect mismatch. The redirect URI in Authentik doesn't exactly match root_url + /login/generic_oauth. Trailing slashes and http-vs-https both count.
Login works but Grafana shows a blank page or wrong links. Your root_url doesn't match the real address. Set it to the exact public URL users type, including https.
Role doesn't update when I change someone's group. Grafana maps roles at login. Have the user log out and back in, and confirm role_attribute_path isn't overridden by a leftover auto_assign_org_role setting.
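The first two problems above are string mismatches, and both can be checked offline. The added example below (written for this post, not a Grafana or Authentik tool) compares the redirect URIs registered in Authentik against what Grafana derives from root_url, and inspects a userinfo response for a groups claim that is missing or that only nearly matches the names in role_attribute_path. The userinfo document and URIs it runs on are constructed samples.

```python
"""Added example for the troubleshooting section: offline checks for a
redirect URI that does not match root_url + /login/generic_oauth and for a
groups claim whose names do not match role_attribute_path exactly.
Illustrative code for this post, not Grafana's or Authentik's own."""

import re
from urllib.parse import urlsplit

GRAFANA_CALLBACK_PATH = "/login/generic_oauth"


def expected_redirect_uri(root_url: str) -> str:
    """Grafana builds its callback from root_url; this is the one value
    Authentik should have registered (trailing slash normalised away)."""
    return root_url.rstrip("/") + GRAFANA_CALLBACK_PATH


def check_redirect(root_url: str, registered_uris: list) -> list:
    """Return human-readable findings; an empty list means the redirect is fine."""
    findings = []
    scheme = urlsplit(root_url).scheme
    if scheme != "https":
        findings.append(f"root_url uses {scheme or 'no scheme'}; OAuth redirects need https")
    wanted = expected_redirect_uri(root_url)
    if wanted in registered_uris:
        return findings
    for uri in registered_uris:
        # Same URI apart from scheme or trailing slash: name the exact difference.
        if uri.rstrip("/").replace("http://", "https://", 1) == wanted:
            findings.append(f"registered {uri!r} differs from {wanted!r} only by scheme or trailing slash")
            break
    else:
        findings.append(f"no registered redirect URI equals {wanted!r}")
    return findings


def _canon(name: str) -> str:
    """Fold case and drop spaces/punctuation so near-misses can be spotted."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def check_groups_claim(userinfo: dict, expected_groups: list) -> list:
    """Findings about the groups claim for one user; empty list means no problem."""
    groups = userinfo.get("groups")
    if groups is None:
        return ["userinfo has no groups claim: check the Authentik scope mappings and Grafana's scopes line"]
    if not isinstance(groups, list):
        return [f"groups claim is {type(groups).__name__}, not a list: {groups!r}"]
    findings = []
    near_misses = []
    for wanted in expected_groups:
        if wanted in groups:
            continue
        for got in groups:
            if _canon(got) == _canon(wanted):
                near_misses.append((got, wanted))
    for got, wanted in near_misses:
        findings.append(f"{wanted!r} not present, but {got!r} is: Grafana compares the exact string")
    if not near_misses and not any(w in groups for w in expected_groups):
        findings.append("user is in none of the mapped groups; Grafana will assign Viewer")
    return findings


# Constructed sample of what the userinfo endpoint might return for one user.
SAMPLE_USERINFO = {
    "sub": "constructed-user-id",
    "email": "dana@example.com",
    "groups": ["grafana-admins", "authentik Admins"],
}
MAPPED_GROUPS = ["Grafana Admins", "Grafana Editors"]  # names used in role_attribute_path

if __name__ == "__main__":
    for finding in check_redirect("https://grafana.example.com/",
                                  ["http://grafana.example.com/login/generic_oauth"]):
        print("redirect:", finding)
    for finding in check_groups_claim(SAMPLE_USERINFO, MAPPED_GROUPS):
        print("groups:", finding)
```

Run as a script it reports the http-vs-https redirect mismatch and the grafana-admins versus Grafana Admins near-miss; feed it the JSON you get back from the userinfo endpoint to check a real user.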
You're done
One identity provider now decides who reaches your dashboards and what they can do once they're in. When someone leaves, you remove them in Authentik and Grafana access disappears with everything else, no orphaned local account waiting to be forgotten.
Both pieces run fully managed on Elestio with automatic SSL, backups, and updates, so the integration above is the only part you have to think about. Deploy Authentik and Grafana and you can have SSO working before your coffee's cold.
Thanks for reading ❤️ See you in the next one 👋