Integration with Grafana

Interlock Configuration

  1. Log into Interlock.
  2. Go to SSO Applications.
  3. Create an application with the following details:
    • Name: Proxmox VE
    • Enabled: True
    • Redirect URI: https://gitlab.example.com/users/auth/openid_connect/callback
    • Response Types: code
    • Scopes: Default (openid, profile, email, groups)
  4. Once the SSO Application has been created, open its View dialog to copy the Client ID and Client Secret.

Grafana Configuration

  1. Go to Administration → Authentication → Generic OAuth.
  2. Set the following parameters:
    • Display Name: Interlock SSO
    • Client Id: your-client-id
    • Client Secret: your-client-secret
    • Auth style: AutoDetect
    • Scopes: openid groups email profile
    • OpenID Connect Discovery URL: https://interlock.example.com/openid/.well-known/openid-configuration
  3. The Auth and Token URLs should be fetched automatically from the well-known configuration URL. If they are not, set the following manually:
    • Auth URL: https://interlock.example.com/openid/authorize
    • Token URL: https://interlock.example.com/openid/token
    • API URL: https://interlock.example.com/openid/userinfo

User Mapping Options

Below are the recommended User Mapping Options:

  • Name Attribute Path: profile.username
  • Login Attribute Path: profile.sub
  • Email Attribute Path: profile.email
  • Role Attribute Path: groups.groups[*]

Extra Security Measures

  • Use PKCE: True
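
As an added example (not part of the Interlock or Grafana documentation), this Python check compares an OpenID discovery document with the settings above: the manual endpoint URLs, the code response type, the four scopes and the S256 challenge method that Grafana's PKCE option sends. The sample documents are constructed, and it is an assumption that Interlock advertises scopes_supported and code_challenge_methods_supported, since both fields are optional in discovery metadata.

```python
from urllib.parse import urlparse

DISCOVERY_URL = "https://interlock.example.com/openid/.well-known/openid-configuration"
# Manual fallback URLs and scopes as listed in the Grafana settings above.
DOCUMENTED = {
    "authorization_endpoint": "https://interlock.example.com/openid/authorize",
    "token_endpoint": "https://interlock.example.com/openid/token",
    "userinfo_endpoint": "https://interlock.example.com/openid/userinfo",
}
SCOPES = {"openid", "groups", "email", "profile"}


def check_discovery(doc, discovery_url=DISCOVERY_URL):
    """Return a list of problems found in an OIDC discovery document."""
    problems = []
    idp_host = urlparse(discovery_url).hostname
    for key, documented in DOCUMENTED.items():
        value = doc.get(key)
        if not value:
            problems.append(f"{key}: missing")
            continue
        url = urlparse(value)
        if url.scheme != "https":
            problems.append(f"{key}: not served over https")
        if url.hostname != idp_host:
            problems.append(f"{key}: host differs from the discovery URL")
        elif value != documented:
            problems.append(f"{key}: differs from the documented manual URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    missing = SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + " ".join(sorted(missing)))
    # Grafana's Use PKCE option sends an S256 challenge.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE method S256 not advertised")
    return problems


# Constructed sample documents (not captured from a real Interlock server).
GOOD = dict(DOCUMENTED, issuer="https://interlock.example.com/openid",
            response_types_supported=["code"],
            scopes_supported=["openid", "profile", "email", "groups"],
            code_challenge_methods_supported=["S256"])
BAD = dict(GOOD, token_endpoint="http://interlock.example.com/openid/token",
           scopes_supported=["openid", "profile", "email"],
           code_challenge_methods_supported=["plain"])

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, check_discovery(doc) or "ok")
```

To check a live server, parse the JSON returned by the discovery URL and pass the resulting dictionary to check_discovery.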

Note on Keeping LDAP Back-end Enabled

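If you want to use OAuth while keeping the LDAP back-end enabled in Grafana, you may want to enable the following option in /etc/grafana/grafana.ini so that LDAP and OAuth users are synced properly. With this option Grafana matches an OAuth login to an existing user by email address, so enable it only if the email addresses Interlock reports can be trusted.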

[auth]
# Allow insecure email lookup
oauth_allow_insecure_email_lookup = true