Grafana Cloud
Last reviewed: 3 months ago
This guide covers how to configure Grafana Cloud ↗ as an OIDC application in Cloudflare Zero Trust.
- An identity provider configured in Cloudflare Zero Trust
- Admin access to a Grafana Cloud account
- In Zero Trust ↗, go to Access > Applications.
- Select SaaS.
- For Application, enter
Grafana Cloud
and select the corresponding textbox that appears. - For the authentication protocol, select OIDC.
- Select Add application.
- In Scopes, select the attributes that you want Access to send in the ID token.
- In Redirect URLs, enter
https://<your-grafana-domain>/login/generic_oauth
. - (Optional) Enable Proof of Key Exchange (PKCE) ↗ if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
- Copy the Client secret, Client ID, Token endpoint, and Authorization endpoint.
- Select Save configuration.
- (Optional) configure App Launcher settings by turning on Enable App in App Launcher and, in App Launcher URL, entering
https://<your-grafana-domain>/login
. - Configure Access policies for the application.
- Select Done.
- In Grafana Cloud, select the menu icon > Administration > Authentication > Generic OAuth.
- (Optional) For Display name, enter a new display name (for example,
Cloudflare Access
). Users will select Sign in with (display name) when signing in via SSO. - Fill in the following fields:
- Client Id: Client ID from application configuration in Cloudflare Zero Trust
- Client secret: Client secret from application configuration in Cloudflare Zero Trust
- Scopes: Delete
user:email
and enter the scopes configured in Cloudflare Zero Trust - Auth URL: Authorization endpoint from application configuration in Cloudflare Zero Trust
- Token URL: Token endpoint from application configuration in Cloudflare Zero Trust
- Select Save.
Open an incognito browser window and go to your Grafana domain (https://<your-grafana-domain>/login
). Select Sign in with (display name). You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.