Microsoft Entra ID + OpenID Configuration
This page outlines how to integrate Microsoft Entra ID (formerly Azure Active Directory) with Cribl Stream’s SSO/OpenID Connect authentication.
Configure Microsoft Entra ID App
Start at the Azure portal to configure an OpenID Connect provider: https://portal.azure.com/.
Register Your Microsoft Entra ID App
Open the Microsoft Entra ID Service.
In the left nav’s Manage section, select App registrations.
Add a new registration. For details, see Microsoft’s Quickstart: Register an Application topic.
For the Redirect URI, use the callback URL of your own Cribl Stream Leader instance. In the example below, substitute your Leader’s host and port: https://leader.cribl.io:9000/api/v1/auth/authorization-code/callback
The registered redirect URI must match the URL Cribl Stream sends exactly (scheme, host, port and path); otherwise Entra ID rejects the authorization request.
Get the Microsoft Entra ID App’s Basic Credentials
You’ll need to copy and paste these credentials into Cribl Stream’s Authentication page below.
- You can find the OIDC Client ID on the new app’s Overview page, as the Application (client) ID.
- Click the Endpoints button at the top of the Overview page to display the OAuth 2.0 endpoints. You can use either the v2 or the v1 endpoints, but use the same version for both the authorization and token endpoints, and note which one you chose: the claims in the resulting ID token differ, which affects the User identifier setting below.
Create and Copy a Client Secret
- To create a client secret: In the app registration’s left nav, select Certificates & secrets. Then select New client secret.
- Add a new client secret with a descriptive name and an expiration timeframe, then click Add.
- Immediately copy the Value (and, for your records, the Secret ID) from the resulting page. You’ll paste the Value into Cribl Stream’s Authentication > Client secret field below.
This is the only time the secret is shown! Make sure you copy it while it’s visible. (If you missed your chance, you can start over by creating a new secret.) Also note the expiration date: once the secret expires, SSO logins fail until you create a new secret and update Cribl Stream with it.
Configure Token and Claims
Here, you’ll add the groups claim to the OIDC ID token.
- From the Azure portal’s left nav, select Token configuration, then select Add groups claim.
- Configure the groups claim as necessary, then click Add.
Unless you synchronize Microsoft Entra ID with your on-premises Active Directory, the groups claim contains only group object IDs (GUIDs), not group names. If you have synchronized, you can configure the claim to return the sAMAccountName instead: in the Group claims dialog, select sAMAccountName as the group attribute and check the Emit group name for cloud-only groups checkbox, so that cloud-only groups (which have no sAMAccountName) are also emitted by name rather than as GUIDs.
If a user belongs to more groups than Entra ID will include in a token (200 for JWTs), the groups claim is omitted and replaced by an overage claim (_claim_names/_claim_sources) that points at Microsoft Graph, so no group list reaches Cribl Stream for that user. To avoid this, choose Groups assigned to the application when adding the claim, and assign to the app only the groups you intend to map.
- Your token is now configured, and you’re all done on the Azure side.
Configure Cribl Stream Authentication
Switch to Cribl Stream, and navigate to Settings > [Global Settings >] Access Management > Authentication. Configure the fields as follows:
- Type: OpenID Connect. This exposes the relevant fields and sets several default values and placeholders.
- Provider name: Enter an arbitrary identifier for this Microsoft Entra ID integration.
- Audience: Enter your Cribl Stream Leader instance’s base URL, in the format https://<your‑domain.ext>:9000 (no trailing slash).
- Client ID: Enter your Microsoft Entra ID Application (client) ID, copied from the app’s Overview page as described above.
- Client secret: Enter the client secret Value that you generated and copied from the app’s Certificates & secrets page.
- Scope: Accept the default openid profile email scopes.
- Authentication URL: Paste the OAuth 2.0 authorization endpoint that you copied from the app’s Overview > Endpoints drawer.
- Token URL: Paste the OAuth 2.0 token endpoint from the same Endpoints drawer (same version, v1 or v2, as the Authentication URL).
- User Info URL, Logout URL: Leave both fields blank.
- User identifier: Adjust this to the endpoint version (v1 or v2) you chose above. A v2 ID token sets the preferred_username, name, and email claims, matching this field’s default values. A v1 ID token does not set those claims by default, so use a fallback expression such as `${unique_name || upn || username || name}`, which resolves to the first of those claims present in the token. To see exactly which claims your tokens carry, enable debug-level logging on Cribl Stream’s auth:sso channel.
- Filter type: Change this to User info filter.
- Allow local auth: Optionally enable this as a fallback login method. Keeping local auth available with a strong local admin password avoids locking yourself out while the Entra ID configuration is still being verified.
Map Microsoft Entra ID Groups to Cribl Stream Roles
Next, map your Microsoft Entra ID groups to Cribl Stream Roles. Unless you synchronize Entra ID with your on-premises Active Directory and configured the groups claim to emit names (see Configure Token and Claims above), the groups arrive as object IDs (GUIDs). Look these up on the Microsoft Entra ID Groups page to translate them to group names. Enter each GUID (or group name, if that is what the token carries) in the mappings box, and then choose the Cribl Stream Role it should grant. Here is a simple example.
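To see how the User identifier expression and the group-to-Role mapping interact with what Entra ID actually puts in the ID token, here is an added Python example (not Cribl’s code, not Microsoft’s). It decodes constructed v1-style and v2-style ID-token payloads, evaluates a `${a || b || c}` fallback expression the way the User identifier field above is described, extracts the groups claim while detecting the overage case (where the token carries _claim_names instead of a group list), and maps group GUIDs or names to Roles through a hypothetical mapping table. All claim values, GUIDs and role names are made up; decode_payload does not verify the signature and is only for inspecting a token copied from the auth:sso debug log, never for making an authentication decision.

```python
import base64
import json
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample ID-token payloads (illustrative values, not real tenant data).
V1_CLAIMS = {
    "aud": "https://leader.example.com:9000",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "name": "Alice Example",
    "unique_name": "alice@example.com",
    "upn": "alice@example.com",
    "groups": ["11111111-1111-1111-1111-111111111111",
               "22222222-2222-2222-2222-222222222222"],
}
V2_CLAIMS = {
    "aud": "https://leader.example.com:9000",
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "name": "Alice Example",
    "preferred_username": "alice@example.com",
    "email": "alice@example.com",
    "groups": ["Cribl Admins"],  # a name, as emitted when sAMAccountName/cloud names are configured
}
# Overage case: the user is in too many groups, so Entra ID omits "groups"
# and instead points at Microsoft Graph via _claim_names/_claim_sources.
OVERAGE_CLAIMS = {
    "name": "Bob Example",
    "preferred_username": "bob@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/"
                                            "33333333-3333-3333-3333-333333333333/getMemberObjects"}},
}

# Hypothetical group-to-Role table, standing in for the mappings box on the Authentication page.
GROUP_ROLE_MAP: Dict[str, str] = {
    "11111111-1111-1111-1111-111111111111": "admin",
    "22222222-2222-2222-2222-222222222222": "user",
    "Cribl Admins": "admin",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature. Test fixture only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. Use only to inspect a
    token copied from the auth:sso debug log; Cribl Stream verifies tokens itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialized token")
    return json.loads(_b64url_decode(parts[1]))


def resolve_user_identifier(claims: dict, expr: str) -> Optional[str]:
    """Evaluate a ${a || b || c} fallback expression: the first listed claim
    that is present with a non-empty string value wins."""
    m = re.fullmatch(r"\$\{(.+)\}", expr.strip())
    if not m:
        raise ValueError("expected an expression of the form ${claim || claim ...}")
    for name in (n.strip() for n in m.group(1).split("||")):
        value = claims.get(name)
        if isinstance(value, str) and value:
            return value
    return None


def extract_groups(claims: dict) -> Tuple[List[str], bool]:
    """Return (groups, overage). overage=True means the token carries no group
    list because Entra ID replaced it with an overage claim."""
    groups = claims.get("groups")
    if isinstance(groups, list):
        return [str(g) for g in groups], False
    overage = "groups" in (claims.get("_claim_names") or {})
    return [], overage


def map_groups_to_roles(groups: List[str], mapping: Dict[str, str] = GROUP_ROLE_MAP) -> Set[str]:
    """Translate group GUIDs or names into Roles; unmapped groups grant nothing."""
    return {mapping[g] for g in groups if g in mapping}


def classify(token: str, identifier_expr: str) -> dict:
    """Summarize what Cribl Stream would derive from this token."""
    claims = decode_payload(token)
    groups, overage = extract_groups(claims)
    return {
        "user": resolve_user_identifier(claims, identifier_expr),
        "groups": groups,
        "overage": overage,
        "roles": sorted(map_groups_to_roles(groups)),
    }


if __name__ == "__main__":
    v1_expr = "${unique_name || upn || username || name}"
    v2_expr = "${preferred_username || name || email}"  # assumed v2-style expression
    for label, claims, expr in (("v1", V1_CLAIMS, v1_expr), ("v2", V2_CLAIMS, v2_expr),
                                ("v2 with v1 expr", V2_CLAIMS, v1_expr),
                                ("overage", OVERAGE_CLAIMS, v2_expr)):
        print(label, classify(make_unsigned_token(claims), expr))
```

Running the script shows why the identifier must match the endpoint version: the v1 expression applied to a v2 token falls through to the display name "Alice Example" instead of the UPN, and the overage token yields no groups and therefore no Roles, which is the symptom to look for when a user in many groups logs in with no permissions.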