SSO with Okta and SAML (On-Prem)

The Cribl Suite supports setting up SSO using SAML to provide user authentication (login/password) and authorization (by mapping SSO users to Cribl Roles).

This page presents a walkthrough of setting up a SAML SSO, using Okta as the example.

This page is a guide for configuring SSO for an on-prem installation. For Cribl.Cloud, see SSO with Okta and SAML (Cribl.Cloud).

Limitations

Cribl offers an SP-initiated (Cribl-initiated) flow, but does not support an IdP-initiated SSO flow. As an alternative, you can allow users to initiate login from your IdP instance by creating a chiclet.

Set Up Fallback Access

When you configure OIDC or SAML SSO, enable local authentication to ensure that users aren’t locked out if you have issues with SSO. Local authentication provides fallback access so that users can log in with a username and password.

  1. In the sidebar, select Settings > Global.

  2. Under Access Management, select Authentication.

  3. In the Type drop-down menu, select OpenID Connect or SAML 2.0.

  4. In the configuration options, enable Allow login as Local User. Enabling this option means that the login page will include the Log in as Local User button so that users can log in with a username and password.

After you confirm that your SSO integration is working, you can disable Allow login as Local User in the SSO configuration. If you do get locked out, see Manual Password Replacement.

Create SAML 2.0 App Integration

To create your app integration:

  1. In Okta, navigate to the Applications section and select Create App Integration.
  2. In Sign-in method, select SAML 2.0.
  3. Proceed with Next.

General Settings

  1. Configure the app integration’s General Settings with the options below:

     Setting | Description
     App integration name | Your application name.
     Logo | (Optional) Upload the Cribl logo. You can use a logo from the Cribl Press Kit.

SAML Settings

  1. In the Configure SAML tab, configure the following options:

     Setting | Description
     Single sign-on URL | Cribl Sign-on callback URL.
     Audience URI (SP Entity ID) | Cribl Audience (SP entity ID).
     Application username | A plain username, an email, or a custom username. In the SAML assertion’s subject statement, this is the value for NameID. By default, this value will be the username in the Cribl Suite. Alternatively, you can set a custom attribute statement in Okta, then set the Username field in Cribl to use that instead.

  2. Define custom Attribute Statements that Okta will insert in the SAML assertions shared with Cribl. This applies only when creating a custom Application username, as described in the previous step.
  3. Configure Group Attribute Statements. Similar to the previous step, except that here, Cribl supports creating a custom attribute whose value is one or more Okta groups that will populate Cribl’s Group name field.
  4. To check the SAML assertion in XML form, click Preview the SAML Assertion.
  5. Skip through the Feedback pane and Save your application.

Submit Your App Info to Cribl

Next, provide Cribl with essential details about your application to implement the SSO setup on the Cribl side.

  1. In Cribl Stream or Cribl Edge, in the sidebar, select Settings, then Global.

  2. In Access Management, select Authentication.

  3. From the Type dropdown, choose SAML 2.0.

  4. In the Audience (SP entity ID) field, enter the base URL of your Cribl instance, for example, https://yourDomain.com:9000. Do not append a trailing slash.

    If you have a Distributed deployment with a fallback Leader configured, modify the Audience (SP entity ID) field to point to the load balancer instead of the Leader Node.

  5. Return to your Okta environment, open the Sign On tab, and in the right pane select View SAML setup instructions. Use the provided fields to fill in the information in Cribl:

     Cribl field | Okta field
     Single sign-on (SSO) URL | Identity Provider Single Sign-On URL
     Single logout (SLO) URL | Identity Provider Single Logout URL
     Issuer (IDP entity ID) | Identity Provider Issuer
     Response validation certificate | X.509 Certificate

Map Okta Groups to Cribl Teams or Roles

Okta group membership alone does not define access rights in Cribl. You must use mapping to explicitly associate Okta groups with Cribl access rights. Whether to use Team or Role mapping depends on which Cribl access control model you use.

Map Okta Groups to Cribl Teams

Use the Team tab at Settings > Global > Access Management > Members and Teams (rather than the Okta configuration) to map Okta groups to a Cribl Team as follows:

  1. In the Mapping ID field, enter the exact name (case-sensitive) of the Okta group that you want to map to the Team.

  2. Select Add ID to map more than one Okta group to the Team as needed.

  3. Select Save. The users assigned to the specified Okta groups will have the Permissions that are configured for the Team.

Map Okta Groups to Cribl Roles

On Distributed deployments (Stream, Edge) with an Enterprise License, the Authentication page at Settings > Global > Access Management > Authentication includes a Role mapping section. With a Standard license, all external users will be imported to Cribl with the admin Role. If you are running Cribl Stream or Cribl Edge in Single-instance mode, you cannot map Okta groups to Cribl Roles, although you can still set up SSO with Okta.

Use these fields in the Role mapping section to map IdP Groups to Cribl Roles as follows:

  • Default role: Default Cribl Role to assign to all IdP groups that are not explicitly mapped. Cribl recommends that you set the Default role to user, meaning that this Role will be assigned to users who are not in any groups.

  • Mapping: On each mapping row, enter the IdP group name (case-sensitive) on the left, and select the corresponding Cribl Role in the right drop-down list. Click Add Mapping to add more rows for additional mappings. Okta group names in the left column must match the values returned by Okta (those you saw earlier when configuring Okta and SAML).

Example Cribl Role Mapping

Keep these principles in mind when you map IdP groups to Cribl Roles:

  • An Okta group can map to more than one Cribl Role. Likewise, a Cribl Role can map to more than one Okta group.
  • If a user has no mapped Roles, Cribl automatically assigns the Default role that you specify.
  • If a user has multiple Roles, Cribl applies the most permissive levels of access.
  • The value used to identify groups in Okta is case-sensitive and must exactly match the value that you enter in the Cribl Role mapping configuration.
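The mapping principles above, worked through in code. This is an added example, not Cribl’s own implementation: the assertion XML, the attribute name "groups", and the mapping table are constructed for illustration. It shows how a group value with the wrong case ("Cribl-Admins") fails to match and how a user with no matching groups falls back to the Default role.

```python
"""Extract NameID and the group attribute from a SAML 2.0 assertion, then
apply a Cribl-style Role mapping (exact, case-sensitive match; default role
when nothing matches). Added example with constructed sample data."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, shaped like Okta's "Preview the SAML Assertion" output
# (trimmed to Subject and AttributeStatement).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>cribl-editors</saml2:AttributeValue>
      <saml2:AttributeValue>Cribl-Admins</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Assumed Role mapping rows (IdP group -> Cribl Roles). Keys are matched
# case-sensitively, as Cribl does.
ROLE_MAPPING = {
    "cribl-admins": ["admin"],
    "cribl-editors": ["editor"],
    "cribl-readers": ["reader"],
}
DEFAULT_ROLE = "user"


def parse_assertion(xml_text, group_attr="groups"):
    """Return (NameID, [group values]) from the assertion XML."""
    root = ET.fromstring(xml_text)
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    groups = []
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == group_attr:
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    subject = name_id.text.strip() if name_id is not None and name_id.text else None
    return subject, groups


def map_roles(groups, mapping=ROLE_MAPPING, default_role=DEFAULT_ROLE):
    """Union of Roles from every exactly-matching group, else the default."""
    roles = []
    for group in groups:
        for role in mapping.get(group, []):  # "Cribl-Admins" != "cribl-admins"
            if role not in roles:
                roles.append(role)
    return roles or [default_role]
```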

Verify that SSO with Okta Is Working

  1. Log out of the Cribl Suite, and verify that Okta is now an option on the login page.
  2. Select Log in with Okta.
  3. You should be redirected to Okta to authenticate yourself.
  4. The SAML connect flow should complete the authentication process.

Get Temporary Access Credentials for AWS S3 Buckets

You can use your SSO/SAML IdP to issue temporary access credentials so your on-prem Stream Worker or Edge Node can access AWS S3 buckets.

Call the AssumeRoleWithSAML API endpoint. It returns temporary STS credentials: an access key ID, a secret access key, and a session token. These can be written into the ~/.aws/credentials file, which Cribl will pick up because it uses the native AWS SDK.

You can set up multiple S3 Sources with different credentials. Cribl relies on the AWS SDK for authentication support, and the SDK evaluates credentials in the following order:

  1. Loaded from AWS Identity and Access Management (IAM) roles for Amazon EC2.
  2. Loaded from the shared credentials file (~/.aws/credentials).
  3. Loaded from environment variables.
  4. Loaded from a JSON file on disk.
  5. Other credential-provider classes provided by the JavaScript SDK.

To enable the use of multiple Sources, set the S3 Source Authentication method to Auto.

See the AWS SDK documentation and AWS CLI documentation for further information on setting credentials.
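The credential hand-off described above, as an added example (not Cribl’s or Okta’s code): one function makes the AssumeRoleWithSAML call, and a second writes the three returned values into a profile in the shared credentials file. The role and principal ARNs, the region, the profile name and the sample credentials are placeholders; the STS call needs boto3 and network access, while the file writer runs offline.

```python
"""Exchange a SAML assertion for temporary STS credentials and store them in
~/.aws/credentials, the shared credentials file the AWS SDK inside Cribl reads.
Added example; ARNs, profile name and sample credentials are constructed."""
import configparser
import os

# Constructed sample of the Credentials element STS returns (not real keys).
SAMPLE_CREDENTIALS = {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "exampleSecretAccessKey",
    "SessionToken": "exampleSessionToken",
}


def assume_role_with_saml(role_arn, principal_arn, saml_assertion_b64,
                          duration=3600, region="us-east-1"):
    """Call STS AssumeRoleWithSAML (unsigned call; needs boto3 and network).
    saml_assertion_b64 is the base64-encoded SAMLResponse from the IdP."""
    import boto3  # imported lazily so write_profile works without boto3
    sts = boto3.client("sts", region_name=region)
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=principal_arn,
        SAMLAssertion=saml_assertion_b64,
        DurationSeconds=duration,
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


def write_profile(credentials, profile="default", path=None):
    """Create or update [profile] with the three STS values; returns file text."""
    path = path or os.path.expanduser("~/.aws/credentials")
    cfg = configparser.ConfigParser()
    cfg.read(path)  # keep any other profiles already in the file
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg.set(profile, "aws_access_key_id", credentials["AccessKeyId"])
    cfg.set(profile, "aws_secret_access_key", credentials["SecretAccessKey"])
    cfg.set(profile, "aws_session_token", credentials["SessionToken"])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # secrets on disk: owner read/write only
    with open(path) as fh:
        return fh.read()
```

Re-run the exchange before the session token expires; the credentials STS issues are temporary.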

SAML/Okta Chiclet Setup (Optional)

If you want to initiate login from an Okta instance on which you have configured SAML authentication, an Okta admin can configure an app integration as follows:

  1. From Okta’s left nav, select the Applications page.
  2. Select Browse App Catalog.
  3. From the resulting catalog, use the search bar to find and select the Bookmark App application.
  4. From that application’s page, select Add Integration.
  5. On the General settings page, enter an Application label that will identify this app as supporting Cribl login. (Cribl is a good choice, but the label is arbitrary.)
  6. In the URL field, enter the <host>:<port> of your Cribl Leader Node.
  7. Confirm with Done.
  8. Select Assign and assign all of the Cribl groups to the application.
  9. The Cribl chiclet should now be available for all users in the Cribl groups you’ve assigned.

Troubleshooting

If you encounter issues when setting up SSO integration, refer to SSO Troubleshooting.