| CARVIEW |
Select Language
HTTP/2 200
date: Wed, 23 Jul 2025 22:36:45 GMT
content-type: text/html; charset=UTF-8
server: Apache
set-cookie: Apache=c13602a6.63aa057e8802f; path=/; expires=Thu, 19-Jul-40 22:36:44 GMT; domain=.splunk.com
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
set-cookie: PHPSESSID=f89791f70cbc97c74bdf915057cced4e; path=/
expires: Thu, 01 Jan 1970 00:00:00 GMT
cache-control: private, must-revalidate, max-age=0
pragma: no-cache
set-cookie: ponydocs_session=f89791f70cbc97c74bdf915057cced4e; path=/; secure; HttpOnly
content-language: en
x-ua-compatible: IE=Edge
vary: Accept-Encoding,Cookie
x-xss-protection: 1; mode=block
referrer-policy: strict-origin-when-cross-origin
Secure SSO with TLS certificates - Splunk Documentation
We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »
Splunk® Enterprise
Securing Splunk Enterprise
- Install Splunk Enterprise securely
- Secure your admin account
- About TLS encryption and cipher suites
- Securing Splunk Enterprise with FIPS
- About default certificate authentication
- Secure Splunk Enterprise on your network
- Disable unnecessary Splunk Enterprise components
- Secure Splunk Enterprise service accounts
- Deploy secure passwords across multiple servers
- Harden the network port that App Key Value Store uses
- Some best practices for your servers and operating system
- Use access control to secure Splunk data
- About user authentication
- About configuring role-based user access
- About defining roles with capabilities
- Add and edit roles with Splunk Web
- Add and edit roles with authorize.conf
- Configure access to manager consoles and apps in Splunk Enterprise
- Find existing users and roles
- Delete all user accounts
- Secure access for Splunk knowledge objects
- Use network access control lists to protect your deployment
- Set up user authentication with LDAP
- Manage Splunk user roles with LDAP
- LDAP prerequisites and considerations
- Secure LDAP authentication with transport layer security (TLS) certificates
- How the Splunk platform works with multiple LDAP servers for authentication
- Configure LDAP with Splunk Web
- Map LDAP groups to Splunk roles in Splunk Web
- Configure LDAP with the configuration file
- Map LDAP groups and users to Splunk roles using configuration files
- Test your LDAP configuration on Splunk Enterprise
- Change authentication schemes from native to LDAP on Splunk Enterprise
- Remove an LDAP user safely on Splunk Enterprise
- Configure single sign-on with SAML
- Configure SSO with PingIdentity as your SAML identity provider
- Configure SSO with Okta as your identity provider
- Configure SSO with Microsoft Azure AD or AD FS as your Identity Provider
- Configure SSO with OneLogin as your identity provider
- Configure SSO with Optimal as your identity provider
- Configure SSO in Computer Associates (CA) SiteMinder
- Secure SSO with TLS certificates
- Configuring SAML in a search head cluster
- Configure Ping Identity with leaf or intermediate SSL certificate chains
- Configure SAML SSO for other IdPs
- Configure advanced settings for SSO
- Map groups on a SAML identity provider to Splunk roles
- Modify or remove role mappings
- Configure SAML SSO in the configuration files
- Troubleshoot SAML SSO
Preview features described in this document are provided by Splunk to you "as is" without any warranties, maintenance and support, or service-level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. These documents are not yet publicly available and we ask that you keep such information confidential.
This documentation does not apply to the most recent version of Splunk® Enterprise.
For documentation on the most recent version, go to the latest release.
Secure SSO with TLS certificates
Configure the following SSL settings to enable Splunk Enterprise to perform TLS verification between Splunk Instance and the SOAP instance providing AttributeQuery service.
Unless noted, values not set default to the setting specified in server.conf.
[<saml-authSettings-key>] sslVersions = <Comma-separated list of SSL versions to support> sslCommonNameToCheck = <commonName> When populated, and sslVerifyServerCert is "true", splunkd limits most outbound HTTPS connections to hosts which use a cert with this common name. sslAltNameToCheck = <alternateName1>, <alternateName2>, ...If set, and sslVerifyServerCert' is "true", splunkd can verify certificates with "Subject Alternate Name" that matches any of the is alternate names in this list. ecdhCurveName = <ECDH curve to use for ECDH key negotiation> serverCert = <Server certificate file> Default certificates, "sever.pem" are auto-generated by splunkd upon starting Splunk, you may replace the default cert with your own PEM format file. sslPassword = <Server certificate password> caCertFile = <Public key of the signing authority> The default value is cacert.pem caPath = <Path where all these certs are stored>. Default value is $SPLUNK_HOME/etc/auth sslVerifyServerCert = [ true | false ] If true, distributed search makes a search request to another server in the search cluster. blacklistedAutoMappedRoles = <comma separated list of roles> Optionally provide a comma-separated list of Splunk roles that you do not want Splunk to auto-map if received in the IDP Response. blacklistedUsers = <comma separated list of user names> Optionally provide a comma-separated list of user names that Splunk must reject from the IDP response. nameIdFormat = <string> Optionally, and If supported by IDP, specify the format of the Subject returned in the SAML Assertion. ssoBinding = <HTTPPost | HTTPRedirect> Optionally specify the binding to use when making a SP-initiated SAML request. The binding must match the one configured on the IDP. sloBinding = < <HTTPPost | HTTPRedirect> > Optionally specify the binding to use when making a logout request or sending a logout response to complete the logout workflow. The binding must match the one configured on the IDP. signatureAlgorithm = <RSA-SHA1 | RSA-SHA256> Optionally specify the signature algorithm to user for a SP-initiated SAML request. 'signedAuthnRequest' must be set to true for this setting to take effect. The algorithm applies to both the http post and redirect binding. replicateCertificates = <boolean> Optionally specify the IdP certificate files to replicate across search head cluster setup. Search head clustering must also be enabled. If certificate replication is not enabled, IdP certificate files must be replicated manually across SHC or verification of SAML signed assertions fails.
Last modified on 20 February, 2018
| Configure SSO in Computer Associates (CA) SiteMinder | Configuring SAML in a search head cluster |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13
Comments
Download manual
You must be logged into splunk.com in order to post comments. Log in now.
Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.
Your Comment Has Been Posted Above
Closing this box indicates that you accept our Cookie Policy.
Feedback submitted, thanks!