Skip to content

Grafana

Last reviewed: 4 months ago

This guide covers how to configure Grafana as an OIDC application in Cloudflare Zero Trust.

Prerequisites

  • An identity provider configured in Cloudflare Zero Trust
  • Admin access to a Grafana account

1. Add a SaaS application to Cloudflare Zero Trust

  1. In Zero Trust, go to Access > Applications.
  2. Select SaaS.
  3. For Application, select Grafana.
  4. For the authentication protocol, select OIDC.
  5. Select Add application.
  6. In Scopes, select the attributes that you want Access to send in the ID token.
  7. In Redirect URLs, enter https://<your-grafana-domain>/login/generic_oauth.
  8. (Optional) Enable Proof of Key Exchange (PKCE) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
  9. Copy the Client secret, Client ID, Token endpoint, and Authorization endpoint.
  10. Select Save configuration.
  11. (Optional) configure App Launcher settings by turning on Enable App in App Launcher and, in App Launcher URL, entering https://<your-grafana-domain>/login.
  12. Configure Access policies for the application.
  13. Select Done.

2. Add a SSO provider to Grafana

  1. In Grafana, select the menu icon > Administration > Authentication > Generic OAuth.
  2. (Optional) For Display name, enter a new display name (for example, Cloudflare Access). Users will select Sign in with (display name) when signing in via SSO.
  3. Fill in the following fields:
    • Client Id: Client ID from application configuration in Cloudflare Zero Trust
    • Client secret: Client secret from application configuration in Cloudflare Zero Trust
    • Scopes: Delete user:email and enter the scopes configured in Cloudflare Zero Trust
    • Auth URL: Authorization endpoint from application configuration in Cloudflare Zero Trust
    • Token URL: Token endpoint from application configuration in Cloudflare Zero Trust
  4. Select Save.

3. Test the integration

Log out, then select Sign in with (display name). You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.