Securing Splunk Enterprise
Troubleshoot reverse-proxy SSO
Splunk Web provides a debug page that lets you analyze the environment and the run-time data to help you debug your deployment. You can access this page through the proxy or through the direct URL, but the request headers are not available unless you access the page through the proxy server.
This URL is located at:
https://YourSplunkServer:8000/debug/sso
Important: This debug page is not available by default. To make the page available, you must complete two steps. First, the role that accesses this endpoint must have the web_debug capability, which the admin role has by default. Second, the setting enableWebDebug=true must be configured in web.conf. Splunk recommends that you disable this setting immediately after you have finished troubleshooting.
Consider the following when using the troubleshooting page to analyze your deployment:
- Compare the IP provided as the Splunk trusted IP with that of the Host IP. The values must be the same (they should be the IP of your proxy). If they are not the same in the troubleshooting page, you must edit the trustedIP value in server.conf.
- Check the value for Incoming request IP received by splunkweb to make sure that it displays your client's IP address. If the IP does not match that of your client, you must:
  - Edit web.conf to correct this.
  - Make sure that tools.proxy.on is set to true.
- Make sure that your proxy is providing a header. Check the Authorization field under Other HTTP Headers. If there is no value present, check the http.conf file in your proxy to make sure that the remote header attribute value is properly set. Splunk software is configured to accept the remote header value of REMOTE_USER, which is the default for most proxies. If your proxy's remote header is different, and you wish to keep that value, you can edit the remote header value in web.conf to change the header that Splunk software will accept. See Configure SSO for more information.
- Make sure that Splunk Web is creating a cookie to send to splunkd. Check the Cookie field under Other HTTP headers to make sure that a cookie is set. If a cookie is not set, check your web.conf file to make sure that it is properly configured. See Configure SSO for more information.
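The configuration checks above can also be run against the files themselves, which helps confirm that enableWebDebug was turned off again after a troubleshooting session. The following is an added example, not Splunk's own tooling. It assumes the effective settings are passed in as text, that they live in the [settings] stanza of web.conf and the [general] stanza of server.conf, and that the remote header setting in web.conf is named remoteUser; the sample values and the audit_sso name are constructed for illustration.

```python
import configparser

def load_conf(text):
    """Parse Splunk .conf text (INI-like) without lower-casing setting names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # setting names such as trustedIP are case-sensitive
    cp.read_string(text)
    return cp

def is_true(value):
    # Common boolean spellings; anything else is treated as false.
    return str(value).strip().lower() in ("1", "true", "t", "yes", "y")

def audit_sso(web_text, server_text, proxy_ip):
    """Return (setting, message) pairs for each reverse-proxy SSO problem found."""
    web, server = load_conf(web_text), load_conf(server_text)
    settings = web["settings"] if web.has_section("settings") else {}
    general = server["general"] if server.has_section("general") else {}
    findings = []

    # The debug page must not stay enabled once troubleshooting is finished.
    if is_true(settings.get("enableWebDebug", "false")):
        findings.append(("enableWebDebug",
                         "web.conf: /debug/sso is still enabled"))
    # Without this, Splunk Web reports the proxy's IP instead of the client's.
    if not is_true(settings.get("tools.proxy.on", "false")):
        findings.append(("tools.proxy.on",
                         "web.conf: tools.proxy.on is not true"))
    # The trusted IP must be the address of the proxy.
    trusted = general.get("trustedIP", "").strip()
    if trusted != proxy_ip:
        findings.append(("trustedIP",
                         f"server.conf: trustedIP is {trusted or 'unset'}, "
                         f"expected proxy {proxy_ip}"))
    # A non-default remote header only works if the proxy sends that exact name.
    header = settings.get("remoteUser", "REMOTE_USER").strip()
    if header != "REMOTE_USER":
        findings.append(("remoteUser",
                         f"web.conf: proxy must send header {header}"))
    return findings

# Constructed sample configuration (not taken from a real deployment).
WEB_CONF = """
[settings]
enableWebDebug = true
tools.proxy.on = false
remoteUser = X-Remote-User
"""
SERVER_CONF = """
[general]
trustedIP = 10.0.0.5
"""

if __name__ == "__main__":
    for setting, message in audit_sso(WEB_CONF, SERVER_CONF, "10.0.0.9"):
        print(f"{setting}: {message}")
```

The remoteUser finding is informational: it is only a problem if the proxy does not send the header named there.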
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2