Grafana is an open-source dashboard for monitoring databases such as Prometheus, Graphite or Elasticsearch.

Grafana offers social login through a generic OAuth 2 connector. Thankfully, it is close enough to OpenID Connect to work well with LemonLDAP::NG.


Grafana configuration

You should start by following the generic OAuth2 documentation provided by Grafana:

Your configuration file will have to look something like this:

[auth.generic_oauth]
enabled = true
client_id = CHOOSE_A_CLIENT_ID
client_secret = CHOOSE_A_CLIENT_SECRET
scopes = openid email profile
auth_url =
token_url =
api_url =
allow_sign_up = true
name = LemonLDAP::NG
send_client_credentials_via_post = false
email_attribute_name = email


Make sure you have already enabled OpenID Connect on your LemonLDAP::NG server.

Then, add a Relying Party with the following configuration:

  • Options » Authentication » Client ID : same as client_id above

  • Options » Authentication » Client Secret : same as client_secret above

  • Options » Allowed redirection address : https://<grafana domain>/login/generic_oauth

If you want to transmit extra user attributes to Grafana, you also need to configure:

  • Scope values content »

    • add a key named profile to override the default claim list

    • set a value of name username display_name upn

  • Exported Attributes (not all of them are mandatory)

    • replace the existing keys with the following 5 new keys:

      • name

      • username

      • display_name

      • upn

      • email

    • map them to your corresponding LemonLDAP::NG session attribute


To trigger OIDC authentication directly, you can register Grafana in the application menu and set its URL to: https://<grafana domain>/login/generic_oauth
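
A pre-deployment check for the Grafana side of this setup, as an added example that is not from the Grafana or LemonLDAP::NG documentation: it parses the [auth.generic_oauth] section and reports placeholder credentials, missing scopes and endpoint URLs that are unset or not HTTPS. The endpoint URLs in the sample are hypothetical, and requiring HTTPS on them is an assumption of this check rather than a setting stated on this page.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: this page's settings with hypothetical endpoint URLs.
SAMPLE_INI = """
[auth.generic_oauth]
enabled = true
client_id = grafana
client_secret = CHOOSE_A_CLIENT_SECRET
scopes = openid email
auth_url = https://auth.example.com/oauth2/authorize
token_url = http://auth.example.com/oauth2/token
api_url =
"""

PLACEHOLDERS = {"CHOOSE_A_CLIENT_ID", "CHOOSE_A_CLIENT_SECRET", ""}
REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes listed on this page


def check_generic_oauth(ini_text):
    """Return a list of findings for the [auth.generic_oauth] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("auth.generic_oauth"):
        return ["missing [auth.generic_oauth] section"]
    sec = cp["auth.generic_oauth"]
    findings = []
    if sec.get("enabled", fallback="false").strip().lower() != "true":
        findings.append("enabled is not true")
    for key in ("client_id", "client_secret"):
        if sec.get(key, fallback="").strip() in PLACEHOLDERS:
            findings.append(f"{key} is empty or still a placeholder")
    missing = REQUIRED_SCOPES - set(sec.get("scopes", fallback="").split())
    if missing:
        findings.append("scopes missing: " + " ".join(sorted(missing)))
    for key in ("auth_url", "token_url", "api_url"):
        url = urlsplit(sec.get(key, fallback="").strip())
        if not url.netloc:
            findings.append(f"{key} is not set")
        elif url.scheme != "https":  # assumption: endpoints must be HTTPS
            findings.append(f"{key} does not use https")
    return findings


if __name__ == "__main__":
    for finding in check_generic_oauth(SAMPLE_INI):
        print("FINDING:", finding)
```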