Enable Grafana Single Sign-On with Keycloak
The Monitoring Portal (Grafana) can use Keycloak as an OAuth 2.0/OpenID Connect identity provider. This section describes the configuration that's required to let Grafana users sign in with Keycloak and to ensure that logout ends the SSO session.
Prerequisites

- Keycloak is enabled and working for the Manager.
- Users are available in Keycloak, either as local Keycloak users or as federated directory users.
- Keycloak groups are mapped to Grafana roles (Admin, Editor, Viewer) as required by the environment.
Configure Grafana for OAuth sign-up

For Keycloak-based SSO, Grafana must be allowed to create a local Grafana user on first sign-in. Set allow_sign_up to true.

- On the Manager host, edit /etc/grafana/grafana.ini.
- In the [auth.generic_oauth] section, set:

    ############################## Generic OAuth #######################
    [auth.generic_oauth]
    name = oVirt Engine Auth
    enabled = true
    allow_sign_up = true

- Restart Grafana:

    sudo systemctl restart grafana-server
Configure single logout (recommended)

If users aren't prompted to authenticate again after logging out, configure a sign-out redirect URL so that logout ends the Keycloak session and returns the user to Grafana.

- On the Manager host, edit /etc/grafana/grafana.ini.
- In the [auth.generic_oauth] section, add the following setting (replace fqdn with the Manager host name):

    signout_redirect_url = https://fqdn/ovirt-engine-auth/realms/ovirt-internal/protocol/openid-connect/logout?post_logout_redirect_uri=https://fqdn/ovirt-engine-grafana/

- Restart Grafana:

    sudo systemctl restart grafana-server
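The two procedures above change the same [auth.generic_oauth] section, and a missing or mistyped setting silently weakens the result (no first-login user creation, or a logout that leaves the Keycloak session alive). The following added example, not part of oVirt or Grafana, parses a grafana.ini and checks those settings; the fqdn host and the two sample configurations are constructed for illustration.

```python
"""Check a grafana.ini for the Keycloak SSO settings described above."""
import configparser
from urllib.parse import parse_qs, urlsplit

SECTION = "auth.generic_oauth"
# Keycloak end-session endpoint of the ovirt-internal realm, as given in the guide.
LOGOUT_PATH = "/ovirt-engine-auth/realms/ovirt-internal/protocol/openid-connect/logout"
GRAFANA_PATH = "/ovirt-engine-grafana/"

def check_grafana_sso(ini_text: str) -> list[str]:
    """Return findings for the [auth.generic_oauth] section; [] means it matches the guide."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                    comment_prefixes=("#", ";"))
    cfg.read_string(ini_text)
    if not cfg.has_section(SECTION):
        return [f"missing [{SECTION}] section"]
    sec, findings = cfg[SECTION], []
    if sec.get("enabled", "false").lower() != "true":
        findings.append("enabled is not true: Keycloak login is disabled")
    if sec.get("allow_sign_up", "false").lower() != "true":
        findings.append("allow_sign_up is not true: first sign-in cannot create the Grafana user")
    url = sec.get("signout_redirect_url", "")
    if not url:
        findings.append("signout_redirect_url missing: logout leaves the Keycloak session alive")
        return findings
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("signout_redirect_url is not https")
    if parts.path != LOGOUT_PATH:
        findings.append(f"signout_redirect_url does not point at {LOGOUT_PATH}")
    # post_logout_redirect_uri must bring the user back to Grafana on the same Manager host.
    back = parse_qs(parts.query).get("post_logout_redirect_uri", [""])[0]
    if not back:
        findings.append("post_logout_redirect_uri missing: user is not returned to Grafana")
    elif (urlsplit(back).netloc, urlsplit(back).path) != (parts.netloc, GRAFANA_PATH):
        findings.append("post_logout_redirect_uri does not return to Grafana on the Manager host")
    return findings

# Constructed sample inputs (not taken from a real Manager): before and after the guide's changes.
BEFORE_INI = """\
[auth.generic_oauth]
name = oVirt Engine Auth
enabled = true
allow_sign_up = false
"""
AFTER_INI = BEFORE_INI.replace("allow_sign_up = false", "allow_sign_up = true") + (
    "signout_redirect_url = https://fqdn" + LOGOUT_PATH
    + "?post_logout_redirect_uri=https://fqdn" + GRAFANA_PATH + "\n")
if __name__ == "__main__":
    for label, ini in (("before", BEFORE_INI), ("after", AFTER_INI)):
        print(label, check_grafana_sso(ini) or ["ok"])
```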
Troubleshooting
If users can't sign in and the Grafana logs show an error similar to "Error getting email address", ensure that the user has an email address populated and (if required) verified in the identity source (Active Directory/LDAP or Keycloak).
Note:
As a best practice, ensure all IAM user accounts have an associated email address.