Grafana
  Last reviewed:  8 months ago  
 This guide covers how to configure Grafana ↗ as an OIDC application in Cloudflare Zero Trust.
- An identity provider configured in Cloudflare Zero Trust
- Admin access to a Grafana account
- In Zero Trust ↗, go to Access > Applications.
- Select SaaS.
- For Application, select Grafana.
- For the authentication protocol, select OIDC.
- Select Add application.
- In Scopes, select the attributes that you want Access to send in the ID token.
- In Redirect URLs, enter https://<your-grafana-domain>/login/generic_oauth.
- (Optional) Enable Proof of Key Exchange (PKCE) ↗ if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
- Copy the Client secret, Client ID, Token endpoint, and Authorization endpoint.
- Configure Access policies for the application.
- (Optional) In Experience settings, configure App Launcher settings by turning on Enable App in App Launcher and, in App Launcher URL, entering https://<your-grafana-domain>/login.
- Save the application.
- In Grafana, select the menu icon > Administration > Authentication > Generic OAuth.
- (Optional) For Display name, enter a new display name (for example, Cloudflare Access). Users will select Sign in with (display name) when signing in via SSO.
- Fill in the following fields:
- Client Id: Client ID from application configuration in Cloudflare Zero Trust
- Client secret: Client secret from application configuration in Cloudflare Zero Trust
- Scopes: Delete user:emailand enter the scopes configured in Cloudflare Zero Trust
- Auth URL: Authorization endpoint from application configuration in Cloudflare Zero Trust
- Token URL: Token endpoint from application configuration in Cloudflare Zero Trust
 
- Select Save.
Log out, then select Sign in with (display name). You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.