Integration with Grafana

Interlock Configuration #

1. Log into Interlock.
2. Go to SSO Applications.
3. Create an application with the following details:
   • Name: Proxmox VE
   • Enabled: True
   • Redirect URI: https://gitlab.example.com/users/auth/openid_connect/callback
   • Response Types: code
   • Scopes: Default (openid, profile, email, groups)
4. Once the SSO Application has been created, open it’s View dialog to copy the Client ID and Client Secret.

Grafana Configuration #

1. Go to Administration → Authentication → Generic OAuth.
2. Set the following parameters:
   • Display Name: Interlock SSO
   • Client Id: your-client-id
   • Client Secret: your-client-secret
   • Auth style: AutoDetect
   • Scopes: openid groups email profile
   • OpenID Connect Discovery URL: https://interlock.example.com/openid/.well-known/openid-configuration
3. The Auth and Token URLs should automatically be fetched from the well-known configuration URL. If not then you may set the following manually:
   • Auth URL: https://interlock.example.com/openid/authorize
   • Token URL: https://interlock.example.com/openid/token
   • API URL: https://interlock.example.com/openid/userinfo

User Mapping Options #

Below are the recommended User Mapping Options:

• Name Attribute Path: profile.username
• Login Attribute Path: profile.sub
• Email Attribute Path: profile.email
• Role Attribute Path: groups.groups[*]

Extra Security Measures #

• Use PKCE: True

Note on Keeping LDAP Back-end Enabled #

If you wish to be able to use OAuth and keep your LDAP Back-end enabled in Grafana, you might want to enable the following option in /etc/grafana/grafana.ini to properly sync LDAP and OAuth Users.

[auth]
# Allow insecure email lookup
oauth_allow_insecure_email_lookup = true