I have tried to implement SSO in Grafana using OAuth and PingID, which is working as expected. The access token provides the list of attributes; it shows all groups that I'm a member of. So my workaround is that only members of the group mydomain_Monitoring_Portal can join SSO using Grafana.
Used data:

```json
{
  "scope": [],
  "client_id": "xxx-xxx-xxx-xxx-xxx",
  "firstName": "myname",
  "LastName": "lastname",
  "emailAddress": "abc@gmail.com",
  "memberOf": [
    "CN=mydomain_Monitoring_Portal,OU=xyz,OU=SecurityGroup,DC=fiat,DC=com",
    "CN=Monitoring,OU=abc,OU=Secret,DC=fiat,DC=com",
    "CN=service,OU=def,OU=mount,DC=fiat,DC=com"
  ],
  "userType": "Employee",
  "userId": "nb656",
  "username": "n656",
  "exp": 167895258
}
```

scope: openid email profile
I had tried to implement group_attribute_path in the grafana.ini file, no luck. All members of the other groups are also able to join.

```ini
groups_attribute_path = memberOf[?contains(@, 'mydomain_Monitoring_Portal') == `true`]
```

Expected: only employees who are in the group mydomain_Monitoring_Portal can join Grafana using SSO.
Doc is your friend: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#role-mapping
You need to configure role mapping with `role_attribute_path` plus `role_attribute_strict = true`, which denies user access if no role or an invalid role is returned.
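A concrete grafana.ini fragment for the token shown in the question, added here as an illustration and not taken from the answer above or from the Grafana docs; the `[auth.generic_oauth]` section name is Grafana's, while mapping group members to the Editor role is an assumption.

```ini
[auth.generic_oauth]
; JMESPath expression evaluated against the token / userinfo claims.
; contains() on an array matches whole elements, so the full group DN
; from the memberOf claim is compared exactly (assumed value from the
; question); members get Editor, everyone else gets an empty role.
role_attribute_path = contains(memberOf[*], 'CN=mydomain_Monitoring_Portal,OU=xyz,OU=SecurityGroup,DC=fiat,DC=com') && 'Editor' || ''
; With strict mode on, an empty or invalid role (i.e. not in the group)
; makes Grafana deny the login instead of falling back to Viewer.
role_attribute_strict = true
```

The questioner's `groups_attribute_path` only extracts the group list for Grafana; it does not by itself decide whether a login is accepted, which is why members of the other groups still got in.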