
SSO with Okta and SAML (Cribl.Cloud)

This page walks through setting up SAML SSO, using Okta as the example.

This page is a guide for configuring SSO for a Cribl.Cloud deployment. For information about an on-prem installation, see SSO with Okta and SAML (on-prem).

Limitations

Cribl offers an SP-initiated (Cribl-initiated) flow, but does not support an IDP-initiated SSO flow. As an alternative, you can allow users to initiate login from your IDP instance by creating a chiclet.

Set Up Fallback Access

Before you configure SSO, create a fallback user so that you aren’t locked out of your Organization if you have issues with SSO. In your Cribl.Cloud Organization, invite a new Member using an email domain that’s different from the corporate domain on which you’re configuring SSO. Assign the Owner Permission to the Member. You can use this account to log in with a username and password and fix SSO issues if needed.

After you confirm that your SSO integration is working, you can remove the fallback user. If you do so, do not disable the SSO integration without first re-creating a fallback user. Otherwise, you might get locked out of your Organization.

Create SAML 2.0 App Integration

To create your app integration:

  1. In Okta, navigate to the Applications section of your Okta environment and select Create App Integration.
  2. Create the app integration with Sign‑in method: SAML 2.0.
  3. Provide a name for your app and proceed with Next.

Configure SAML Settings

Before you start configuring SAML settings on the Okta side, gather the required information from your Cribl.Cloud Organization.

  1. In the sidebar, under Organization, select SSO Management.

  2. Scroll down to the Web Application Settings section and select SAML.

  3. Note down the values for Single Sign on URL and Audience URI.

    Single Sign on URL lists two URLs that you use for SAML configuration.

    • https://login.cribl.cloud/login/callback?connection=<organizationId> is the URL you will use for the connection.
    • https://manage.cribl.cloud/api/assert is used during setup to test the connection. After you have successfully tested the connection, save the configuration and replace the second URL with the first one.
SSO information for configuring SAML integration
  1. Now, go to your Okta application.

  2. In the Configure SAML tab, in the SAML Settings section, you will use information you get from your Cribl.Cloud Organization. Configure the following options:

    • Single sign-on URL: enter the first of two URLs from Single Sign on URL: https://login.cribl.cloud/login/callback?connection=<organizationId>

    • Audience URI (SP Entity ID): enter the Audience URI from your Cribl.Cloud SAML settings. For example: urn:auth0:cribl-cloud-prod:<organizationId>

    • Application username: enter Email

      The nameidentifier assertion in SAML responses must be the user’s Email.

  3. Select Show Advanced Settings. Navigate down and configure a single row of Other Requestable SSO URLs, as follows:

    • URL: This is required to test your connection. Get it from your Cribl.Cloud Organization’s SSO > SAML tab, where it is the second Single sign‑on URL. It will be in this format: https://manage.cribl.cloud/api/assert
    • Index: Set this to 0.

Configure Attribute Statements

  1. Configure Attribute Statements for these attributes, as shown below:

    Name           Value
    email          user.email
    given_name     user.firstName
    family_name    user.lastName

  2. Next, configure Group Attribute Statements to include groups. The filter depends on the type of groups you are using.

    • If you are using static groups, use Cribl.* as the filter:

      Name      Filter
      groups    Matches regex: Cribl.*

    • If you are using dynamic groups with Teams, you can use .* as the filter:

      Name      Filter
      groups    Matches regex: .*

      In this case, we strongly recommend using a more specific regex that will match only the necessary groups.

  3. Save your app integration.
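
As an added example (not Cribl's or Okta's code), the following Python script checks a decoded SAML response against the settings configured above: the callback URL as Destination, the Audience URI, an email NameID, the four attribute names, and the group filter. The organization ID, user, and group names are constructed, and treating the filter as a full-string match is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ORG_ID = "example-org-id"  # constructed placeholder for <organizationId>
ACS = f"https://login.cribl.cloud/login/callback?connection={ORG_ID}"
AUDIENCE = f"urn:auth0:cribl-cloud-prod:{ORG_ID}"
REQUIRED = ("email", "given_name", "family_name", "groups")

def sample_response(groups):
    """Constructed sample shaped like the Okta app's output (not captured traffic)."""
    def attr(name, values):
        vals = "".join(f"<a:AttributeValue>{v}</a:AttributeValue>" for v in values)
        return f'<a:Attribute Name="{name}">{vals}</a:Attribute>'
    stmts = (attr("email", ["ana@example.com"]) + attr("given_name", ["Ana"])
             + attr("family_name", ["Ruiz"]) + attr("groups", groups))
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{ACS}">'
            f"<a:Assertion><a:Subject><a:NameID>ana@example.com</a:NameID></a:Subject>"
            f"<a:Conditions><a:AudienceRestriction><a:Audience>{AUDIENCE}</a:Audience>"
            f"</a:AudienceRestriction></a:Conditions>"
            f"<a:AttributeStatement>{stmts}</a:AttributeStatement></a:Assertion></p:Response>")

def check_response(xml_text, allowed_groups=r"Cribl.*"):
    """Return a list of findings; an empty list means the response matches the settings."""
    # Configuration check only: the XML signature is not validated here.
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != ACS:
        findings.append("Destination is not the Cribl.Cloud callback URL")
    aud = root.findtext(".//a:Audience", default="", namespaces=NS)
    if aud != AUDIENCE:
        findings.append("Audience does not match the Audience URI")
    attrs = {}
    for a in root.iterfind(".//a:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.iterfind("a:AttributeValue", NS)]
    for name in REQUIRED:
        if not attrs.get(name):
            findings.append(f"missing attribute: {name}")
    name_id = root.findtext(".//a:NameID", default="", namespaces=NS)
    if name_id != (attrs.get("email") or [""])[0]:
        findings.append("NameID is not the user's email")
    extra = [g for g in attrs.get("groups", []) if not re.fullmatch(allowed_groups, g)]
    if extra:
        findings.append("groups outside filter: " + ", ".join(extra))
    return findings
```

A "groups outside filter" finding means the Group Attribute Statement is releasing group names that Cribl.Cloud does not need, which is the outcome a `.*` filter produces.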

Submit Your App Info to Cribl

After you’ve created the SAML app integration in your IDP, provide Cribl with the essential metadata about your application to implement SSO setup on the Cribl side.

  1. In Cribl Stream, on the top bar, select Products, and then select Cribl.
  2. In the sidebar, select Organization, then SSO Management.
  3. Above Web Application Settings, select SAML.
  4. The Web Application Settings will be prefilled for you, and Cribl will also prefill the SAML Assertion Mappings based on the information you’ve registered with Cribl. So you only need to fill in the SAML configuration section with details from your IDP client configuration.
  5. In your Okta environment, return to the Sign On tab and, in the right pane, select View SAML setup instructions. Use the provided fields to fill in the information in Cribl.Cloud:

    Cribl.Cloud field                     Okta field
    IDP Login/Logout URL                  Identity Provider Single Sign-On URL
    IDP issuer                            Identity Provider Issuer
    X.509 certificate (base64-encoded)    X.509 Certificate

SAML/Okta Chiclet Setup (Optional)

If you want to initiate login from your Okta instance with SAML authentication configured, an Okta admin can configure an app integration as follows:

  1. From Okta’s left nav, select the Applications page.
  2. Select Browse App Catalog.
  3. From the resulting catalog, use the search bar to find and select the Bookmark App application.
  4. From that application’s page, select Add Integration.
  5. On the General settings page, enter an Application label that will identify this app as supporting Cribl.Cloud login. (Cribl.Cloud is a good choice, but the label is arbitrary.)
  6. In the URL field, enter https://manage.cribl.cloud/login?connection=<organizationId> (where <organizationId> is your Cribl.Cloud Organization’s ID).
  7. Confirm with Done.
  8. Select Assign and assign all of the Cribl.Cloud groups to the application.
  9. The Cribl.Cloud chiclet should now be available for all users in the Cribl groups you’ve assigned.

If your Cribl.Cloud Organization has existing users who have been using a username and password to log in, upon first login with SSO, these users will see a prompt to link their identities. They should accept this prompt to ensure that their existing profile is linked with their SSO profile.

Prompt to link accounts

Troubleshooting

If you encounter issues when setting up SSO integration, refer to SSO Troubleshooting.