Graylog SSO
Configure Graylog Operations to authenticate users via Clavex using the
built-in OpenID Connect authentication provider (available in Graylog ≥ 4.3).
Group-to-role mapping is supported via the groups claim.
Graylog Enterprise: OIDC SSO is available in the open-source
Graylog ≥ 4.3. The Enterprise version additionally supports automatic team sync and
advanced role mapping.
Prerequisites
- Graylog ≥ 4.3
- Graylog admin access
- Clavex at https://id.acme.eu, org slug acme
Step 1 — Register OIDC Client in Clavex
# Double quotes around the Authorization header so the shell expands $ADMIN_TOKEN
# (inside single quotes the literal string "$ADMIN_TOKEN" would be sent).
$ curl -X POST https://id.acme.eu/api/v1/organizations/acme/clients \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "graylog",
    "client_name": "Graylog",
    "grant_types": ["authorization_code"],
    "redirect_uris": ["https://graylog.acme.eu/api/plugins/org.graylog.plugins.auth.sso/callback"],
    "scopes": ["openid", "profile", "email"],
    "token_endpoint_auth_method": "client_secret_basic"
  }'
Step 2 — Configure OIDC in Graylog
- Go to System → Authentication → Authentication Services → Create new
- Choose OpenID Connect/OAuth
- Fill in:
| Field | Value |
|---|---|
| Service name | Clavex |
| Client ID | graylog |
| Client secret | cs_xxxxxxxxxxxxxxxx |
| Discovery URL | https://id.acme.eu/acme/.well-known/openid-configuration |
| Callback URL | https://graylog.acme.eu/api/plugins/org.graylog.plugins.auth.sso/callback |
| Username claim | preferred_username |
| Full name claim | name |
| Email claim | email |
- Click Create
- Set this provider as the Active authenticator in Authentication → Active Backend
Step 3 — Role Synchronization
Configure Team Synchronization (Enterprise) or manually assign Graylog roles to users after their first OIDC login. Create roles in System → Authentication → Roles.
# Get user ID first (the query is a search; check that the returned username is an exact match)
$ curl -u "admin:$GRAYLOG_PW" \
  "https://graylog.acme.eu/api/users?query=alice" | jq '.users[0].id'
# Assign roles to the SSO user, replacing {userID} with the id returned above.
# "Graylog Admin" grants full administrative rights; include it only for users who need it.
# Graylog's CSRF protection rejects state-changing requests without an X-Requested-By header.
$ curl -u "admin:$GRAYLOG_PW" -X PUT \
  "https://graylog.acme.eu/api/users/{userID}/roles" \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-By: cli' \
  -d '{"roles": ["Reader", "Graylog Admin"]}'
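The manual assignment above does not scale once many users log in through Clavex. The following script is an added example (not Graylog's or Clavex's code) of the group-to-role mapping mentioned at the top of this page: it takes the claims Clavex returns for a user, maps the groups claim onto Graylog roles with read-only as the least-privilege default, and pushes the result through the two Graylog endpoints used in this step. The group names, the custom role "SOC Analyst" and the "role-sync" header value are assumptions made for the example; "Reader" and "Graylog Admin" are the role names this page uses.

```python
"""Group-to-role sync for Graylog SSO users (added example, not project code)."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Hypothetical mapping: which Clavex groups grant which Graylog roles.
# "SOC Analyst" stands for a custom role created under System → Authentication → Roles.
ROLE_MAP: Dict[str, List[str]] = {
    "graylog-admins": ["Graylog Admin"],
    "soc-analysts": ["Reader", "SOC Analyst"],
    "auditors": ["Reader"],
}
# Users with no matching group only get read access (least privilege).
DEFAULT_ROLES: List[str] = ["Reader"]


def roles_for_groups(groups: Iterable[str]) -> List[str]:
    """Return the sorted, de-duplicated Graylog roles for the given groups."""
    roles = set()
    for group in groups:
        roles.update(ROLE_MAP.get(group, []))  # unknown groups grant nothing
    if not roles:
        roles.update(DEFAULT_ROLES)
    return sorted(roles)


def plan_assignment(claims: Dict) -> Tuple[str, List[str]]:
    """Derive (graylog_username, roles) from the userinfo claims.
    `preferred_username` is the username claim configured in Step 2."""
    username = claims["preferred_username"]
    groups = claims.get("groups")
    if not isinstance(groups, list):
        groups = []  # missing or malformed claim: fall back to DEFAULT_ROLES, never to admin
    return username, roles_for_groups(groups)


class GraylogClient:
    """Minimal wrapper around the two Graylog REST calls shown on this page."""

    def __init__(self, base_url: str, admin_user: str, admin_password: str):
        self.base_url = base_url.rstrip("/")
        creds = f"{admin_user}:{admin_password}".encode()
        self.auth_header = "Basic " + base64.b64encode(creds).decode()

    def _call(self, method: str, path: str, body: Optional[Dict] = None) -> Dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", self.auth_header)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        # Graylog's CSRF protection rejects state-changing requests without this header.
        req.add_header("X-Requested-By", "role-sync")
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}

    def find_user_id(self, username: str) -> Optional[str]:
        result = self._call("GET", "/api/users?query=" + urllib.parse.quote(username))
        # The query is a search and may return similar names: accept exact matches only.
        for user in result.get("users", []):
            if user.get("username") == username:
                return user.get("id")
        return None

    def set_roles(self, user_id: str, roles: List[str]) -> None:
        self._call("PUT", f"/api/users/{urllib.parse.quote(user_id)}/roles", {"roles": roles})


def sync_user(claims: Dict, find_user_id: Callable[[str], Optional[str]],
              set_roles: Callable[[str, List[str]], None]) -> Optional[List[str]]:
    """Apply the mapping for one user. The callables are GraylogClient methods in
    production and fakes in tests. Returns the roles applied, or None when the user
    has no Graylog account yet (first OIDC login has not happened)."""
    username, roles = plan_assignment(claims)
    user_id = find_user_id(username)
    if user_id is None:
        return None
    set_roles(user_id, roles)
    return roles


if __name__ == "__main__":
    import os
    # Constructed userinfo response for demonstration.
    sample_claims = {"preferred_username": "alice", "email": "alice@acme.eu",
                     "groups": ["soc-analysts", "unrelated-group"]}
    gl = GraylogClient("https://graylog.acme.eu", "admin", os.environ["GRAYLOG_PW"])
    print(sync_user(sample_claims, gl.find_user_id, gl.set_roles))
```

Run it after each user's first SSO login (or from a scheduled job) with `GRAYLOG_PW` set. The mapping is deliberately allow-list based: a group Graylog has never heard of, or a groups claim that is missing or not a list, yields Reader and nothing more.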
Step 4 — Test
- Open https://graylog.acme.eu
- Click Sign in with SSO or navigate directly to the SSO login
- Authenticate via Clavex and verify you land on the Graylog dashboard
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| SSO not shown on login page | OIDC provider not set as active backend | System → Authentication → Active Backend → select Clavex provider |
| Failed to retrieve user info | UserInfo endpoint unreachable from Graylog | Check firewall/network: Graylog must reach https://id.acme.eu/acme/userinfo |
| User logs in but has no streams | No role assigned to user | Assign Reader or custom role via Graylog API or UI |
| Discovery URL fetch fails at startup | Graylog starts before Clavex is ready | Add health check ordering in Docker Compose / Kubernetes; restart Graylog after Clavex is up |
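Most of the symptoms above can be caught before the first login attempt. The script below is an added example (not Graylog's or Clavex's code) of a pre-flight check: it validates the discovery document behind the Discovery URL from Step 2 for what Graylog's OIDC provider depends on (issuer matching the URL, HTTPS endpoints, the authorization-code flow, client_secret_basic, the requested scopes) and confirms that the Callback URL from Step 2 is exactly one of the redirect_uris registered in Step 1. The sample discovery document is constructed for the example; apart from the userinfo URL on this page, its endpoint paths are assumptions about Clavex. Only `fetch_json` touches the network.

```python
"""Pre-flight check for the Graylog <-> Clavex OIDC wiring (added example)."""
import json
import urllib.request
from typing import Dict, List
from urllib.parse import urlparse

DISCOVERY_URL = "https://id.acme.eu/acme/.well-known/openid-configuration"
GRAYLOG_CALLBACK = "https://graylog.acme.eu/api/plugins/org.graylog.plugins.auth.sso/callback"
REQUESTED_SCOPES = ("openid", "profile", "email")
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

# Constructed discovery document; endpoint paths other than /userinfo are assumed.
SAMPLE_DISCOVERY: Dict = {
    "issuer": "https://id.acme.eu/acme",
    "authorization_endpoint": "https://id.acme.eu/acme/authorize",
    "token_endpoint": "https://id.acme.eu/acme/token",
    "userinfo_endpoint": "https://id.acme.eu/acme/userinfo",
    "jwks_uri": "https://id.acme.eu/acme/jwks",
    "response_types_supported": ["code"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
}


def fetch_json(url: str, timeout: float = 5.0) -> Dict:
    """GET a JSON document; failing here is the 'Discovery URL fetch fails' symptom."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc: Dict, discovery_url: str = DISCOVERY_URL) -> List[str]:
    """Return the problems found in an OpenID discovery document (empty list = OK)."""
    problems: List[str] = []
    # OIDC Discovery 4.3: the issuer must equal the URL the document was fetched
    # from, minus the /.well-known/openid-configuration suffix (no trailing slash).
    expected_issuer = discovery_url.rsplit("/.well-known/", 1)[0]
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match discovery URL "
                        f"(expected {expected_issuer!r})")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"{key} missing")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not advertised (authorization_code flow needed)")
    # Per the spec the default when this key is absent is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_basic" not in methods:
        problems.append("token endpoint does not accept client_secret_basic")
    # scopes_supported is recommended, not required: only check it when present.
    if "scopes_supported" in doc:
        missing = [s for s in REQUESTED_SCOPES if s not in doc["scopes_supported"]]
        if missing:
            problems.append("scopes not supported: " + ", ".join(missing))
    return problems


def check_callback(registered_redirect_uris: List[str], callback: str = GRAYLOG_CALLBACK) -> List[str]:
    """OIDC requires an exact string match between the redirect_uri Graylog sends and
    one registered on the client; a trailing slash or http vs https breaks the login."""
    if callback in registered_redirect_uris:
        return []
    return [f"callback {callback!r} is not among registered redirect_uris {registered_redirect_uris!r}"]


def run_preflight(doc: Dict, registered_redirect_uris: List[str]) -> List[str]:
    return check_discovery(doc) + check_callback(registered_redirect_uris)


if __name__ == "__main__":
    # Offline demo on the constructed document; for a live run replace it with
    # fetch_json(DISCOVERY_URL) and pass the redirect_uris from the Step 1 registration.
    for line in run_preflight(SAMPLE_DISCOVERY, [GRAYLOG_CALLBACK]) or ["OK"]:
        print(line)
```

A non-empty result from `check_discovery` points at the Clavex side or at network reachability between Graylog and the discovery/userinfo endpoints; a non-empty result from `check_callback` means the Step 1 registration and the Step 2 Callback URL have drifted apart.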