How can I configure Grafana to authenticate users via ITRS Analytics?

Learn how you can configure Grafana to authenticate users via ITRS Analytics.

Do the following steps after downloading the latest supported Grafana version.

Retrieve the client secret from Keycloak Copied

  1. Log in to the ITRS Analytics Keycloak instance. This is accessible via https://<external-itrs-analytics-hostname>/auth.
  2. Navigate to Obcerv realm > Clients > obcerv-apps > Credentials.
  3. Locate and copy the Client Secret. This value will be used later in the Grafana configuration.

Configure valid redirect URLs in Keycloak Copied

  1. Navigate to Obcerv realm > Clients > obcerv-apps > Settings.
  2. Add the URL of your Grafana server into the valid redirect URLs list. For example, http://localhost:3000/*.

Configure the realm roles mapper in Keycloak Copied

  1. Navigate to Obcerv realm > Clients > obcerv-apps > Client scopes > obcerv-apps-dedicated, and then create a new mapper.
  2. Select From predefined mappers, then search for and select realm roles.
  3. Click Add.
  4. In the mapper configuration, set Token Claim Name: roles by selecting the following:
    • Add to ID token
    • Add to access token
    • Add to lightweight access token
    • Add to userinfo
    • Add to token introspection
  5. Save your changes.

Edit Grafana’s conf/defaults.ini file Copied

  1. Open the conf/defaults.ini file.

  2. Set the domain to the correct fully qualified domain name (FQDN) of your Grafana server. Adjust the http_port as needed.

  3. Locate the auth.generic_oauth section and replace it with the following configuration:

    • enabled = true
    • name = ITRS Analytics
    • allow_sign_up = true
    • client_id = obcerv-apps
    • client_secret =

    Use the value from the client secret.

    • scopes = openid profile email offline_access roles

    Adding required scopes, such as “email,” enforces that all user profiles have a value for that attribute. If a user’s profile is missing the required attribute, authentication will fail.

    • email_attribute_path = email
    • login_attribute_path = username
    • name_attribute_path = full_name
    • auth_url = https://<ITRS Analytics URL>/auth/realms/obcerv/protocol/openid-connect/auth
    • token_url = https://<ITRS Analytics URL>/auth/realms/obcerv/protocol/openid-connect/token
    • api_url = https://<ITRS Analytics URL>/auth/realms/obcerv/protocol/openid-connect/userinfo
    • role_attribute_path = contains(roles[*], 'admin') && 'GrafanaAdmin' || 'Editor'

Install the ITRS Analytics Grafana Datasource app Copied

  1. Log in to Grafana using standard authentication (not ITRS Analytics) with an admin role. This initial login is required to install the data source.
  2. Navigate to Home > Connections > Add new connection.
  3. Search for ITRS, click ITRS Group Obcerv, then click the install button.
  4. Log out of Grafana.

Configure ITRS Analytics with the new data source Copied

  1. Log in to Grafana using your ITRS Analytics credentials with an admin role.
  2. Navigate to Home > Connections > Data Sources, then click Add new data source.
  3. Select ITRS Group Obcerv.
  4. In the API URL field, enter the base URL for the API. This is usually https://<ITRS Analytics URL>/obcerv-app-api-gateway
  5. Click Save & Test.
["ITRS Analytics"] ["ITRS Analytics > Grafana"] ["FAQ"]

Was this topic helpful?