
SSO with Okta and OIDC (On-Prem)

Cribl Stream supports setting up SSO using OIDC to provide user authentication (login/password) and authorization (by mapping SSO users to Cribl Roles).

This page presents a walkthrough of setting up an OIDC SSO, using Okta as the example.

If you’d prefer to learn this information in the form of a video course, take a look at Cribl University’s Troubleshooting Criblet on SSO Integration for Stream On-Prem - Okta. The course walks you through a configuration flow of SSO with Okta and OIDC. (To follow the direct course link, first log into your Cribl University account - it’s free!)

This page is a guide for configuring SSO for an on-prem installation. For Cribl.Cloud, see SSO with Okta and OIDC (Cribl.Cloud).

Create OIDC App Integration

To create your app integration:

  1. In Okta, navigate to the Applications section and select Create App Integration.

  2. Configure the app integration with the options below:

    • Sign-in method: OIDC - OpenID Connect
    • Application type: Web Application
  3. Select Next to proceed.

General Settings

  1. Configure the app integration’s General Settings with the options below:
    • App integration name: Your application name.
    • Logo: (Optional) Upload the Cribl logo. You can use a logo from the Cribl Press Kit.
    • Sign-in redirect URIs: Your Leader base URL, with /api/v1/auth/authorization-code/callback as the path.
    • Sign-out redirect URIs: (Optional) Append /login to the pre-filled path.

Assignments

  1. In the Assignments pane, configure the access granted to Okta users:

    • To grant access to Cribl Stream to all Okta users, select Allow everyone in your organization to access.

    • To grant access to Cribl Stream to specific Okta groups, select Limit access to selected groups. Then, in the field below, add the groups you want to include.

      After you finish creating the app, if you need to add or remove groups, do that in the Applications > Assignments tab.

  2. Save your application.

In the Client Credentials panel, note down Client ID and Client Secret. You will need them in the next step.

Submit Your App Info to Cribl

Next, provide Cribl with essential details about your application to implement the SSO setup on the Cribl side.

  1. In Cribl Stream, select Settings in the top nav, then in Access Management choose Authentication.

  2. From the Type dropdown, choose OpenID Connect.

  3. In the Provider name dropdown, select Okta.

  4. In the Audience (Relying Party ID) field, enter your Cribl Stream UI base URL.

    If you have a Distributed deployment with a fallback Leader configured, modify the Audience (Relying Party ID) field to point to the load balancer instead of the Leader Node.

  5. In the Client ID and Client secret fields, enter the respective values that you copied from the Okta Client Credentials in the previous step.

  6. If your Cribl Stream is in Enterprise Distributed mode:

    In the Scope field, add the scope groups to the default space-separated list of scopes, so that it reads: openid profile email groups.

Get Okta App URLs

Next, get the authentication, token, userinfo, and logout URLs for your Okta app.

You can get them in JSON format from the /.well-known/openid-configuration endpoint: https://<tenant>.okta.com/.well-known/openid-configuration (<tenant> is your Okta tenant name). For example: https://dev-12345678.okta.com/.well-known/openid-configuration.

You can use a tool like jq to automatically extract the URLs from the endpoint’s response with the following curl command:

curl -s https://<tenant>.okta.com/.well-known/openid-configuration | jq '. | {"auth": (.authorization_endpoint), "token":(.token_endpoint), "userinfo":(.userinfo_endpoint), "logout": (.end_session_endpoint)}'

Once you have the values, enter them in the respective fields in your Cribl Stream SSO configuration:

  • Authentication URL: the auth URL (authorization_endpoint).
  • Token URL: the token URL (token_endpoint).
  • User info URL: the userinfo URL (userinfo_endpoint). Fill it in if you configured Okta to use groups.
  • Logout URL: the logout URL (end_session_endpoint). Fill it in if you want Account > Log out in Cribl Stream to log the user out globally, meaning that when a user selects Account > Log out in Cribl Stream, they are logged out of both Cribl Stream and Okta.
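The discovery step above is also the place to sanity-check what Okta handed back before pasting it into Cribl Stream: the issuer and every endpoint should sit on your own tenant and use HTTPS. The following is an added Python example (not Cribl’s or Okta’s code) that parses a constructed, abbreviated openid-configuration document, verifies those properties, and returns the four values in the shape of the Cribl Stream fields; the sample document and the tenant name dev-12345678 are constructed and reuse the page’s placeholder.

```python
import json
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed, abbreviated sample of an Okta /.well-known/openid-configuration
# response; the tenant name reuses the page's placeholder and is not a real tenant.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://dev-12345678.okta.com",
    "authorization_endpoint": "https://dev-12345678.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://dev-12345678.okta.com/oauth2/v1/token",
    "userinfo_endpoint": "https://dev-12345678.okta.com/oauth2/v1/userinfo",
    "end_session_endpoint": "https://dev-12345678.okta.com/oauth2/v1/logout",
    "jwks_uri": "https://dev-12345678.okta.com/oauth2/v1/keys",
})

# Cribl Stream SSO field -> discovery-document key (the same keys the jq command selects).
FIELD_TO_KEY = {
    "Authentication URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User info URL": "userinfo_endpoint",
    "Logout URL": "end_session_endpoint",
}
OPTIONAL_KEYS = {"end_session_endpoint"}   # only needed when you want global logout


def extract_sso_urls(discovery_json: str, tenant: str) -> Dict[str, Optional[str]]:
    """Parse a discovery document and return the URLs for the Cribl Stream SSO fields."""
    doc = json.loads(discovery_json)
    expected_host = f"{tenant}.okta.com"

    # Refuse a document whose issuer is not the tenant we meant to talk to: a
    # mistyped hostname would otherwise send the login flow to the wrong place.
    issuer_host = urlparse(doc.get("issuer", "")).hostname
    if issuer_host != expected_host:
        raise ValueError(f"issuer host {issuer_host!r} is not {expected_host!r}")

    urls: Dict[str, Optional[str]] = {}
    for field, key in FIELD_TO_KEY.items():
        value = doc.get(key)
        if value is None:
            if key in OPTIONAL_KEYS:
                urls[field] = None          # leave the Logout URL field empty
                continue
            raise ValueError(f"discovery document lacks {key}")
        parsed = urlparse(value)
        # Every endpoint must be HTTPS and live on the same tenant as the issuer.
        if parsed.scheme != "https" or parsed.hostname != expected_host:
            raise ValueError(f"{key} is off-tenant or not https: {value}")
        urls[field] = value
    return urls


if __name__ == "__main__":
    for field, url in extract_sso_urls(SAMPLE_DISCOVERY, "dev-12345678").items():
        print(f"{field}: {url}")
```

To run it against a live tenant, replace SAMPLE_DISCOVERY with the body of the curl call shown earlier; the issuer check is what catches a copy-paste of some other tenant’s endpoints.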

Configure Response to Okta /userinfo Endpoint

An Okta tenant’s user groups can be mastered either inside Okta, outside Okta, or both.

When Cribl Stream queries the /userinfo endpoint, Okta returns the appropriate groups membership of the user.

See the Okta documentation on dynamic allow lists and using Okta together with Active Directory.

To configure this behavior, you need to set Groups claim type correctly, depending on where user groups are mastered.

  1. In Okta, go to your app and open the Sign On tab.
  2. In the OpenID Connect ID Token panel, select Edit, then configure the groups claim according to where your groups are mastered:

    Inside Okta:

      a. Set Groups claim type to Filter.
      b. Choose Matches regex from the dropdown, and enter .* as the regex.

    Outside Okta:

      a. Set Groups claim type to Expression.
      b. In the Groups claim expression field, enter an expression that matches the groups you want passed to Cribl Stream.

         For example, to match on Active Directory groups that contain the string cribl, use the following expression:

         Groups.contains("active_directory", "cribl", 10)

  3. Click Save.

Configure ID Token to Include Groups Claim

For Okta to recognize your groups, you must configure the ID token to include your groups claim:

  1. In Okta, open the Security > API page.
  2. In the Authorization Servers tab, click the edit (pencil) button for the desired Authorization Server.
  3. In the resulting page, select the Claims tab.
  4. If your groups claim already exists, click the edit (pencil) button. Otherwise, click Add Claim.
  5. In the Include in token type drop-downs, choose ID Token and Always, respectively.
Including the groups claim in the token ID
  6. Configure the remaining settings in the way that suits your groups claim.
  7. Click Save (or Create if you’re adding the claim for the first time).

Map Okta Groups to Cribl Stream Roles

Mapping groups to Roles is possible only for Cribl Stream deployments that are in Distributed mode, with an Enterprise license. With a Standard license, all your external users will be imported to Cribl Stream in the admin role.

If you are running Cribl Stream in Single-instance mode, you cannot map Okta groups to Cribl Stream Roles, although you can still set up SSO with Okta.

As you think through how best to map your Okta groups to Cribl Stream Roles, keep these principles in mind:

  • An Okta group can map to more than one Cribl Stream Role.
  • A Cribl Stream Role can map to more than one Okta group.
  • If a user has multiple Roles, Cribl Stream applies the union of the most permissive levels of access.
  • Cribl Stream automatically assigns the default Role to any user who has no mapped Roles.

For details on mapping your external identity provider’s configured groups to corresponding Cribl Stream user access Roles, see External Groups and Roles.

You can assign a Cribl Stream Role to each Okta group name, and you can specify a default Role for users who are not in any groups.

  1. In Cribl Stream, select Settings, go to Access Management and then select Authentication.

  2. Scroll down to the ROLE MAPPING section.

    Cribl recommends that you set the default Role to user, meaning that this Role will be assigned to users who are not in any groups.

  3. Add mappings as needed.

    The Okta group names in the left column are case-sensitive, and must match the values returned by Okta (those you saw earlier when configuring Okta and OIDC).

Example Role mapping: the Role mapping section in Cribl Stream with sample mappings.
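The four mapping principles and the case-sensitivity note above are easiest to see in code. The following is an added Python example, not Cribl’s implementation: the Role names and the permissions attached to them are constructed stand-ins, the sample mapping is constructed, and the resolution rules (exact group-name match, union of everything the matched Roles grant, default Role when nothing matches) are those the page states.

```python
from typing import Dict, Iterable, List, Set

# Constructed stand-in for what each Cribl Stream Role grants. The real Role
# definitions are richer; only the admin > editor > user ordering is borrowed.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"read", "write", "configure", "manage_users"},
    "editor": {"read", "write"},
    "user": {"read"},
}

# Constructed sample of a ROLE MAPPING section: Okta group name -> Cribl Roles.
# One group may map to several Roles, and one Role may appear under several groups.
SAMPLE_MAPPING: Dict[str, List[str]] = {
    "cribl-admins": ["admin"],
    "cribl-ops": ["editor", "user"],
    "cribl-readonly": ["user"],
}

DEFAULT_ROLE = "user"   # the default Role the page recommends


def resolve_roles(groups_claim: Iterable[str], mapping: Dict[str, List[str]],
                  default_role: str = DEFAULT_ROLE) -> Set[str]:
    """Return the Roles a user gets from the groups in their /userinfo response.

    Group names are compared exactly (case-sensitive), so a claim of
    "Cribl-Admins" does not match a mapping entry for "cribl-admins".
    """
    roles: Set[str] = set()
    for group in groups_claim:
        roles.update(mapping.get(group, []))
    if not roles:
        roles.add(default_role)      # no mapped Roles: fall back to the default
    return roles


def effective_permissions(roles: Iterable[str]) -> Set[str]:
    """Union of everything the user's Roles grant: the most permissive access wins."""
    granted: Set[str] = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS[role]
    return granted


def explain(groups_claim: List[str]) -> str:
    roles = resolve_roles(groups_claim, SAMPLE_MAPPING)
    perms = effective_permissions(roles)
    return f"groups={groups_claim} -> roles={sorted(roles)} -> permissions={sorted(perms)}"


if __name__ == "__main__":
    print(explain(["cribl-ops"]))
    print(explain(["cribl-admins", "cribl-readonly"]))
    print(explain(["Cribl-Admins"]))   # wrong case: falls through to the default Role
    print(explain([]))                 # no groups claim at all
```

The third case is the one that bites in practice: a group name typed with the wrong case silently demotes the user to the default Role rather than producing an error, which is why the page recommends a default of user rather than admin.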

Verify that SSO with Okta Is Working

  1. Log out of Cribl Stream, and verify that Okta is now an option on the login page.
  2. Select Log in with Okta.
  3. You should be redirected to Okta to authenticate yourself.
  4. The OpenID Connect flow should complete the authentication process.

Getting Temporary Access Credentials for AWS S3 Buckets

You can use your SSO/OIDC IDP to issue temporary access credentials so your on-prem Worker Node can access AWS S3 buckets.

Set the AWS_WEB_IDENTITY_TOKEN_FILE environment variable. This variable defines a path to a file that contains the OAuth/OIDC token provided by the SSO IDP. You’ll also need to define AWS_ROLE_ARN and AWS_ROLE_SESSION_NAME.

You can use curl/Postman to make the required API calls.
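Before pointing a Worker Node at a token file, it is worth checking that the three variables are set, that the file is readable only by the Worker’s user (it is a bearer credential), and that the token inside has not already expired. The following is an added Python preflight example, not part of Cribl Stream or the AWS SDK; the token it writes is constructed for offline demonstration (its signature segment is a dummy and would be rejected by AWS STS), the role ARN is a constructed placeholder, and the checks are a suggestion, not a documented Cribl procedure.

```python
import base64
import json
import os
import stat
import tempfile
import time
from typing import List, Optional

# The three variables the page says the Worker Node needs.
REQUIRED_VARS = ("AWS_WEB_IDENTITY_TOKEN_FILE", "AWS_ROLE_ARN", "AWS_ROLE_SESSION_NAME")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The signature is NOT verified here;
    AWS STS verifies it against the IdP's published keys when the token is used."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def preflight(env: dict, now: Optional[float] = None) -> List[str]:
    """Return the problems found; an empty list means the setup looks usable."""
    now = time.time() if now is None else now
    problems = [f"missing environment variable {v}" for v in REQUIRED_VARS if not env.get(v)]
    if problems:
        return problems
    if not env["AWS_ROLE_ARN"].startswith("arn:aws:iam::"):
        problems.append("AWS_ROLE_ARN does not look like an IAM role ARN")
    path = env["AWS_WEB_IDENTITY_TOKEN_FILE"]
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        problems.append(f"token file not readable: {exc}")
        return problems
    # The token is a bearer credential: nobody but the Worker's user should read it.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("token file is readable by group or others")
    with open(path, encoding="ascii") as fh:
        token = fh.read().strip()
    try:
        claims = jwt_payload(token)
    except ValueError:            # covers bad base64 and bad JSON as well
        problems.append("token file does not contain a JWT")
        return problems
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def make_demo_token(exp: float) -> str:
    """Build a CONSTRUCTED token for offline demonstration only; a real token
    comes from the SSO IdP and carries a genuine signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    payload = _b64url_encode(json.dumps({
        "iss": "https://dev-12345678.okta.com",   # placeholder tenant from the page
        "sub": "worker-node-demo",
        "aud": "cribl-worker",
        "exp": int(exp),
    }).encode())
    return f"{header}.{payload}.demo-signature-not-valid"


def run_demo(exp_offset_seconds: int) -> List[str]:
    """Write a demo token file (mkstemp creates it mode 0600) and run the preflight."""
    fd, path = tempfile.mkstemp(prefix="web-identity-")
    with os.fdopen(fd, "w") as fh:
        fh.write(make_demo_token(time.time() + exp_offset_seconds))
    env = {
        "AWS_WEB_IDENTITY_TOKEN_FILE": path,
        "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/cribl-worker-s3",  # constructed placeholder
        "AWS_ROLE_SESSION_NAME": "cribl-worker",
    }
    try:
        return preflight(env)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("fresh token:", run_demo(3600) or "ok")
    print("expired token:", run_demo(-60))
```

On a real Worker, call preflight(dict(os.environ)) from the same user account the Worker runs as, so the permission check reflects what that account can actually read.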

Ensure Fallback Access

To ensure fallback access for local users if SSO authentication fails, enable local authentication.

  1. Go to Global Settings.
  2. Under Access Management select Authentication.
  3. Toggle Allow login as Local User to Yes to allow users to log in using Cribl local authentication. This enables an extra button called Log in as Local User on the login page.

To prevent lockout, Cribl strongly recommends enabling Allow login as Local User until you’re certain that external auth is working as intended. If you do get locked out, see Manual Password Replacement.