These docs are for Cribl Edge 4.12 and are no longer actively maintained.
See the latest version (4.13).
SSO with Ping Identity (On-Prem)
This topic explains how to configure Single Sign-On (SSO) using Security Assertion Markup Language (SAML) in Cribl with Ping Identity as the identity provider (IdP).
To configure Ping Identity as an IdP, refer to the Ping Identity documentation.
Before you begin, make sure to enable TLS for UI access.
This page describes how to configure SSO for on-prem installations. For Cribl.Cloud, see SSO with Ping Identity (Cribl.Cloud).
Set Up Fallback Access
When you configure OIDC or SAML SSO, enable local authenticaton to ensure that users aren’t locked out if you have issues with SSO. Local authentication provides fallback access so that users can log in with a username and password.
In the sidebar, select Settings > Global.
Under Access Management, select Authentication.
In the Type drop-down menu, select OpenID Connect or SAML 2.0.
In the configuration options, enable Allow login as Local User. Enabling this option means that the login page will include the Log in as Local User button so that users can log in with a username and password.
After you confirm that your SSO integration is working, you can disable Allow login as Local User in the SSO configuration. If you do get locked out, see Manual Password Replacement.
SAML SSO with Ping Identity
This section provides SAML SSO configuration details that are specific to using Ping Identity as the IdP. For general step-by-step procedures, read Configure SAML SSO.
Configuring SSO in Cribl requires a SAML 2.0 application in Ping Identity. Read Add a SAML application in the Ping Identity documentation for more information. Make sure that the SAML application includes at least one user so that you can test the configuration.
When you create the SAML application as you configure SAML SSO, provide the values from the following fields in Cribl:
| Field in Cribl | Field in Ping Identity |
|---|---|
| Sign-on callback URL | ACS URLs |
| Audience (SP entity ID) | Entity ID |
After you save the SAML application, you will need the values from the following fields to finish SSO setup in Cribl:
| Field in Ping Identity | Field in Cribl |
|---|---|
| Issuer ID | Issuer (IDP entity ID) |
| Single Signon Service | Single sign-on (SSO) URL |
| Signing Certificate | Response validation certificate |
The field names and documentation for adding a SAML application in Ping Identity might change without notice due to product changes in Ping Identity. Refer to the Ping Identity documentation for the latest information.
General SSO Configuration in Cribl
The procedures in this section generally describe how to configure SAML SSO in Cribl using any IdP.
Configure SAML SSO
In Cribl, in the sidebar, select Settings > Global.
Under Access Management, select Authentication.
From the Type dropdown, choose
SAML 2.0.In the Audience (SP entity ID) field, enter the base URL of your Cribl instance (for example,
https://yourDomain.com:9000). Do not append a trailing slash, and make sure that your URL uses the HTTPS protocol.If you have a Distributed deployment with a fallback Leader configured, modify the Audience (SP entity ID) field to point to the load balancer instead of the Leader Node.
The following URLs automatically populate using the URL that you enter as the Audience (SP entity ID). Depending on the IdP, you might use some or all of these URLs, in addition to the Audience (SP entity ID), to create the SAML application in the next step:
Sign-on callback URL: The Assertion Consumer Service (ACS) URL. After a user authenticates with the IdP, this URL receives and processes the SAML assertion (authentication response) from the IdP to complete the login.
Logout callback URL: The Single Logout (SLO) endpoint. If you enable SLO in the SAML application, the IdP sends logout requests and responses to this URL so that Cribl can process SAML logout flows, ensuring that users are logged out from both Cribl and the IdP.
Metadata URL: The endpoint that serves the SAML Service Provider (SP) metadata in XML format. This metadata describes Cribl’s SAML endpoints, certificates, and configuration. You can include the Metadata URL in the SAML application settings if the IdP supports importing metadata.
Leave the Authentication page open in Cribl. You will complete setup in Cribl with information from your SAML application in a later step.
In the IdP, create and save the SAML application.
Return to the Authentication page in Cribl to complete SSO setup.
In the Authentication page, enter the following required information from the SAML application:
Issuer (IDP entity ID): The SAML entity ID for the IdP. The IDP issuer is a unique string (often a URI or URL) that identifies the IdP in SAML assertions. Cribl uses the IDP issuer to validate the authenticity of SAML responses.
Single sign-on (SSO) URL: The SAML SSO endpoint URL for the IdP, where Cribl should send SAML authentication requests. If the IdP supports SLO at the same endpoint, Cribl will use this URL for both login and logout flows.
Response validation certificate: The public certificate that the IdP uses to sign SAML responses. Paste the entire PEM-encoded certificate, including the
-----BEGIN CERTIFICATE-----and-----END CERTIFICATE-----lines.
Review the other fields on the Authentication page and update their values as needed depending on the IdP and your desired configuration.
To prevent lockout, we strongly recommend enabling Allow login as Local User until you’re certain that external authentication is working as intended. If you do get locked out, see Manual Password Replacement.
Select Save.
Verify that SSO Is Working
Log out of Cribl and verify that login page includes a button for the IdP.
Select Log in with … (the button should include the name of the IdP that you configured).
Cribl should redirect you to the IdP to authenticate.
Map Ping Identity Groups to Cribl Edge Roles
Mapping IDP groups to Cribl Roles is possible only for Cribl Edge deployments that are in Distributed mode, with an Enterprise license. With a Standard license, all your external users will be imported to Cribl Edge in the admin role.
If you are running Cribl Edge in Single-instance mode, you cannot map Ping Identity groups to Cribl Edge Roles, although you can still set up SSO with Ping Identity.
As you think through how best to map your Ping Identity groups to Cribl Edge Roles, keep these principles in mind:
- A Ping Identity group can map to more than one Cribl Edge Role.
- A Cribl Edge Role can map to more than one Ping Identity group.
- If a user has multiple Roles, Cribl Edge applies the union of the most permissive levels of access.
- Cribl Edge automatically assigns the default Role to any user who has no mapped Roles.
For details on mapping your external identity provider’s configured groups to corresponding Cribl Edge user access Roles, see External Groups and Roles.
You can assign a Cribl Edge Role to each Ping Identity group name, and you can specify a default Role for users who are not in any groups.
In Cribl Edge, in the sidebar, select Settings > Global.
Under Access Management, select Authentication.
Scroll down to Role Mapping. We recommend that you set the
defaultRole touser, meaning that this Role will be assigned to users who are not in any groups.Add mappings as needed. The Ping Identity group names in the left column are case-sensitive, and must match the values returned by Ping Identity.
Troubleshooting
If you encounter issues when setting up SSO integration, refer to SSO Troubleshooting (On-Prem).