Sign In to Grafana with WSO2 Identity Server using OAuth2
Hi guys, hope all are safe. Today we are going to discuss an integration story: WSO2 Identity Server with Grafana.
WSO2 Identity Server is a fully open source Identity and Access Management solution, available free on GitHub. WSO2 Identity Server was also recognized as an Overall Leader in the KuppingerCole Leadership Compass 2020 and as a Strong Performer in the Forrester Wave™, 2020 Q4. You can get more information from the WSO2 Identity Server official web page.
Grafana is also an open source solution, used for analytics and monitoring of systems. Grafana connects to a wide range of data sources such as Graphite, Prometheus, Elasticsearch, MySQL, PostgreSQL, etc. You can find more on Grafana from [1] and [2] in the resources below.
Ok. Let's start building.
For this integration I am using the latest WSO2 Identity Server version, 5.12.0 M32 (as of today), and Grafana 7.5.7.
Start WSO2 Identity Server, log in to the Management Console with the admin credentials and configure a service provider as below.
Go to Identity -> Service Providers -> Add, give the service provider a name and click Register. Refer to the screenshot below for more information.
After registering the service provider you will be redirected to the page below. There, go to Inbound Authentication Configuration -> OAuth/OpenID Connect Configuration and click Configure.
Now you will be redirected to the OAuth2 configuration page. Add the following URL as the Callback Url and click Update.
After that you need to do the Claim Configuration for this service provider. Go to Claim Configuration in the created service provider and configure the claims as in the screenshot below. In brief, the emailaddress claim is needed to get the email address of the user, the groups claim is needed to determine the user's role, and the givenname claim is needed to get the first name of the user. After completing the configuration, click Update.
Now you have successfully created the service provider for Grafana, and you have a Client Key and a Client Secret. You will need them for the Grafana configuration.
Since we need the groups claim, we have to add it to an OIDC scope so that it is returned in the id_token. For this scenario we are using the openid, email and profile scopes to get the details (details are mentioned below), and the groups claim fits best in the profile scope. Go to OIDC Scopes -> List and click Add Claims for the profile scope, then add the groups claim to the scope. You can refer to the screenshots below.
Now we need some users and roles in WSO2 Identity Server in order to log in to Grafana. Grafana's organization roles are Admin, Editor and Viewer, so these roles need to be derived from WSO2 Identity Server. Since WSO2 Identity Server already has its own admin roles to manage, I created grafanaadmin (Admin in Grafana) and grafanaeditor (Editor in Grafana) by referring to this. The choice of these names is totally up to you, but you will need them in the Grafana configuration. ;-)
Now you need to create users in WSO2 Identity Server by following Configuring Users and assign the roles created above by referring to Assigning Roles. To keep things simple I created three (03) users and assigned the grafanaadmin and grafanaeditor roles to two of them.
Now let's configure the Grafana server. Here we need to create a custom configuration file to keep the OAuth2 related configuration on the Grafana side. This custom file, called custom.ini, needs to be created in the following location.
<GRAFANA_HOME>/conf/custom.ini
Now you need to add the following configuration to the created custom.ini file. For more information about these settings you can refer to this.
Save the file and start the Grafana server. Now you have successfully done the integration.
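As an added example that is not part of the original post (nor Grafana's or WSO2's own code), here is a small Python helper that renders the [auth.generic_oauth] section of custom.ini for this setup and checks the groups-to-role mapping offline against constructed userinfo responses. It assumes WSO2 Identity Server on https://localhost:9443 with its /oauth2/authorize, /oauth2/token and /oauth2/userinfo endpoints, the emailaddress, givenname and groups claims exposed under the OIDC names email, given_name and groups, Grafana on http://localhost:3000, and the grafanaadmin and grafanaeditor role names from above; the Client Key and Client Secret are placeholders to replace with the values from your service provider.

```python
# Added example, not from the original post or from Grafana/WSO2.
# ASSUMPTIONS: WSO2 IS at https://localhost:9443 with its standard /oauth2/*
# endpoints, claims exposed as email / given_name / groups, Grafana at
# http://localhost:3000. Client key/secret below are placeholders.
import configparser
import io

WSO2_BASE = "https://localhost:9443"          # assumed WSO2 IS base URL
GRAFANA_ROOT_URL = "http://localhost:3000"    # assumed Grafana root URL
CLIENT_ID = "REPLACE_WITH_CLIENT_KEY"         # placeholder: Client Key from the SP page
CLIENT_SECRET = "REPLACE_WITH_CLIENT_SECRET"  # placeholder: Client Secret from the SP page

# Grafana's generic OAuth callback path; this value must be the Callback Url
# configured on the WSO2 service provider.
CALLBACK_URL = f"{GRAFANA_ROOT_URL}/login/generic_oauth"

# First match wins; a user in neither group falls back to Viewer.
ROLE_BY_GROUP = (("grafanaadmin", "Admin"), ("grafanaeditor", "Editor"))

# The same mapping as JMESPath, which Grafana evaluates against the
# id_token / userinfo JSON. It expects groups to be a JSON array.
ROLE_ATTRIBUTE_PATH = (
    "contains(groups[*], 'grafanaadmin') && 'Admin' || "
    "contains(groups[*], 'grafanaeditor') && 'Editor' || 'Viewer'"
)


def generic_oauth_section():
    """Key/value pairs for [auth.generic_oauth] in custom.ini."""
    return {
        "enabled": "true",
        "name": "WSO2 Identity Server",    # label on the 'Sign in with ...' button
        "allow_sign_up": "true",           # create the Grafana user on first login
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scopes": "openid email profile",  # profile carries the groups claim
        "auth_url": f"{WSO2_BASE}/oauth2/authorize",
        "token_url": f"{WSO2_BASE}/oauth2/token",
        "api_url": f"{WSO2_BASE}/oauth2/userinfo",
        "role_attribute_path": ROLE_ATTRIBUTE_PATH,
        # Only for the self-signed certificate of a local WSO2 IS; drop it in production.
        "tls_skip_verify_insecure": "true",
    }


def render_custom_ini():
    """Return the full custom.ini text."""
    # interpolation=None: a client secret containing '%' must be written verbatim.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep Grafana's key names exactly as given
    cfg["server"] = {"root_url": GRAFANA_ROOT_URL}
    cfg["auth.generic_oauth"] = generic_oauth_section()
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def write_custom_ini(path):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_custom_ini())


def normalize_groups(userinfo):
    """Return the groups claim as a list of names.

    Depending on version and configuration, WSO2 IS may return a multi-valued
    claim as a JSON array or as one separated string (comma assumed here). In
    the string case the JMESPath above would have to become
    contains(groups, 'grafanaadmin'), so normalising makes the difference visible."""
    raw = userinfo.get("groups")
    if raw is None:
        return []
    if isinstance(raw, str):
        return [g.strip() for g in raw.split(",") if g.strip()]
    return [str(g) for g in raw]


def resolve_role(userinfo):
    """Plain-Python mirror of ROLE_ATTRIBUTE_PATH."""
    groups = normalize_groups(userinfo)
    for group, role in ROLE_BY_GROUP:
        if group in groups:
            return role
    return "Viewer"


# Constructed userinfo responses standing in for what /oauth2/userinfo returns.
SAMPLE_USERINFO = {
    "admingrafana": {"sub": "admingrafana", "email": "admingrafana@example.com",
                     "given_name": "Admin", "groups": ["Internal/everyone", "grafanaadmin"]},
    "tom": {"sub": "tom", "email": "tom@example.com",
            "given_name": "Tom", "groups": "Internal/everyone,grafanaeditor"},
    "alice": {"sub": "alice", "email": "alice@example.com",
              "given_name": "Alice", "groups": ["Internal/everyone"]},
    "bob": {"sub": "bob", "email": "bob@example.com", "given_name": "Bob"},  # no groups claim
}

if __name__ == "__main__":
    write_custom_ini("custom.ini")
    for user, info in SAMPLE_USERINFO.items():
        print(f"{user:>13}: {resolve_role(info)}")
```

Run it once to produce custom.ini next to the script and copy the file to <GRAFANA_HOME>/conf/. The mapping is written in two forms on purpose: Grafana evaluates the JMESPath in role_attribute_path, while resolve_role() lets you check the same logic against a real userinfo response before restarting Grafana. A user with no matching group always lands as Viewer, and tls_skip_verify_insecure belongs only on a local WSO2 IS with its self-signed certificate.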
Now let’s do the T E S T I N G . . . . . ! ! ! !
Load the login page by opening http://localhost:3000/login in the browser. You will see the following Grafana login page, which displays the Sign in with WSO2 Identity Server option.
Click the Sign in with WSO2 Identity Server button and you will be redirected to the WSO2 Identity Server authentication endpoint as below.
Now you can enter the credentials of the created users and test. I will enter the credentials of the admin user I created for the Grafana login and click Continue. Now you will be redirected to the consent page for the Grafana SP.
I will tick Select All and click Allow. Then I was redirected to the Grafana Home page as below. You can see that Grafana allowed this user to use the Admin functionalities from the left side pane.
You can go to the user profile in Grafana and see the content like below. My admingrafana user details in WSO2 Identity Server are as below.
As you can see, all my required user details are available on the Grafana side. Now I will sign out and see what happens. I was redirected to the logout consent page of WSO2 Identity Server, and when I clicked Yes, I was logged out from Grafana.
For reference I will now log in as tom, whose role is grafanaeditor.
Tadaaaaa….…...
Now you can log in as a normal user and see what role the user gets and which operations the user can do in Grafana. :-)
That's all for today. Hope this will help you guys with your work. StayHome, StaySafe guys.
hasta la vista….....!!!!!
Resources