This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.
Configure Okta OAuth2 authentication
Only available in Grafana v7.0+
The Okta authentication allows your Grafana users to log in by using an external Okta authorization server.
Create an Okta application
Before you can sign a user in, you need to create an Okta application from the Okta Developer Console.
Log in to the Okta portal.
Go to Admin and then select Developer Console.
Select Applications, then Add Application.
Pick Web as the platform.
Enter a name for your application (or leave the default value).
Add the Base URI of your application, such as https://grafana.example.com.
Enter values for the Login redirect URI. Use Base URI and append it with
/login/okta, for example: https://grafana.example.com/login/okta.
Click Done to finish creating the Okta application.
Enable Okta OAuth in Grafana
- Add the following to the Grafana configuration file:
[auth.okta] name = Okta icon = okta enabled = true allow_sign_up = true client_id = some_id client_secret = some_secret scopes = openid profile email groups auth_url = https://<tenant-id>.okta.com/oauth2/v1/authorize token_url = https://<tenant-id>.okta.com/oauth2/v1/token api_url = https://<tenant-id>.okta.com/oauth2/v1/userinfo allowed_domains = allowed_groups = role_attribute_path =
Configure allowed groups and domains
To limit access to authenticated users that are members of one or more groups, set
to a comma- or space-separated list of Okta groups.
allowed_groups = Developers, Admins
allowed_domains option limits access to the users belonging to the specific domains. Domains should be separated by space or comma.
allowed_domains = mycompany.com mycompany.org
Grafana can attempt to do role mapping through Okta OAuth. In order to achieve this, Grafana checks for the presence of a role using the JMESPath specified via the
role_attribute_path configuration option.
Grafana uses JSON obtained from querying the
/userinfo endpoint for the path lookup. The result after evaluating the
role_attribute_path JMESPath expression needs to be a valid Grafana role, i.e.
Admin. For more information about roles and permissions in Grafana, refer to Roles and permissions.
Team Sync (Enterprise only)
Map your Okta groups to teams in Grafana so that your users will automatically be added to the correct teams.
Okta groups can be referenced by group name, like
Related Grafana resources
Unify your data with Grafana plugins: Splunk, MongoDB, Datadog, and more
Show how Grafana can be used to take data from multiple different sources and unify it, without disrupting the investments that are working today.
Getting started with Grafana Enterprise and observability
Join the Grafana Labs team for a 30-minute demo of how to get started with the Grafana Stack, so you can go from zero to observability in just a few minutes.