These docs are for Cribl Stream 4.2 and are no longer actively maintained.
See the latest version (4.13).
Common SSO Setup Steps
Whether you’re configuring Single Sign-On (SSO) via OIDC or SAML, these initial preparation steps are the same.
Set Up Fallback Access
On your Cribl.Cloud Organization, ensure that at least one Owner creates a local account, using an email domain that’s separate from the corporate domain on which you’re configuring SSO. This will ensure backup access if SSO configuration breaks.
Configure Groups
In your IDP, configure user groups that match Cribl.Cloud Role/Permissions. Using Okta as an example, you’d map Okta groups (right side) to Cribl.Cloud Roles (left side) as follows.
You can use either the open or the closed format in your IDP (right side). You can also add prefixes or suffixes, as outlined below in Group Configuration Options.
| Cribl.Cloud Role/Permission | IDP Group Name |
|---|---|
| Owner | Cribl Organization Owner /or/ CriblOrganizationOwner |
| Admin | Cribl Organization Admin /or/ CriblOrganizationAdmin |
| User | Cribl Organization User /or/ CriblOrganizationUser |
| Editor | (Deprecated, will be mapped to Admin) Cribl Organization Editor /or/ CriblOrganizationEditor |
| Read Only | (Deprecated, will be mapped to User) Cribl Organization Read Only /or/ CriblOrganizationReadOnly |
Product-Level Mappings
Starting with Cribl’s 4.2 release, you can map external IDP groups to specific Roles/Permissions on your Organization’s Cribl Stream, Edge, and Search products. You can map these separately per product.
For details about the Cribl.Cloud target Permissions, see our Members and Permissions topic. (That page also covers on-prem counterparts to the Cribl.Cloud Organization-level Permissions listed above.) To see the corresponding names to assign to your external IDP groups, see your Cribl.Cloud Organization’s Account > Organization > SSO tab.
Default Product Permissions
When you map external users to your Cribl Organization, their initial product-level Permissions follow a different inheritance pattern than Members configured within Cribl. This is to avoid downgrading product-level Permissions that Organization-level Users might already have.
The defaults for mapped users are:
- Organization
OwnerorAdmininheritsAdminPermission on all products. - Organization
UserinheritsUserPermission on all products. - Organization
Editor(deprecated) inheritededitorlegacy Roles on all products. - Organization
Read Only(deprecated) inheritedRead OnlyPermission on Stream and Edge, andUserPermission on Search.
Group Configuration Best Practices
- A Cribl.Cloud Organization’s Owner Role can be shared and transferred among multiple users. This facilitates gradual ownership transfers, corporate reorganizations, and other scenarios.
- Those users should be in both the Owner and Admin groups in your IDP.
(This enables them to acquire all needed permissions across Cribl’s two corresponding Roles.) - Aside from dual-assigning the Owners, you should assign every other user only one group in your IDP. (Cribl’s Admin and Editor Roles include all the permissions of the Roles below them.)
Group Configuration Options
You can freely add prefixes or suffixes to Group Names that follow the above examples’ formats. Cribl will ignore these additions when mapping IDP groups to Cribl Roles. Examples:
SOME-LABEL-12345-CriblOrganizationOwnerCriblOrganizationEditor-420
Here’s an example of how groups configuration (at an early stage) might look in Okta’s UI:
