Integration with Grafana
Interlock Configuration
- Log into Interlock.
- Go to SSO Applications.
- Create an application with the following details:
  - Name: Proxmox VE
  - Enabled: True
  - Redirect URI: https://gitlab.example.com/users/auth/openid_connect/callback
  - Response Types: code
  - Scopes: Default (openid, profile, email, groups)
- Once the SSO Application has been created, open its View dialog to copy the Client ID and Client Secret.
Grafana Configuration
- Go to Administration → Authentication → Generic OAuth.
- Set the following parameters:
  - Display Name: Interlock SSO
  - Client Id: your-client-id
  - Client Secret: your-client-secret
  - Auth style: AutoDetect
  - Scopes: openid groups email profile
  - OpenID Connect Discovery URL: https://interlock.example.com/openid/.well-known/openid-configuration
- The Auth and Token URLs should be fetched automatically from the well-known configuration URL. If they are not, you may set the following manually:
  - Auth URL: https://interlock.example.com/openid/authorize
  - Token URL: https://interlock.example.com/openid/token
  - API URL: https://interlock.example.com/openid/userinfo
User Mapping Options
Below are the recommended User Mapping Options:
- Name Attribute Path: profile.username
- Login Attribute Path: profile.sub
- Email Attribute Path: profile.email
- Role Attribute Path: groups.groups[*]
Extra Security Measures
- Use PKCE: True
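One way to check the discovery document against the values entered above before relying on the auto-fetched endpoints and PKCE (an added example, not part of the Interlock or Grafana documentation). The sample document is constructed, and it is an assumption that Interlock advertises the standard `scopes_supported` and `code_challenge_methods_supported` metadata fields.

```python
import json
from urllib.parse import urlsplit

# Values from the Grafana settings on this page.
BASE = "https://interlock.example.com/openid"
EXPECTED = {
    "authorization_endpoint": f"{BASE}/authorize",
    "token_endpoint": f"{BASE}/token",
    "userinfo_endpoint": f"{BASE}/userinfo",
}
SCOPES = {"openid", "groups", "email", "profile"}

# Constructed sample document, not captured from a real Interlock server.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": BASE,
    **EXPECTED,
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "code_challenge_methods_supported": ["S256"],
})


def check_discovery(raw, expected=EXPECTED, scopes=SCOPES):
    """Return a list of problems; an empty list means the document
    agrees with the settings entered in Grafana."""
    doc = json.loads(raw)
    host = urlsplit(BASE).hostname
    problems = []
    for key, want in expected.items():
        got = doc.get(key)
        if not got:
            problems.append(f"{key}: missing")
            continue
        url = urlsplit(got)
        if url.scheme != "https" or url.hostname != host:
            problems.append(f"{key}: {got} is not HTTPS on {host}")
        elif got != want:
            problems.append(f"{key}: {got} differs from manual value {want}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    missing = scopes - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE method S256 not advertised")
    return problems


if __name__ == "__main__":
    for line in check_discovery(SAMPLE_DISCOVERY) or ["discovery document OK"]:
        print(line)
```

To run it against a live server, pass the body of the OpenID Connect Discovery URL to `check_discovery` in place of the constructed sample.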
Note on Keeping LDAP Back-end Enabled
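If you want to use OAuth while keeping your LDAP Back-end enabled in Grafana, you might want to enable the following option in /etc/grafana/grafana.ini to properly sync LDAP and OAuth Users. With this option set, Grafana links an OAuth login to an existing user by email address, so enable it only if users cannot change the email claim that Interlock issues for them.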
[auth]
# Allow insecure email lookup
oauth_allow_insecure_email_lookup = true