
SSO with Microsoft Entra ID (Cribl.Cloud)

This topic provides details to help you configure Single Sign-On (SSO) with Microsoft Entra ID as the identity provider (IdP).

To configure Microsoft Entra ID as an IdP, refer to the Microsoft Entra ID documentation.

This page describes how to configure SSO for Cribl.Cloud. For on-prem installations, see SSO with Microsoft Entra ID (On-Prem).

Set Up Fallback Access

Before you configure SSO, create a fallback user so that you aren't locked out of your Organization if SSO breaks. In your Cribl.Cloud Organization, invite a new Member using an email domain that is different from the corporate domain on which you're configuring SSO, and assign the Owner Permission to that Member. You can use this account to log in with a username and password and fix SSO issues if needed.

After you confirm that your SSO integration is working, you can remove the fallback user. If you do so, do not disable the SSO integration without first re-creating a fallback user. Otherwise, you might get locked out of your Organization.

Fallback Access and Non-Corporate Email Addresses

Fallback users with email addresses from a non-corporate domain cannot manage SSO settings. For these users, to restore access in case of issues with SSO:

  1. Log in as the fallback user and invite a new member with an email address from the corporate domain (the domain registered for SSO).

  2. Assign the Owner Permission to the new corporate domain user.

The newly invited Owner with an email address from the corporate domain can then log in and modify SSO settings to resolve the issue.

You can also contact Cribl support to delete or update an SSO connection if needed.

Limitations

Cribl offers a service provider-initiated (Cribl-initiated) workflow, but does not support an IdP-initiated SSO flow. To let users start login from the IdP's application portal, create a My Apps chiclet that points at the Cribl-initiated login URL (see SAML/Entra ID Setup with My Apps Chiclet below).

OIDC SSO with Microsoft Entra ID

This section provides OIDC SSO configuration details that are specific to using Microsoft Entra ID as the IdP. For general step-by-step procedures, read Configure OIDC SSO.

Configuring SSO in Cribl requires creating an OIDC application and a client secret, and adding a groups claim, in Microsoft Entra ID. Follow the instructions for each of these tasks in the Microsoft Entra ID documentation.

Make sure that the OIDC application includes at least one user so that you can test the configuration.

As you configure OIDC SSO, provide the values from the following fields in Cribl:

Field in Cribl              Field in Microsoft Entra ID
App integration name        Name
Sign-in redirect URIs       Redirect URI
Sign-out redirect URIs      Logout URL

When you register your app in Microsoft Entra ID, under Supported account types, select Accounts in this organizational directory only.

When you create the client secret in Microsoft Entra ID, copy the Value. This is the only time the Value is visible, so make sure to copy it. If you missed your chance, start over by creating a new secret. The Value is sensitive information and should be kept private.

You will need the following values from Microsoft Entra ID to finish SSO setup in Cribl:

Field in Microsoft Entra ID                                                      Field in Cribl
Application (client) ID                                                          Client ID
Value for the client secret                                                      Client secret
issuer value from Overview > Endpoints > OpenID Connect metadata document        Issuer URL

In the Advanced settings for SSO configuration in Cribl, set the following values:

  • Scopes: openid profile email (remove groups)
  • Read groups from: ID token claim
  • Profile attribute: groups

To configure groups claims in Microsoft Entra ID, update the manifest to emit group names in the format of sam_account_name for on-premises synced groups and cloud_displayname for cloud groups as shown in Configure groups optional claims in the Microsoft Entra ID documentation.

Synchronize Microsoft Entra ID with your on-prem Active Directory to configure returning sAMAccountName for group names. Otherwise, Microsoft Entra ID will return only Globally Unique Identifiers (GUIDs).

For the groups claim configuration, select Groups assigned to the application and set the Source attribute to sAMAccountName. Cloud-only groups have no sAMAccountName, so also enable Emit group name for cloud-only groups; that returns their display name instead of a GUID.

The field names and documentation for adding an OIDC application might change without notice due to product changes in Microsoft Entra ID. Refer to the Microsoft Entra ID documentation for the latest information.

SAML SSO with Microsoft Entra ID

This section provides SAML SSO configuration details that are specific to using Microsoft Entra ID as the IdP. For general step-by-step procedures, read Configure SAML SSO.

Configuring SSO in Cribl.Cloud requires a SAML 2.0 application in Microsoft Entra ID. Read Quickstart: Add an enterprise application and Overview of the Microsoft Entra application gallery to learn how to create an application in Microsoft Entra ID. Make sure that the SAML application includes at least one user so that you can test the configuration.

As you configure SAML SSO, provide the values from the following fields in Cribl.Cloud:

Field in Cribl.Cloud        Field in Microsoft Entra ID
Single Sign on URL          Reply URL (Assertion Consumer Service URL)
Audience URI                Identifier (Entity ID)

When you add the Single Sign-on URL values from Cribl.Cloud to Reply URL (Assertion Consumer Service URL), select the Default checkbox for the URL that includes connection.

You must also add Cribl.Cloud groups to the SAML application according to the Microsoft Entra ID documentation. Do not configure roles in Microsoft Entra ID. Instead, Cribl groups will manage access control.

Customize the user claim names in the SAML application in Microsoft Entra ID so that they match the attribute names that Cribl.Cloud expects (Cribl.Cloud looks up attributes by these exact names):

Claim name in Microsoft Entra ID    Attribute name in Cribl.Cloud
surname                             family_name
emailaddress                        email
givenname                           given_name

To configure the group claim to include the group display name for the cloud-only groups, select Groups assigned to the application and set the Source attribute to Cloud-only group display names.

If Microsoft Entra ID is synchronized with external Active Directory, select Groups assigned to the application and set the Source attribute to sAMAccountName. Otherwise, Microsoft Entra ID will return only Globally Unique Identifiers (GUIDs).

Enable Emit group name for cloud-only groups to return the group names if Microsoft Entra ID is defaulting to GUID or Object ID.

You will need the values from the following fields in the SAML application to finish SSO setup in Cribl.Cloud:

Field in Microsoft Entra ID                          Field in Cribl.Cloud
Login URL                                            IDP Login/Logout URL
Microsoft Entra ID Identifier                        IDP issuer
Certificate (Base64), under SAML Certificates        X.509 certificate (the IdP signing certificate)

The field names and documentation for adding a SAML application and configuring groups might change without notice due to product changes in Microsoft Entra ID. Refer to the Microsoft Entra ID documentation for the latest information.

General SSO Configuration in Cribl.Cloud

The procedures in this section generally describe how to configure OIDC SSO and SAML SSO in Cribl.Cloud using any IdP.

The registration binds SSO to the email domain of the authenticated user who configures SSO in Cribl.Cloud, regardless of the domain specified in the IdP configuration. Configure SSO from an account on the corporate domain, not from the non-corporate fallback user.

Configure OIDC SSO

  1. In Cribl.Cloud, in the sidebar, select Organization > SSO Management.

  2. Scroll down to the end of the Product-Level Mappings and select OIDC.

  3. In the IdP, create the OIDC application. Use the information from Cribl.Cloud under Web Application Settings:

    • App integration name: The name to use for the OIDC application you configure in the IdP.

    • Application type: The kind of OIDC application to integrate (Web).

    • Sign-in redirect URIs lists two URLs:

      • https://login.cribl.cloud/login/callback is the primary OIDC redirect URI, also called the callback URL. After a user authenticates with the IdP, the IdP sends an authorization code to this endpoint. Cribl.Cloud exchanges the authorization code for tokens and completes the login. Register this URI in the OIDC application in the IdP as an allowed redirect/callback URI.
      • https://manage.cribl.cloud/organizations/<organizationId>/sso is a testing URL to use during setup. After you successfully test the connection, remove this URL from the list of allowed redirect URIs in the IdP.
    • Sign-out redirect URIs: The endpoint where Cribl.Cloud redirects users after they log out. Register this URI in the OIDC application in the IdP settings to allow Cribl.Cloud to complete the logout flow.

    • Groups map key value: The key value to use to map groups from the IdP to Cribl.Cloud. Read Configuring SSO Groups for information about valid IdP group names and Permission mapping.

    • Scopes: The set of user attributes that the IdP should return to Cribl.Cloud in its authentication response. For example, if you omit the groups scope (or, for an IdP such as Microsoft Entra ID that emits groups as an optional claim rather than a scope, the groups claim), IdP group membership won't be available to Cribl.Cloud.

    For OIDC applications, Cribl.Cloud uses the authorization code flow: after the IdP redirects the browser back with a code, Cribl.Cloud exchanges that code for tokens over a back channel directly with the IdP, authenticating with the Client secret. Front-channel flows, in which the IdP returns tokens through the browser, are not supported via OIDC.

  4. After you create and save the OIDC application in the IdP, return to Cribl.Cloud to finish OIDC SSO setup. Scroll down to Cribl Cloud SSO settings and enter the following information from the OIDC application in the IdP:

    • Client ID: The unique identifier that the IdP assigned to the OIDC application. Cribl.Cloud uses the Client ID to identify itself to the IdP during authentication flows.

    • Client secret: The confidential string that the IdP generated for the OIDC application. Cribl.Cloud uses the Client secret to authenticate to the IdP when exchanging authorization codes for tokens. Keep the Client secret secure and do not expose it publicly.

    • Issuer URL: The unique URL that identifies the IdP as an OIDC authority. Cribl.Cloud uses the Issuer URL to discover the IdP metadata and to validate tokens. Provide the exact Issuer URL from the OIDC configuration in the IdP.

  5. Select Save.
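The checks implied by the Client ID and Issuer URL fields above, and by the groups-claim settings in the OIDC SSO with Microsoft Entra ID section, as an added Python example that is not Cribl's or Microsoft's code. It reads an Entra app manifest fragment to confirm the groups optional claim is configured to emit names (sam_account_name and cloud_displayname), and it decodes an ID token to compare iss, aud and exp with the values entered in Cribl.Cloud and to flag a groups claim that still carries object-ID GUIDs. The tenant ID, client ID, manifest fragment and token are constructed placeholders; the manifest property names and the v2.0 issuer format are the ones Entra ID uses. Signature verification is deliberately omitted: this is for inspecting claims while debugging, not for accepting tokens.

```python
# Added example (not Cribl's or Microsoft's code): inspect an Entra ID app manifest
# and an ID token to confirm the groups claim is set up as the page describes.
# All identifiers and the token below are constructed for this example.
import base64
import json
import re
import time

# Entra object IDs look like this; group names do not. If every value in the
# groups claim matches, name emission has not been configured.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")

TENANT_ID = "11111111-2222-3333-4444-555555555555"   # constructed placeholder
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # constructed placeholder
# Entra's v2.0 issuer for a single tenant: the "issuer" value in the OpenID
# Connect metadata document, which goes into Cribl's Issuer URL field.
ISSUER_URL = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# Manifest fragment (constructed) with the groups optional claim configured for
# Groups assigned to the application, emitting sam_account_name for synced
# groups and cloud_displayname for cloud-only groups.
GOOD_MANIFEST = {
    "groupMembershipClaims": "ApplicationGroup",
    "optionalClaims": {
        "idToken": [
            {"name": "groups", "source": None, "essential": False,
             "additionalProperties": ["sam_account_name", "cloud_displayname"]}
        ]
    },
}


def check_manifest(manifest: dict) -> list:
    """Return a list of problems with the groups-claim settings in an Entra app manifest."""
    problems = []
    if manifest.get("groupMembershipClaims") != "ApplicationGroup":
        problems.append("groupMembershipClaims is not 'ApplicationGroup' "
                        "(Groups assigned to the application)")
    id_token_claims = (manifest.get("optionalClaims") or {}).get("idToken") or []
    groups_claims = [c for c in id_token_claims if c.get("name") == "groups"]
    if not groups_claims:
        problems.append("no 'groups' optional claim configured for the ID token")
    else:
        have = set(groups_claims[0].get("additionalProperties") or [])
        missing = {"sam_account_name", "cloud_displayname"} - have
        if missing:
            problems.append("groups claim lacks additionalProperties: "
                            + ", ".join(sorted(missing)))
    return problems


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with an empty signature, for offline inspection only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_id_token(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature. Cribl.Cloud does the
    cryptographic validation; this only reads claims while debugging a connection."""
    _header, payload, _signature = token.split(".")
    return json.loads(_unb64url(payload))


def check_id_token(claims: dict, issuer_url: str, client_id: str, now=None) -> list:
    """Compare ID token claims with the Issuer URL and Client ID entered in Cribl.Cloud."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer_url:
        problems.append(f"iss {claims.get('iss')!r} does not match Issuer URL")
    if claims.get("aud") != client_id:
        problems.append(f"aud {claims.get('aud')!r} does not match Client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    groups = claims.get("groups")
    if not isinstance(groups, list) or not groups:
        problems.append("no groups claim: Cribl.Cloud cannot map Permissions")
    elif all(GUID_RE.match(str(g)) for g in groups):
        problems.append("groups are object IDs (GUIDs), not names: "
                        "configure sam_account_name / cloud_displayname emission")
    return problems


# Constructed claim sets: one with group names, one with the GUIDs Entra emits by default.
GOOD_CLAIMS = {"iss": ISSUER_URL, "aud": CLIENT_ID, "exp": 1_900_000_000,
               "email": "jdoe@example.com", "groups": ["cribl-owners"]}
GUID_CLAIMS = dict(GOOD_CLAIMS, groups=["3f2504e0-4f89-11d3-9a0c-0305e82c3301"])

if __name__ == "__main__":
    print("manifest:", check_manifest(GOOD_MANIFEST) or "ok")
    for label, claims in (("names", GOOD_CLAIMS), ("guids", GUID_CLAIMS)):
        token = make_unsigned_token(claims)
        print(label, check_id_token(decode_id_token(token), ISSUER_URL, CLIENT_ID) or "ok")
```

To use this against a real connection, paste the ID token captured from a test login into decode_id_token and your app's exported manifest into check_manifest; a GUID-only groups claim is the usual reason Cribl.Cloud Permission mapping silently fails.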

Configure SAML SSO

  1. In Cribl.Cloud, in the sidebar, select Organization > SSO Management.

  2. Scroll down to the end of the Product-Level Mappings and select SAML.

  3. In the IdP, create the SAML application. Use the information from Cribl.Cloud under Web Application Settings and SAML Assertion Mappings:

    • Web Application Settings > Single Sign on URL lists two URLs:

      • https://login.cribl.cloud/login/callback?connection=<organizationId> is the Assertion Consumer Service (ACS) URL. This is the endpoint that receives and processes authentication responses from the IdP.
      • https://manage.cribl.cloud/api/assert is a testing URL to use during setup. After you successfully test the connection, replace this URL with https://login.cribl.cloud/login/callback?connection=<organizationId> in the SAML application.
    • Web Application Settings > Audience URI: The SAML entity ID for Cribl.Cloud. The Audience URI is a unique string that identifies Cribl.Cloud in SAML assertions. The IdP sets it as the intended recipient of the assertion, so an assertion issued for another service provider cannot be replayed against Cribl.Cloud.

    • SAML Assertion Mappings define the attribute names that Cribl.Cloud must receive in the SAML assertions from the IdP to correctly provision and authorize users:

      • email: The user’s email address (used as the user’s unique identifier).
      • given_name: The user’s first name.
      • family_name: The user’s last name.
      • groups: The user’s group memberships (used for role-based access control and Team assignments). Read Configuring SSO Groups for information about valid IdP group names and Permission mapping.
  4. After you create and save the SAML application in the IdP, return to Cribl.Cloud to finish setting up SAML SSO. Scroll down to SAML configuration and enter the following information from the SAML application in the IdP:

    • IDP Login/Logout URL: The SAML SSO endpoint URL for the IdP, where Cribl.Cloud should send SAML authentication requests. If the IdP supports SAML Single Logout (SLO) at the same endpoint, Cribl will use this URL for both login and logout flows.

    • IDP issuer: The SAML entity ID for the IdP. The IdP issuer is a unique string (often a URI or URL) that identifies the IdP in SAML assertions. Cribl uses the IdP issuer to validate the authenticity of SAML responses.

    • X.509 certificate (base64-encoded): The public certificate that the IdP uses to sign SAML responses. Paste the entire PEM-encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  5. Select Save.
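The validation that the SAML Assertion Mappings, Audience URI and IDP issuer fields above call for, applied to a response shaped like the one Microsoft Entra ID sends after the claim names are customized as in the SAML SSO with Microsoft Entra ID section, as an added Python example that is not Cribl's or Microsoft's code. It checks the response Destination and SubjectConfirmationData Recipient against the ACS URL, the assertion Issuer against the IDP issuer, the AudienceRestriction against the Audience URI, and that email, given_name, family_name and groups are present with groups carrying names rather than GUIDs. The organization ID, Audience URI string, tenant ID and the response itself are constructed; the sts.windows.net issuer shape is what Entra ID shows as Microsoft Entra ID Identifier. Signature verification against the IdP certificate is intentionally left out because Cribl.Cloud performs it.

```python
# Added example (not Cribl's or Microsoft's code): validate a SAML Response against
# the values entered in Cribl.Cloud and extract the mapped attributes.
# All identifiers and the response below are constructed for this example.
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")
REQUIRED_ATTRS = ("email", "given_name", "family_name", "groups")

ORG_ID = "org-0123456789"                                   # constructed placeholder
ACS_URL = f"https://login.cribl.cloud/login/callback?connection={ORG_ID}"
AUDIENCE_URI = "urn:cribl:cloud:org-0123456789"             # constructed placeholder
TENANT_ID = "11111111-2222-3333-4444-555555555555"          # constructed placeholder
# Shape of the "Microsoft Entra ID Identifier" shown on the SAML-based sign-on page.
IDP_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"


def build_sample_response(audience=AUDIENCE_URI, recipient=ACS_URL,
                          groups=("cribl-owners", "cribl-readers")) -> str:
    """Constructed, unsigned SAML Response with claims renamed to Cribl's attribute names."""
    group_values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{recipient}" ID="_resp1" Version="2.0">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="family_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">{group_values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(assertion) -> dict:
    """Map each Attribute Name to its list of values (groups is multi-valued)."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_saml_response(xml_text: str, idp_issuer: str, audience_uri: str, acs_url: str):
    """Return (attributes, problems). Signature verification against the IdP's X.509
    certificate is out of scope here; Cribl.Cloud performs it with the pasted certificate."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Response Destination is not the ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return {}, problems + [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_issuer:
        problems.append(f"Assertion Issuer {issuer!r} does not match IDP issuer")
    audiences = [e.text for e in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience_uri not in audiences:
        problems.append(f"Audience {audiences} does not include the Audience URI")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    attrs = extract_attributes(a)
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing attribute {name!r}: customize the claim name in Entra ID")
    groups = attrs.get("groups", [])
    if groups and all(GUID_RE.match(g) for g in groups):
        problems.append("groups are object IDs (GUIDs): set the Source attribute to "
                        "sAMAccountName or the cloud-only group display name")
    return attrs, problems


if __name__ == "__main__":
    attrs, problems = check_saml_response(build_sample_response(), IDP_ISSUER, AUDIENCE_URI, ACS_URL)
    print(attrs, problems or "ok")
```

When debugging a real login, capture the SAMLResponse form field from the browser, base64-decode it, and pass the XML to check_saml_response with the three values you entered in Cribl.Cloud; a mismatch in any of them is reported by name rather than as a generic login failure.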

Verify that SSO Is Working

  1. In Cribl.Cloud, in the sidebar, select Organization > SSO Management.

  2. Scroll to the bottom of the page and select Test Connection.

If the test encounters a configuration error, Cribl.Cloud displays an error message.

SAML/Entra ID Setup with My Apps Chiclet (Optional)

If you want to log into Cribl.Cloud via the Microsoft My Apps chiclet, complete the following procedure:

  1. In Microsoft Entra ID, navigate to the enterprise application that you created to integrate SSO.

  2. From the left nav, select Single Sign-on.

  3. On the Enterprise Application’s Basic SAML Configurations page, select Edit.

  4. In the Sign on URL (Optional) section, enter the following URL:

    https://manage.cribl.cloud/login?connection=<organizationId> (where <organizationId> is your Cribl.Cloud Organization’s ID).

You also need to allow self-service access to the Cribl application, or assign Microsoft Entra ID groups to the application, so that users see the chiclet in My Apps.

Troubleshooting

If you encounter issues when setting up SSO, refer to SSO Troubleshooting in Cribl.Cloud.