
SSO with Ping Identity (Cribl.Cloud)

This topic provides details to help you configure Single Sign-On (SSO) using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML) with Ping Identity as the identity provider (IdP).

To configure Ping Identity as an IdP, refer to the Ping Identity documentation.

This page describes how to configure SSO for Cribl.Cloud. For on-prem installations, see SSO with Ping Identity (On-Prem).

Set Up Fallback Access

Before you configure SSO, create a fallback user so that you aren’t locked out of your Organization if you have issues with SSO. In your Cribl.Cloud Organization, invite a new Member using an email domain that’s different from the corporate domain on which you’re configuring SSO. Assign the Owner Permission for the Member. You can use this account to log in with a username and password and fix SSO issues if needed.

After you confirm that your SSO integration is working, you can remove the fallback user. If you do so, do not disable the SSO integration without first re-creating a fallback user. Otherwise, you might get locked out of your Organization.

OIDC SSO with Ping Identity

This section provides OIDC SSO configuration details that are specific to using Ping Identity as the IdP. For general step-by-step procedures, read Configure OIDC SSO.

Configuring OIDC SSO requires an OIDC application in Ping Identity. Read Adding an application and Editing an application - OIDC in the Ping Identity documentation for more information. Make sure that the OIDC application includes at least one user so that you can test the configuration.

When you create the OIDC application as you configure OIDC SSO, provide the values from the following fields in Cribl.Cloud:

| Field in Cribl.Cloud | Field in Ping Identity |
| --- | --- |
| App integration name | Application Name |
| Sign-in redirect URIs | Redirect URIs |
| Sign-out redirect URIs | Signoff URLs |
| Groups map key value | Resources > Attributes |
| Scopes | Resources > Scopes |

In addition, configure the OIDC application to use the following settings:

  • Response Type: Code
  • Grant Type: Authorization Code
  • PKCE Enforcement: Optional
  • Refresh Token Configuration: Configure according to your best practices
  • Token Endpoint Authentication Method: Client Secret Post

After you save the OIDC application, you will need the values from the following fields to finish SSO setup in Cribl.Cloud:

| Field in Ping Identity | Field in Cribl |
| --- | --- |
| Client ID | Client ID |
| Client Secret | Client secret |
| Signon URL | Issuer URL |

The field names and documentation for adding an OIDC application in Ping Identity might change without notice due to product changes in Ping Identity. Refer to the Ping Identity documentation for the latest information.

SAML SSO with Ping Identity

This section provides SAML SSO configuration details that are specific to using Ping Identity as the IdP. For general step-by-step procedures, read Configure SAML SSO.

Configuring SSO in Cribl.Cloud requires a SAML 2.0 application in Ping Identity. Read Add a SAML application in the Ping Identity documentation for more information. Make sure that the SAML application includes at least one user so that you can test the configuration.

When you create the SAML application as you configure SAML SSO, provide the values from the following fields in Cribl.Cloud:

| Field in Cribl.Cloud | Field in Ping Identity |
| --- | --- |
| Single Sign on URL | ACS URLs |
| Audience URI | Entity ID |

After you save the SAML application, you will need the values from the following fields to finish SSO setup in Cribl.Cloud:

| Field in Ping Identity | Field in Cribl.Cloud |
| --- | --- |
| Single Signon Service | IDP Login/Logout URL |
| Issuer ID | IDP issuer |
| Signing Certificate | X.509 certificate (base64-encoded) |

The field names and documentation for adding a SAML application in Ping Identity might change without notice due to product changes in Ping Identity. Refer to the Ping Identity documentation for the latest information.

General SSO Configuration in Cribl.Cloud

The procedures in this section generally describe how to configure OIDC SSO and SAML SSO in Cribl.Cloud using any IdP.

Configure OIDC SSO

  1. In Cribl.Cloud, in the sidebar, select Organization > SSO Management.

  2. Scroll down to the end of the Product-Level Mappings and select OIDC.

  3. In the IdP, create the OIDC application. Use the information from Cribl.Cloud under Web Application Settings:

    • App integration name: The name to use for the OIDC application you configure in the IdP.

    • Application type: The kind of OIDC application to integrate (Web).

    • Sign-in redirect URIs lists two URLs:

      • https://login.cribl.cloud/login/callback is the primary OIDC redirect URI, also called the callback URL. After a user authenticates with the IdP, the IdP sends an authorization code to this endpoint. Cribl.Cloud exchanges the authorization code for tokens and completes the login. Register this URI in the OIDC application in the IdP as an allowed redirect/callback URI.
      • https://manage.cribl.cloud/organizations/<organizationId>/sso is a testing URL to use during setup. After you successfully test the connection, remove this URL from the list of allowed redirect URIs in the IdP.
    • Sign-out redirect URIs: The endpoint where Cribl.Cloud redirects users after they log out. Register this URI in the OIDC application in the IdP settings to allow Cribl.Cloud to complete the logout flow.

    • Groups map key value: The key value to use to map groups from the IdP to Cribl.Cloud. Read Configuring SSO Groups for information about valid IdP group names and Permission mapping.

    • Scopes: The set of user attributes that the IdP should return to Cribl.Cloud in its authentication response. For example, if you omit the group scope in the OIDC application, IdP group membership won’t be available to Cribl.Cloud.

    For OIDC applications, you must use backchannel authentication. Cribl.Cloud does not support front-channel authentication via OIDC.

  4. After you create and save the OIDC application in the IdP, return to Cribl.Cloud to finish OIDC SSO setup. Scroll down to Cribl Cloud SSO settings and enter the following information from the OIDC application in the IdP:

    • Client ID: The unique identifier that the IdP assigned to the OIDC application. Cribl.Cloud uses the Client ID to identify itself to the IdP during authentication flows.

    • Client secret: The confidential string that the IdP generated for the OIDC application. Cribl.Cloud uses the Client secret to authenticate to the IdP when exchanging authorization codes for tokens. Keep the Client secret secure and do not expose it publicly.

    • Issuer URL: The unique URL that identifies the IdP as an OIDC authority. Cribl.Cloud uses the Issuer URL to discover the IdP metadata and to validate tokens. Provide the exact Issuer URL from the OIDC configuration in the IdP.

  5. Select Save.
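A pre-flight check of the IdP's OIDC discovery metadata against the settings this page asks for (exact Issuer URL, Response Type Code, Authorization Code grant, Client Secret Post). This is an added example, not Cribl or Ping Identity code; the `idp.example.com` host, the sample document and the scope names passed in are constructed assumptions.

```python
import json

# Constructed discovery document for a hypothetical IdP (idp.example.com).
# A real one is served at <Issuer URL>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com/env-1234/as",
  "authorization_endpoint": "https://idp.example.com/env-1234/as/authorize",
  "token_endpoint": "https://idp.example.com/env-1234/as/token",
  "jwks_uri": "https://idp.example.com/env-1234/as/jwks",
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "scopes_supported": ["openid", "profile", "email"]
}""")


def preflight(issuer_url, discovery, required_scopes):
    """Return a list of problems; an empty list means the metadata fits."""
    problems = []
    # OIDC Discovery requires the advertised issuer to be identical to the
    # configured Issuer URL, so a trailing slash alone is a mismatch.
    if discovery.get("issuer") != issuer_url:
        problems.append(f"issuer mismatch: {discovery.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(discovery.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    # Defaults below are the ones OIDC Discovery defines for omitted fields.
    grants = discovery.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("grant type 'authorization_code' not advertised")
    methods = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_post" not in methods:
        problems.append("auth method 'client_secret_post' not advertised")
    missing = sorted(set(required_scopes) - set(discovery.get("scopes_supported", [])))
    if missing:
        problems.append(f"scopes not advertised: {missing}")
    return problems
```

`scopes_supported` is optional in discovery metadata, so a scope reported as not advertised is a prompt to check the application's scope configuration in the IdP rather than proof that the scope is unavailable.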

Configure SAML SSO

  1. In Cribl.Cloud, in the sidebar, select Organization > SSO Management.

  2. Scroll down to the end of the Product-Level Mappings and select SAML.

  3. In the IdP, create the SAML application. Use the information from Cribl.Cloud under Web Application Settings and SAML Assertion Mappings:

    • Web Application Settings > Single Sign on URL lists two URLs:

      • https://login.cribl.cloud/login/callback?connection=<organizationId> is the Assertion Consumer Service (ACS) URL. This is the endpoint that receives and processes authentication responses from the IdP.
      • https://manage.cribl.cloud/api/assert is a testing URL to use during setup. After you successfully test the connection, replace this URL with https://login.cribl.cloud/login/callback?connection=<organizationId> in the SAML application.
    • Web Application Settings > Audience URI: The SAML entity ID for Cribl.Cloud. The Audience URI is a unique string that identifies Cribl.Cloud in SAML assertions. The IdP uses the Audience URI to specify the intended recipient of the assertion and prevent replay attacks.

    • SAML Assertion Mappings define the attribute names that Cribl.Cloud must receive in the SAML assertions from the IdP to correctly provision and authorize users:

      • email: The user’s email address (used as the user’s unique identifier).
      • given_name: The user’s first name.
      • family_name: The user’s last name.
      • groups: The user’s group memberships (used for role-based access control and Team assignments). Read Configuring SSO Groups for information about valid IdP group names and Permission mapping.
  4. After you create and save the SAML application in the IdP, return to Cribl.Cloud to finish setting up SAML SSO. Scroll down to SAML configuration and enter the following information from the SAML application in the IdP:

    • IDP Login/Logout URL: The SAML SSO endpoint URL for the IdP, where Cribl.Cloud should send SAML authentication requests. If the IdP supports SAML Single Logout (SLO) at the same endpoint, Cribl will use this URL for both login and logout flows.

    • IDP issuer: The SAML entity ID for the IdP. The IDP issuer is a unique string (often a URI or URL) that identifies the IdP in SAML assertions. Cribl uses the IDP issuer to validate the authenticity of SAML responses.

    • X.509 certificate (base64-encoded): The public certificate that the IdP uses to sign SAML responses. Paste the entire PEM-encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  5. Select Save.
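A diagnostic for the SAML Assertion Mappings above: it reads a decoded assertion from a test login and reports a wrong issuer, a missing audience, or any of the four required attributes that is absent. This is an added example, not Cribl or Ping Identity code; the entity IDs and the sample assertion are constructed placeholders, and the sample deliberately sends groups under `memberOf` to show the failure.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRIBUTES = ("email", "given_name", "family_name", "groups")

# Constructed, unsigned assertion; issuer and audience values are placeholders.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com/env-1234</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>urn:example:audience-from-cribl-cloud</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="family_name"><saml:AttributeValue>Ruiz</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>cribl-admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_assertion(xml_text, expected_issuer, expected_audience):
    """Return a list of mapping problems found in a decoded SAML assertion."""
    root = ET.fromstring(xml_text.strip())
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer is {issuer!r}, expected {expected_issuer!r}")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience {expected_audience!r} not in {audiences}")
    # Collect attribute values by the exact Name the IdP sent.
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name):
            problems.append(f"attribute {name!r} missing or empty")
    return problems
```

The function does not verify the assertion's signature, so it is a mapping check for assertions captured from your own test login, not a substitute for signature validation against the IdP's X.509 certificate.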

Verify that SSO Is Working

  1. In Cribl.Cloud, in the sidebar, select Organization > SSO Management.

  2. Scroll to the bottom of the page and select Test Connection.

If the test encounters a configuration error, Cribl.Cloud will display an error message.

Troubleshooting

If you encounter issues when setting up SSO, refer to SSO Troubleshooting in Cribl.Cloud.