diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 2dd6d9b..d071f9a 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -183,8 +183,8 @@ data:
 
   grafana-client-payload.json: |
     {
-      "clientId": "grafana-oauth",
-      "name": "grafana-oauth",
+      "clientId": "grafana",
+      "name": "Grafana Client",
       "description": "Used for Grafana SSO",
       "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
       "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
@@ -406,7 +406,30 @@ spec:
               ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
               -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
               -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+
+
+
+
+              echo "creating Grafana client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/grafana-client-payload.json \
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
               
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "grafana") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+              
+
+
+
               echo "creating Backstage client"
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@@ -441,6 +464,8 @@ spec:
                 ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
                 BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
                 BACKSTAGE_CLIENT_ID: backstage
+                GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
+                GRAFANA_CLIENT_ID: grafana
               " > /tmp/secret.yaml
               
               ./kubectl apply -f /tmp/secret.yaml