Cribl LogStream ‚Äď Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up here)
Download entire manual as PDF ‚Äď v.3.1.2

OpenID + Azure AD Configuration

This page outlines how to integrate Azure Active Directory with LogStream's SSO/OpenID Connect authentication.

Configure Azure AD App

Start at the Azure portal to configure an OpenID Connect provider:

Register Your Azure AD App

  1. Open the Azure Active Directory Service.

  2. In the left nav's Manage section, select App registrations.

  3. Add a new registration. For details, see Microsoft's Quickstart: Register an Application topic.

    In the example below, substitute the appropriate callback URL for your own LogStream Leader instance.

Registering an Azure AD appRegistering an Azure AD app

Registering an Azure AD app

Get the Azure AD App's Basic Credentials

You'll need to copy and paste these credentials into LogStream's Authentication page below.

  1. You can find the OIDC Client ID on the new app's Overview page, as the Application (client) ID.
Finding the OIDC Client IDFinding the OIDC Client ID

Finding the OIDC Client ID

  1. Click the Endpoints button at the page top to display the OAuth endpoints. You can use either the v2 or the v1 endpoints.
Copying OAuth 2 v2 endpointsCopying OAuth 2 v2 endpoints

Copying OAuth 2 v2 endpoints

Create and Copy a Client Secret

  1. To create a client secret: From the Azure portal's left nav, select Certificate & secrets. Then select New client secret.
Accessing client secretsAccessing client secrets

Accessing client secrets

  1. Add a new client secret with a descriptive name, and an expiration timeframe.
Adding a client secretAdding a client secret

Adding a client secret

  1. Click Add.

  2. Immediately copy the Value and Secret ID from the resulting page. You'll need to paste the Value into LogStream's Authentication > Client secret field below.

Copy that secret!Copy that secret!

Copy that secret!


This is the only time the secret is shown! Make sure you copy it while it’s visible. (If you missed your chance, you can start over by creating a new secret.)

Configure Token and Claims

Here, you'll add the groups claim to the OIDC ID token.

  1. From the Azure portal's left nav, select Token configuration, then select Add groups claim.
Configuring a tokenConfiguring a token

Configuring a token

  1. Configure the groups claim as necessary, then click Add.
Editing the groups claimEditing the groups claim

Editing the groups claim


Unless you synchronize Azure AD with your on-premises Active Directory, AD will return only GUIDs for your group names. If you've synchronized, you'll then be able to configure returning the sAMAccountName instead.

  1. Your token is now configured, and you're all done on the Azure side.
Azure AD token configuration completeAzure AD token configuration complete

Azure AD token configuration complete

Configure LogStream Authentication

Switch to LogStream, and navigate to its global ‚öôÔłŹ¬†Settings (lower left)¬†> Access¬†Management > Authentication page. Configure this as indicated below (with reactions):

  • Type: OpenID¬†Connect. This will expose relevant fields, setting several default values and placeholders.

  • Provider¬†name: Enter an arbitrary identifier for this Azure¬†AD integration.

  • Audience: Enter your LogStream Leader instance's base URL. Use the format: https://<your‚ÄĎdomain.ext>:9000

  • Client¬†ID: Enter you r Azure AD Application¬†(client) ID. (In the Azure portal, see above to copy this from your app's Overview page.)

  • Client secret: Enter the Client¬†secret > Value that you earlier generated and copied from the Azure app's Certificates¬†&¬†secrets page.

  • Scope: Accept the default openid profile email scopes.

  • Authentication¬†URL: Paste the OAuth¬†2.0 authorization¬†endpoint that you copied above from the Azure app's Overview > Endpoints drawer.

  • Token¬†URL: Paste the OAuth¬†2.0 token¬†endpoint that you copied above from the Azure app's Overview > Endpoints drawer.

  • User¬†Info¬†URL, Logout¬†URL: Leave both fields blank.

  • User¬†identifier: Adjust this based on the endpoint you choose (v1 or v2) above. In¬†v2, the preferred_username, name, and email fields are set, matching this field's default values.

    In v1, only the name field is included in the token by default, so an acceptable entry here might be: `${unique_name || upn || username || name}`. You can check the token fields returned by enabling debug-level logging on LogStream's auth:sso channel.

  • Change the Filter¬†type to User info filter.

  • Optionally, enable Allow¬†local auth as a fallback login method.

Sample LogStream Authentication Settings for Azure AD (v2 endpoints)Sample LogStream Authentication Settings for Azure AD (v2 endpoints)

Sample LogStream Authentication Settings for Azure AD (v2 endpoints)

Sample User identifier entry for v1 endpointsSample User identifier entry for v1 endpoints

Sample User identifier entry for v1 endpoints

Map Azure AD Groups to LogStream Roles

Next, map your Azure AD groups to LogStream Roles. The group names might appear as GUIDs. You can translate these on the Azure AD Groups page.

Unless you synchronize Azure AD with your on-premises Active Directory, you will need to obtain the Group GUIDs from the Azure AD Groups page. Place these GUIDs in the mappings box and then choose the appropriate LogStream Role. Here is a simple example.

Azure AD groups...Azure AD groups...

Azure AD groups...

...mapped to LogStream Roles...mapped to LogStream Roles

...mapped to LogStream Roles

Updated 3 months ago

OpenID + Azure AD Configuration

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.