diff --git a/chart/templates/monitoring/secret-sso.yaml b/chart/templates/monitoring/secret-sso.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ffc9daf1a8596d828886c7b0e8e420cd03a000ed
--- /dev/null
+++ b/chart/templates/monitoring/secret-sso.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled .Values.monitoring.sso.grafana.client_id }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: grafana-sso
+  namespace: monitoring
+type: kubernetes.io/opaque
+stringData:
+  {{- if .Values.monitoring.sso.grafana.client_id }}
+  client_id: {{ .Values.monitoring.sso.grafana.client_id }}
+  {{- end }}
+  {{- if .Values.monitoring.sso.grafana.client_secret }}
+  client_secret: {{ .Values.monitoring.sso.grafana.client_secret }}
+  {{- end }}
+{{- end }}
diff --git a/chart/templates/monitoring/values.yaml b/chart/templates/monitoring/values.yaml
index 8c8aeab8104040d024fa9b9fffdbc774143ea2b0..e59206aabd9db3ddf2894d9b00ff5b402331b4fd 100644
--- a/chart/templates/monitoring/values.yaml
+++ b/chart/templates/monitoring/values.yaml
@@ -314,8 +314,12 @@ grafana:
       {{- if .Values.sso.name }}
       name: {{ .Values.sso.name }}
       {{- end }}
-      client_id: {{ .Values.monitoring.sso.grafana.client_id }}
-      client_secret: {{ .Values.monitoring.sso.grafana.client_secret }}
+      {{- if and .Values.monitoring.sso.enabled .Values.monitoring.sso.grafana.client_id }}
+      client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
+      {{- end }}
+      {{- if and .Values.monitoring.sso.enabled .Values.monitoring.sso.grafana.client_secret }}
+      client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
+      {{- end }}
       scopes: {{ .Values.monitoring.sso.grafana.scopes | default "openid profile email" }}
       auth_url: {{ default (include "sso.oidc.auth" .) .Values.monitoring.sso.grafana.auth_url }}
       token_url: {{ default (include "sso.oidc.token" .) .Values.monitoring.sso.grafana.token_url }}
@@ -330,6 +334,15 @@ grafana:
       {{- list "tls_client_key" .tls_client_key | include "bigbang.addValueIfSet" | indent 6 }}
     {{- end }}
 
+  {{- if and .Values.monitoring.sso.enabled .Values.monitoring.sso.grafana.client_id }}
+  extraSecretMounts:
+    - name: auth-generic-oauth-secret
+      mountPath: /etc/secrets/auth_generic_oauth
+      secretName: grafana-sso
+      defaultMode: 0440    
+      readOnly: true
+  {{- end }}
+
   {{- if $istioInjection }}
   serviceMonitor:
     scheme: https