Hello, I have my Cribl set up in GitOps mode (https://docs.cribl.io/stream/gitops/). I also have it set up to auth against Azure AD (https://docs.cribl.io/stream/usecase-azure-ad/). Further, I have defined several Azure AD groups, including one that I have assigned the GitOps role to (https://docs.cribl.io/stream/gitops/#user-role). When I attempt to follow the instructions (https://docs.cribl.io/stream/gitops/) about obtaining a Bearer token and use an account that is only in Azure AD, I always get “Invalid user or password”. However, if I use an account that exists internal to Cribl, it will succeed. I want to set up GitHub workflows to automate the sync once I complete a pull request. I realize I could create an internal user in Cribl and assign the GitOps role to it and just use that. But I think I should be able to do this with an Azure AD user too. Has anyone run into this before and found a resolution? Thanks!
Is the AD mapping from AD groups to Cribl Roles working as expected to log into Cribl with the correct Cribl Role?
To validate the mapping, if you go to Monitoring -> Logs with the filter channel=="auth", you can check log messages that might be helpful.
Additionally, I’m even having trouble getting this to work reliably via a local account. The sync API endpoint always returns forbidden when I try to use it.
So it seems like, fundamentally, the “login” endpoint will only attempt to use the local provider.
When I just tried to get the token again, I got this:
{ "time": "2023-08-10T13:32:08.088Z", "cid": "api", "channel": "auth", "level": "warn", "message": "Failed login", "user": "email@addr.ess", "provider": "local", "details": { "message": "Invalid user or password" }}
I notice that it is trying to use the “local” provider instead of the “sso” one.
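The auth-channel check discussed in this thread, as an added example that is not part of the original posts or Cribl's own code: it reads exported log lines in the shape of the record quoted above and separates failed logins that the local provider evaluated for a user it does not hold from failures on real local accounts. The sample lines are constructed, and `LOCAL_ACCOUNTS` and the verdict labels are hypothetical names chosen for this sketch.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the auth-channel record quoted above.
SAMPLE_LOG = """\
{"time": "2023-08-10T13:32:08.088Z", "cid": "api", "channel": "auth", "level": "warn", "message": "Failed login", "user": "email@addr.ess", "provider": "local", "details": {"message": "Invalid user or password"}}
{"time": "2023-08-10T13:33:10.000Z", "cid": "api", "channel": "auth", "level": "warn", "message": "Failed login", "user": "email@addr.ess", "provider": "local", "details": {"message": "Invalid user or password"}}
{"time": "2023-08-10T13:34:00.000Z", "cid": "api", "channel": "auth", "level": "warn", "message": "Failed login", "user": "gitops-svc", "provider": "local", "details": {"message": "Invalid user or password"}}
{"time": "2023-08-10T13:35:00.000Z", "cid": "api", "channel": "input", "level": "info", "message": "not an auth event"}
this line is truncated {"time":
"""

# Assumption: accounts you know exist in the local user store (hypothetical name).
LOCAL_ACCOUNTS = {"gitops-svc"}


def failed_logins(text):
    """Yield (user, provider, reason) for each failed-login auth record."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict):
            continue
        if rec.get("channel") != "auth" or rec.get("message") != "Failed login":
            continue
        reason = (rec.get("details") or {}).get("message", "")
        yield rec.get("user", ""), rec.get("provider", ""), reason


def triage(text, local_accounts):
    """Count failures per (user, provider) and label each pair."""
    counts = defaultdict(int)
    for user, provider, _reason in failed_logins(text):
        counts[(user, provider)] += 1
    report = {}
    for (user, provider), n in counts.items():
        if provider == "local" and user not in local_accounts:
            verdict = "not-a-local-account"  # local provider saw a user it does not hold
        else:
            verdict = "check-credentials"    # account exists there, or another provider
        report[(user, provider)] = (n, verdict)
    return report


if __name__ == "__main__":
    for key, value in sorted(triage(SAMPLE_LOG, LOCAL_ACCOUNTS).items()):
        print(key, value)
```

A repeated `not-a-local-account` result for a directory-only user matches the symptom described in the thread; the same grouping also makes bursts of failed logins against one account easy to spot.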