Documentation

Telegraf Controller

Authentication

This section describes how users sign in to Telegraf Controller. To authenticate API requests and Telegraf agent connections, see Manage API tokens.

Telegraf Controller supports three authentication providers that you can run individually or together:

ProviderAvailabilityHow users sign in
LocalFreeUsername and password stored in Telegraf Controller
LDAPTelegraf EnterpriseBind against an LDAP or Active Directory server
OIDCTelegraf EnterpriseAuthorization code + PKCE flow with an OIDC provider

Each provider is enabled and configured independently. You can run all three at once and let users choose at the sign-in screen, or restrict sign-in to a single provider.

Choose an authentication provider

  • Use local authentication when you don’t have a central identity provider, or when you need a non-enterprise deployment.
  • Use LDAP to authenticate against an existing LDAP directory or Active Directory and provision users from directory groups.
  • Use OIDC to authenticate against a modern identity provider (Okta, Auth0, Keycloak, Microsoft Entra ID, Google Workspace, and others) using authorization code flow with PKCE.

Local authentication can be disabled

If your security policy prohibits storing passwords in Telegraf Controller, you can disable local authentication after configuring LDAP or OIDC and bootstrapping an owner against that provider. For details, see Configure local authentication.

Multi-factor authentication and single sign-on

Telegraf Controller does not implement multi-factor authentication (MFA) or single sign-on (SSO) directly. Both are delegated to the configured identity provider:

  • Local authentication does not support MFA or SSO. Use LDAP or OIDC if either is required.
  • LDAP authentication enforces whatever MFA policy your LDAP or Active Directory server applies during the bind step.
  • OIDC authentication enforces whatever MFA and SSO policies your OpenID Connect provider applies during the authorization step. Users already signed into the provider get single sign-on automatically.

To require MFA for Telegraf Controller, configure it in your identity provider and disable local authentication so users sign in through that provider only.

Configuration model

Transport-level authentication settings such as URLs, bind credentials, client secrets, and claim or attribute names are read from environment variables (or command-line flags) at startup and are immutable until you restart Telegraf Controller.

Provisioning and identity-mapping settings (provisioning strategy, default role, allowed email domains, group-to-role mappings) are stored in the database and editable at runtime from the Settings page by an owner or administrator. The table below summarizes the split.

Setting categoryConfigured byEditable at runtime
Enable or disable a providerEnvironment variableNo
LDAP server URL, bind credentials, TLS, attribute mappingEnvironment variableNo
OIDC issuer, client credentials, scopes, claims, callbackEnvironment variableNo
Provisioning strategy and default roleSettings pageYes
Allowed email domainsSettings pageYes
Auto-link by verified emailSettings pageYes
Group-to-role mappingsSettings pageYes

Provisioning strategies

When an LDAP or OIDC user signs in for the first time, Telegraf Controller applies the provider’s provisioning strategy to decide whether to create a Telegraf Controller account for them.

StrategyBehavior on first sign-in
invite_onlyOnly users with a pending invite for the matching email and provider are admitted. Default.
domain_restrictedA pending invite admits the user; otherwise, the email must end with an allowed domain.
auto_createA pending invite admits the user; otherwise, any user the provider authenticates is auto-created.

Each external provider has its own provisioning strategy. For example, you can run LDAP in invite_only while OIDC is in auto_create.

Group-to-role mapping

For LDAP and OIDC, Telegraf Controller reads a list of groups from the identity provider and maps them to Telegraf Controller roles. You define mappings on the Settings page as rows of (provider, group name, role).

  • If a user belongs to multiple mapped groups, the highest role wins.
  • If a user matches no mapping, the provider’s default role is assigned or sign-in is rejected, depending on the provider’s On no group match setting.
  • The Owner role is never assigned through a mapping. You can Transfer ownership instead.

Owner account behavior

The owner is the only account that can change LDAP and OIDC settings and is treated specially across providers:

  • The owner always retains a local password hash, even if LDAP or OIDC is the account’s primary provider. This guarantees a recovery path if your identity provider becomes unreachable.
  • The owner’s role cannot be downgraded by LDAP or OIDC group mappings.
  • An external identity provider cannot auto-link to the owner account. Account-takeover protection prevents an external login from claiming the existing owner record.

You can bootstrap an owner against LDAP or OIDC on first startup using the OWNER_AUTH_PROVIDER and OWNER_EXTERNAL_ID environment variables. This is required if you intend to disable local authentication.

Local authentication

Bootstrap the owner account, tune login security, and optionally disable local username and password authentication in Telegraf Controller.

