These docs are for Cribl Edge 4.11 and are no longer actively maintained.
See the latest version (4.13).
SSO with Ping Identity and SAML (Cribl.Cloud)
This page walks through setting up SAML SSO, using Ping Identity as the example.
This page is a guide for configuring SSO for Cribl.Cloud. For on-prem installations, see SSO with Ping Identity and SAML (on-prem).
Set Up Fallback Access
Before you start configuring SSO, set up fallback access so that you are not locked out if issues with SSO occur. To do this, you can create a fallback user or bypass SSO with multiple organizations.
Create a Fallback User
In your Cribl.Cloud Organization, ensure that at least one Owner creates a local account, using an email domain that’s separate from the corporate domain on which you’re configuring SSO.
After you confirm that your SSO integration is working, you can remove the fallback user. If you do so, do not disable the SSO integration without first re-creating the non-SSO user. Otherwise, you may get locked out of your Organization.
Bypass SSO with Multiple Organizations
If you have SSO configured and you want to sign up for an additional Cribl.Cloud Organization, you need to bypass SSO. Otherwise, you will be forced to log into your existing Organization, because SSO does Home Realm Discovery and recognizes your email address.
In that case, edit your login URL and delete the word identifier. For example:
Original URL:
https://login.cribl.cloud/u/login/identifier?state=<long_string_of_characters>
Edited URL:
https://login.cribl.cloud/u/login/?state=<long_string_of_characters>
When you use this URL, instead of forcing you through SSO, Cribl.Cloud will ask for a username and password.
If the permissions of the account you are trying to log in with are in a bad state, the method above may not work. In that case, try to resolve the permission issue using a fallback Owner. See Create a Fallback User for more information.
Retrieve URLs in Cribl
In Cribl, retrieve the URLs you will need to create your Ping Identity application for SSO.
In the sidebar, select Organization > SSO Management.
Scroll down to Web Application Settings and select SAML.
Note the values for Single Sign on URL and Audience URI. Single Sign on URL lists two URLs that you use for SAML configuration:
https://login.cribl.cloud/login/callback?connection=<$organizationID> is the URL you will use for the connection.
https://manage.cribl.cloud/api/assert is used during setup to test the connection. After you successfully test the connection, save the configuration and replace the second URL with the first one.
Create SAML 2.0 Application in Ping Identity
To create your SAML 2.0 application in Ping Identity:
In Ping Identity, in the sidebar, select Environments and choose your desired environment.
In the right panel, select Manage Environment.
Follow the Ping Identity tutorial to add a SAML application. Enter the URLs that you generated in Cribl as follows:
Field in Ping Identity | Field in Cribl
ACS URLs               | Single Sign on URL
Entity ID              | Audience URI
After you save the application, select it to display the Single Signon Service, Issuer ID, and Download Signing Certificate button. You will need this information to submit your application information to Cribl.
Submit Your App Info to Cribl
After you’ve created the SAML application in Ping Identity, provide Cribl with the essential metadata about your application to implement SSO setup on the Cribl side.
In the sidebar, select Organization > SSO Management.
Scroll down to Web Application Settings and select SAML. The Web Application Settings and SAML Assertion Mappings are prefilled based on the information you’ve registered with Cribl.
Under SAML configuration, enter the information from your Ping Identity application as follows:
Field in Cribl                       | Field in Ping Identity
IDP Login/Logout URL                 | Single Signon Service
IDP issuer                           | Issuer ID
X.509 certificate (base64-encoded)   | Signing Certificate
Select Save.
Verify that SSO with Ping Identity Is Working
Log out of Cribl Edge, and verify that the Log in with Saml 2.0 option appears on the login page.
Select Log in with Saml 2.0.
You should be redirected to Ping Identity to authenticate yourself, and the SAML connect flow should complete the authentication process.
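Once the login test succeeds, the values entered on both sides can be cross-checked offline. The following is an added example, not Cribl or Ping Identity code: the dictionary keys, the sample IDs and the dummy certificate bytes are constructed, and only the two URLs come from this page. It checks that the callback URL is listed as an ACS URL, that the setup-time test URL is no longer listed, that the Entity ID matches the Audience URI, and that the pasted certificate decodes to a complete DER structure.

```python
import base64, binascii, hashlib, re
from urllib.parse import urlsplit, parse_qs

# Both URLs are quoted on this page; all dict keys below are hypothetical names.
CALLBACK = ("https", "login.cribl.cloud", "/login/callback")
TEST_ACS = "https://manage.cribl.cloud/api/assert"  # setup-time test only

def cert_fingerprint(cert_text):
    """SHA-256 over the DER bytes of a PEM or bare-base64 certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", cert_text)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate is not valid base64: {exc}")
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("certificate does not decode to a DER SEQUENCE")
    # Compare the DER length header with the real size to catch a cut-off paste.
    n = der[1] & 0x7F if der[1] & 0x80 else 0
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    if 2 + n + length != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return hashlib.sha256(der).hexdigest()

def check_sso_settings(cfg):
    """Return a list of problems; an empty list means the values line up."""
    problems = []
    def is_callback(url):
        u = urlsplit(url)
        return (u.scheme, u.hostname, u.path) == CALLBACK and "connection" in parse_qs(u.query)
    if not any(is_callback(u) for u in cfg["ping_acs_urls"]):
        problems.append("no ACS URL is the login.cribl.cloud callback")
    if TEST_ACS in cfg["ping_acs_urls"]:
        problems.append("setup-time test URL is still an ACS URL")
    if cfg["ping_entity_id"] != cfg["cribl_audience_uri"]:
        problems.append("Entity ID differs from the Cribl Audience URI")
    try:
        cert_fingerprint(cfg["cribl_x509"])
    except ValueError as exc:
        problems.append(str(exc))
    return problems

# Constructed sample: placeholder IDs and a dummy DER blob, not a real certificate.
SAMPLE = {
    "ping_acs_urls": ["https://login.cribl.cloud/login/callback?connection=example-org"],
    "ping_entity_id": "urn:example:audience",
    "cribl_audience_uri": "urn:example:audience",
    "cribl_x509": base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode(),
}
```

The value returned by cert_fingerprint is the SHA-256 hash of the certificate's DER encoding, so it can be compared with the fingerprint of the signing certificate file downloaded from Ping Identity.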
Troubleshooting
If you encounter issues when setting up SSO integration, refer to SSO Troubleshooting.