Okta OAuth2 authentication
Okta authentication allows your Grafana users to log in by using an external Okta authorization server.
Before you can sign a user in, you need to create an Okta application from the Okta Developer Console.
Log in to the .
Go to Admin and then select Developer Console.
Select Applications, then Add Application.
Add the Base URI of your application, such as https://grafana.example.com.
Enter values for the Login redirect URI. Use Base URI and append it with , for example: .
Click Done to finish creating the Okta application.
Enable Okta OAuth in Grafana
- Add the following to the :
To limit access to authenticated users that are members of one or more groups, set allowed_groups to a comma- or space-separated list of Okta groups.
Grafana can attempt to do role mapping through Okta OAuth. To do this, Grafana checks for the presence of a role using the JMESPath expression specified via the role_attribute_path configuration option.
Grafana uses the JSON obtained from querying the /userinfo endpoint for the path lookup. The result of evaluating the role_attribute_path JMESPath expression must be a valid Grafana role, i.e. , Editor or Admin. Refer to for more information about roles and permissions in Grafana.
Read about how to add custom claims to the user info in Okta. Also, check Generic OAuth page for .
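The following configuration is an added example, not taken from the original page, showing allowed_groups and role_attribute_path used together. It assumes the section is named [auth.okta], that /userinfo returns a groups array claim, and that the Okta domain, client credentials and group names shown are placeholders.

```ini
# Added example: all values in angle brackets and all group names are placeholders.
[auth.okta]
enabled = true
allow_sign_up = true
client_id = <client-id>
client_secret = <client-secret>
scopes = openid profile email groups
auth_url = https://<your-okta-domain>/oauth2/v1/authorize
token_url = https://<your-okta-domain>/oauth2/v1/token
api_url = https://<your-okta-domain>/oauth2/v1/userinfo

# Login is refused unless the user belongs to at least one of these Okta groups.
allowed_groups = grafana-admins grafana-editors grafana-viewers

# Evaluated against the /userinfo JSON. The first matching branch wins and
# the result must be a valid Grafana role.
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || contains(groups[*], 'grafana-editors') && 'Editor' || 'Viewer'
```

Because the expression falls back to a role for every user who authenticates, allowed_groups is the setting that keeps users outside the listed groups from logging in at all.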
Map your Okta groups to teams in Grafana so that your users will automatically be added to the correct teams.
Okta groups can be referenced by group name, like .