LDAP authentication

Authenticate Telegraf Controller users against an LDAP or Active Directory server, provision accounts from directory data, and map LDAP groups to Telegraf Controller roles.

OIDC authentication

Authenticate Telegraf Controller users against an OpenID Connect identity provider with authorization code flow and PKCE, provision accounts from claims, and map provider groups to Telegraf Controller roles.

Was this page helpful?

Thank you for your feedback!

© 2026 InfluxData, Inc.

Where are you running InfluxDB?

Select your InfluxDB Cloud region and cluster or your InfluxDB OSS URL and we’ll customize code examples for you. Identify your InfluxDB Cloud cluster.

  • InfluxDB Cloud
  • InfluxDB OSS or Enterprise
AWS

  • US West (Oregon)

GCP
Azure
Default
Custom

For more information, see InfluxDB Cloud regions or InfluxDB OSS URLs.

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

InfluxDB OSS 2.9.0: API tokens are hashed by default

Stronger token security in InfluxDB OSS 2.9.0 — tokens are hashed on disk by default. Existing tokens are hashed on first startup and can’t be recovered afterward. Capture any plaintext tokens you still need before you upgrade.

View InfluxDB OSS 2.9.0 release notes

Hashed tokens authenticate exactly like unhashed tokens — clients and integrations keep working.

Also new in 2.9.0:

  • Configurable backup compression
  • Restore support for backups containing hashed tokens
  • Tighter Edge Data Replication queue validation
  • Flux upgrade
  • Compaction reliability improvements

Key enhancements in Explorer 1.9

Explorer 1.9 is now available with InfluxQL support, an AI-assisted Flux to SQL converter (beta), and new live sample data simulators.

View Explorer 1.9 release notes

Explorer 1.9 includes new features and improvements that make it easier to query, visualize, and manage data.

Highlights:

  • Flux to SQL converter (beta): Convert Flux queries to SQL with an AI-assisted converter.
  • InfluxQL support: Query data with InfluxQL in the Data Explorer and dashboards, and save and load InfluxQL queries.
  • InfluxQL visualizations: Render line and bar charts from InfluxQL results with per-tag series grouping.
  • Query error history: Review a history of query errors in the query tool.
  • Live sample data simulators: Generate continuous live sample data with new bird data and signal generator simulators.

For more details, see Explorer 1.9 release notes

InfluxDB 3.10 is now available

InfluxDB 3 Core 3.10 adds an automatic catalog format upgrade, a configurable query-concurrency limit, and processing engine improvements.

Key updates in InfluxDB 3 Core 3.10:

  • Catalog format upgrade: the on-disk catalog automatically upgrades from format v2 to v3 on first 3.10 startup. Migration is one-way—back up your catalog before upgrading.
  • --max-concurrent-queries: limit concurrent queries (adjustable at runtime).
  • GET /ready endpoint for readiness probes.
  • Processing engine: cross-database queries and trigger lockdown flags.

For more information, see the InfluxDB 3 Core release notes.

InfluxDB 3.10 is now available

InfluxDB 3 Enterprise 3.10 adds automated backup and restore, row-level deletions, and user management, with an automatic catalog format upgrade and performance preview improvements.

Key updates in InfluxDB 3 Enterprise 3.10:

  • Catalog format upgrade: the on-disk catalog automatically upgrades from format v2 to v3 on first 3.10 startup. Migration is one-way—back up your catalog before upgrading.
  • Automated backup and restore (beta)
  • Row-level deletions
  • User management (authentication and RBAC) — preview
  • Performance preview improvements

Backup and restore, row-level deletions, and the performance preview require the Enterprise storage engine upgrade (opt-in beta). Beta and preview features are subject to breaking changes and aren’t recommended for production use.

For more information, see the InfluxDB 3 Enterprise release notes

Telegraf Enterprise is now generally available

Telegraf Enterprise is now generally available, along with Telegraf Controller v1.0.

Telegraf Enterprise combines Telegraf Controller, a centralized management console for Telegraf, with official support from InfluxData. Manage configurations, monitor fleet health, and operate tens of thousands of Telegraf agents from a single system.

InfluxDB Docker latest tag changing to InfluxDB 3 Core

On September 15, 2026, the latest tag for InfluxDB Docker images will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments.

If using Docker to install and run InfluxDB, the latest tag will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments. For example, if using Docker to run InfluxDB v2, replace the latest version tag with a specific version tag in your Docker pull command–for example:

docker pull influxdb:2