# Authentik Configuration - Grafana SSO Integration
#
# Generated: 2025-09-20 07:25:00
#
# This file is an authentik blueprint that provisions everything authentik needs
# for Grafana OAuth2/OIDC single sign-on: the OAuth2 provider, a custom
# group-to-role scope mapping, and the application object that ties them together.
#
# Apply this blueprint to automate the setup of Grafana SSO with Authentik.
# The ${VAR:-default} placeholders appear to expect a shell/compose-style
# substitution step before the file reaches authentik; the matching Grafana-side
# generic_oauth settings (client id/secret, scopes, role attribute path) are not
# part of this file and must be configured separately.
# Blueprint schema version understood by authentik's blueprint importer.
version: 1

# Blueprint metadata; `name` identifies this blueprint inside authentik.
metadata:
  name: AI Tax Agent Grafana SSO Integration
  labels:
    # Label left by the generator that produced this file.
    blueprints.goauthentik.io/generated: "true"
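entries:
# ---------------------------------------------------------------------------
# Grafana OAuth2/OIDC provider
# ---------------------------------------------------------------------------
# `id` is what the application entry references via `!KeyOf grafana`; a
# `!KeyOf` lookup resolves against an entry's id, so without it the reference
# has nothing to bind to.
- id: grafana
  model: authentik_providers_oauth2.oauth2provider
  state: present
  conditions: []
  permissions: []
  identifiers:
    name: grafana
  attrs:
    name: grafana
    # Implicit-consent flow: users are not shown a consent screen for this
    # (internal) application.
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    # Confidential client: Grafana exchanges the authorization code server-side
    # using client_id + client_secret, so the secret is what protects this
    # integration.
    client_type: confidential
    client_id: grafana
    # SECURITY: the previous value fell back to a publicly known string
    # (`changeme-grafana-secret`) whenever the variable was unset, silently
    # provisioning a guessable client secret. `:?` makes the substitution step
    # fail loudly instead (POSIX sh, bash and docker compose support it). The
    # same value must be configured as Grafana's generic_oauth client secret.
    # NOTE(review): authentik does not expand ${VAR} placeholders itself; this
    # file appears to rely on a shell/compose-style pre-processing step. If it
    # is ever applied directly, use the blueprint `!Env` tag instead.
    client_secret: ${AUTHENTIK_GRAFANA_CLIENT_SECRET:?AUTHENTIK_GRAFANA_CLIENT_SECRET is not set}
    # Only Grafana's generic_oauth callback may receive authorization codes.
    # DOMAIN defaults to a local development domain; production must set it.
    # NOTE(review): older authentik releases match redirect URIs as regular
    # expressions (an unescaped `.` matches any character); newer releases take
    # `{matching_mode: strict, url: ...}` entries. Confirm the deployed version
    # applies strict matching to this URI.
    redirect_uris:
      - https://grafana.${DOMAIN:-local.lan}/login/generic_oauth
    # `sub` is a hash of the user id rather than the username or email.
    sub_mode: hashed_user_id
    # Put the scope claims (including the groups/role mapping) into the ID
    # token as well as the userinfo response.
    include_claims_in_id_token: true
    # Issuer value is specific to this provider rather than global.
    issuer_mode: per_provider
    # ID tokens are signed with authentik's default self-signed key pair.
    # NOTE(review): acceptable for token signing provided Grafana verifies
    # against the provider's JWKS rather than a CA chain — confirm, and rotate
    # the key if it was generated at first boot and never replaced.
    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    # Standard OIDC scopes plus the custom groups mapping (referenced by its
    # blueprint entry id).
    property_mappings:
      - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
      - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
      - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
      - !KeyOf grafana-groups-mapping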
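# ---------------------------------------------------------------------------
# Custom groups -> role scope mapping for Grafana
# ---------------------------------------------------------------------------
# `id` is required so the provider's `!KeyOf grafana-groups-mapping` reference
# resolves to this entry; without it the property mapping cannot be attached.
- id: grafana-groups-mapping
  model: authentik_providers_oauth2.scopemapping
  state: present
  conditions: []
  permissions: []
  identifiers:
    name: Grafana Groups Mapping
  attrs:
    name: Grafana Groups Mapping
    description: Maps Authentik groups to Grafana roles
    # NOTE(review): Grafana's generic_oauth `scopes` must include `groups` for
    # these claims to be requested — confirm on the Grafana side.
    scope_name: groups
    # Role precedence is fixed by append order: Admin before Editor before
    # Viewer, and `role` is the first entry, so a user in both an admin and an
    # editor group gets Admin. "Viewer" is always appended, which is why the
    # `else "Viewer"` branch can never be taken.
    # SECURITY: membership in "authentik Admins" or "Administrators" is the only
    # thing that grants Grafana Admin — keep those groups tightly controlled.
    expression: |
      # Map Authentik groups to Grafana roles
      groups = []
      user_groups = [group.name for group in request.user.ak_groups.all()]

      # Admin role mapping
      if "authentik Admins" in user_groups or "Administrators" in user_groups:
          groups.append("Admin")

      # Editor role mapping
      if "Tax Reviewers" in user_groups or "Accountants" in user_groups:
          groups.append("Editor")

      # Viewer role mapping (default for all authenticated users)
      groups.append("Viewer")

      return {
          "groups": groups,
          "role": groups[0] if groups else "Viewer"  # Primary role
      }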
# ---------------------------------------------------------------------------
# Grafana application object
# ---------------------------------------------------------------------------
- model: authentik_core.application
  state: present
  identifiers:
    slug: grafana
  attrs:
    name: Grafana
    slug: grafana
    # Binds this application to the provider entry whose id is `grafana`.
    provider: !KeyOf grafana
    # No policy bindings are declared in this blueprint. With `any`, access is
    # granted as soon as one bound policy passes.
    # NOTE(review): with no bindings at all every authenticated user can reach
    # the application — consistent with the Viewer-by-default mapping, but bind
    # a group policy here if Grafana should not be open to all accounts.
    policy_engine_mode: any
    meta_description: Grafana monitoring and observability platform
    meta_publisher: Grafana Labs
  conditions: []
  permissions: []