SSO and how to set OrgID and Roles

We have configured the generic_auth of Grafana and OpenID Connect to authenticate our users in Grafana.

[auth.generic_oauth]
enabled = true
name = OAuth
allow_sign_up = true
client_id = toto
client_secret = 41d1fa6a-2a5c-43a1-9b13-d798f111111e
scopes = openid profile email address phone entities
auth_url = https://website.net/auth/realms/protocol/openid-connect/auth
token_url = https://website.net/auth/realms/protocol/openid-connect/token
api_url = https://website.net/auth/realms/protocol/openid-connect/userinfo
;team_ids =
;allowed_organizations =

As of today, is it possible to define an attribute in OpenId that would be used by Grafana to set the user’s orgId ?

Thanks for the help

org id and roles cannot be defined via oauth, you need to do that in the Grafana UI

Thank you for the quick reply. Would it be possible to use the HTTP API to set the orgId and user’s role after it has been created ? We prefer not to use the UI to create users .

Sorry to bump this, but I came across this thread as we are also looking for ways to this. Namely, assign new users to a particular organization based on OAuth attributes.

@torkel, is this functionality something that’s on the horizon, or should we just find a work-around?

@abrilhault you can certainly set organizational memberships and roles via the API (e.g. http://docs.grafana.org/http_api/org/#add-a-new-user-to-the-current-organisation, http://docs.grafana.org/http_api/org/#updates-the-given-user).

@torkel, When can we expect this feature ?

Hello,

You can get roles from Authorization server. see Link

But the orgs, it’s more difficult because grafana try to gets organisation from the endpoint “userinfo/orgs” on the authorization server.

HI all,

I understand that it’s not possibile assign user to particular OrgID by OAuth attributes.

But is it possible instead pre-create users (also with Grafana UI), ad assign them to a particular organization with OAuth login mode enabled?

I tried but seems that when a user login for first time after I created it inside Grafana, it is duplicated inside user list (no match on email or username).

Is this way possible ? what am I doing wrong?

Thanks for your help…

Currently it is not possible to assign a user to an organisation through OAuth login.
see this PR:23661 for completely supporting of organisations <-> role mapping

The workaround is to manually create organisations and assign users to multiple organisation with roles (Admin, Editor, Viewer).
This will work only if you delete the property role_attribute_path from grafana.ini otherwise upon OAuth login, Grafana would remove the logged-in user from other organisations except the main org with id = 1.

For this reason I would know if It’s possible assign manually users to organization BEFORE they login for first time…

@marcoboffi did you find a solution?

@marcoboffi @gtaspider Been struggling with this same thing for weeks, any suggestions?

The only thing i’m currently leaning to is to allow basic auth and using the API to create users. But man i really don’t like that solution. If there just would be a way of assigning the org, or team or anything when a user logs in for the first time

No, I switched to Grafana Cloud so we are using Team sync to overcome this problem.