| CARVIEW |
Securing Splunk Enterprise
- Install Splunk Enterprise securely
- Create secure administrator credentials
- About TLS encryption and cipher suites
- Securing Splunk Enterprise with FIPS
- About default certificate authentication
- Harden the Splunk Enterprise installation directory on Windows
- Secure Splunk Enterprise on your network
- Disable unnecessary Splunk Enterprise components
- Secure Splunk Enterprise service accounts
- Deploy secure passwords across multiple servers
- Harden the network port that App Key Value Store uses
- Some best practices for your servers and operating system
- Password best practices for administrators
- Configure Splunk password policies
- Configure a Splunk Enterprise password policy using the Authentication.conf configuration file
- Password best practices for users
- Unlock a user account
- Change a user password
- Manage out-of-sync passwords in a search head cluster
- Use access control to secure Splunk data
- About user authentication
- About configuring role-based user access
- Define roles on the Splunk platform with capabilities
- Add and edit users
- Add and edit roles with Splunk Web
- Add and edit roles with authorize.conf
- Configure access to manager consoles and apps in Splunk Enterprise
- Find existing users and roles
- Delete all user accounts on Splunk Enterprise
- Secure access for Splunk knowledge objects
- Use network access control lists to protect your deployment
- Set up user authentication with LDAP
- Manage Splunk user roles with LDAP
- LDAP prerequisites and considerations
- Secure LDAP authentication with transport layer security (TLS) certificates
- How the Splunk platform works with multiple LDAP servers for authentication
- Configure LDAP with Splunk Web
- Map LDAP groups to Splunk roles in Splunk Web
- Configure LDAP using configuration files
- Map LDAP groups and users to Splunk roles using configuration files
- Test your LDAP configuration on Splunk Enterprise
- Change authentication schemes from native to LDAP on Splunk Enterprise
- Remove an LDAP user safely on Splunk Enterprise
- About multifactor authentication with Duo Security
- Configure Splunk Enterprise to use Duo Security multifactor authentication
- Configure Duo multifactor authentication for Splunk Enterprise in the configuration file
- About multifactor authentication with RSA Authentication Manager
- Configure RSA authentication from Splunk Web
- Configure Splunk Enterprise to use RSA Authentication Manager multifactor authentication via the REST endpoint
- Configure Splunk Enterprise to use RSA Authentication Manager multifactor authentication in the configuration file
- User experience when logging into a Splunk instance configured with RSA multifactor authentication
- Configure single sign-on with SAML
- Configure SSO with PingIdentity as your SAML identity provider
- Configure SSO with Okta as your identity provider
- Configure SSO with Microsoft Azure AD or AD FS as your Identity Provider
- Configure SSO with OneLogin as your identity provider
- Configure SSO with Optimal as your identity provider
- Configure SSO in Computer Associates (CA) SiteMinder
- Secure SSO with TLS certificates
- Configuring SAML in a search head cluster
- Configure Ping Identity with leaf or intermediate SSL certificate chains
- Configure SAML SSO for other IdPs
- Configure advanced settings for SSO
- Map groups on a SAML identity provider to Splunk roles
- Modify or remove role mappings
- Configure SAML SSO in the configuration files
- Best practices for using SAML as an authentication scheme for single-sign on
- Troubleshoot SAML SSO
- About securing inter-Splunk communication
- Configure secure communications between Splunk instances with updated cipher suite and message authentication code
- Securing distributed search heads and peers
- Secure deployment servers and clients using certificate authentication
- Secure Splunk Enterprise services with pass4SymmKey
- CBS Token authentication failed. Add-on for Micros...
- Invalid token in Splunk app for SOAR, yet tokens a...
- Gettting 404 error while trying to create an acces...
- Authorization Token Not Work
- How to create authentication token and then use it...
- How do I do simple token based authentication with...
- Authenticated API call using webport redirects (30...
- Receiving HTTP 303 When Using Token-Based Authenti...
- How to set token from search and then conditionall...
- For Splunk API requests, are authentication token...
Use authentication tokens
If you have been assigned an authentication token, you can access a Splunk platform instance using Representational State Transfer (REST) calls. This method lets you access the instance and make web requests without having to authenticate with credentials.
You must possess a valid token that has been given to you from an administrator who maintains the instance. The token cannot be expired, as expired tokens are unusable. Administrators can delay when the validity of a token starts, meaning that the token cannot be used until its validity begins.
You cannot use a token on any instance other than the instance where the administrator granted you the token. For example, if you have a token for server1, and need access to server2, you must ask the administrator for server2 to give you access to a token there. There is an exception on search head clusters: if an administrator grants you token-based access to a search head cluster, that token is valid for all search head cluster nodes.
You lose access to the instance through the token if any of the following occurs:
- The token expires. You can ask the administrator to issue a new token to regain access.
- The administrator disables the token. The administrator must reenable the token before you can use it again.
- The administrator deletes the token. You can ask the administrator to issue a new token to regain access.
- The administrator disables token authentication, either temporarily or permanently.
- The administrator deletes your account.
- You lock out or disable your Active Directory account on a Splunk platform instance that uses LDAP to connect to Active Directory.
Confirm that the administrator sends you the full token when they assign it to you. You must have the full token to authenticate with it through REST. If you do not, the Splunk platform rejects those authentication requests as if you had entered incorrect credentials.
Use an authentication token to make REST calls to an instance
After you receive a valid token for the instance you want to use, you can use the token to make calls to REST endpoints on the instance. Your access is the same as what you have if you logged in with credentials.
The type of web request you make depends on the endpoint you want to access and what you want to do with the endpoint. For more information on REST endpoints and how to use them, see the REST API User Manual and the REST API Reference Manual for information on REST and using REST endpoints.
Understand the ramifications of making REST calls using tokens. Tokens are only a method of authentication, not a safeguard against making potentially dangerous changes to a Splunk platform instance. If you have questions or concerns about using tokens, contact your administrator.
Currently, tokens are available only for making REST calls to a Splunk Enterprise instance. You cannot use tokens to authenticate using the CLI or Splunk Web. You must use credentials for these authentication methods.
Use your REST web client or command line tool to make an HTTP GET, POST, or DELETE request on an endpoint. When you make the request, include the management port of the instance:
curl -X GET -H "Authorization: Bearer <token>" https://<instance host name or IP address>:<management port>/services/authentication/users/<user>
If the operation succeeds, the command prints a response in XML that contains the information that the instance generated upon accessing the endpoint.
An authentication failure appears as follows:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="WARN">call not properly authenticated</msg>
</messages>
</response>
Insufficient permissions to access the endpoint appear as follows:
<response>
<messages>
<msg type="ERROR">You (user=<user>) do not have permission to perform this operation (requires capability: <capability> [or <capability>...]).</msg>
</messages>
</response>
Examples
These examples presume that you have properly configured your SSL certificates. If you have not, then the commands will not work. As a temporary measure to test connectivity to SSL, you can use the -k argument for curl to bypass certificate review. Do not do this long term, as certificates are a key part of maintaining security in SSL.
The following example accesses the /apps/local endpoint to retrieve a list of local Splunk applications on the instance:
curl -H "Authorization: Bearer eyJraWQ..." -X GET https://10.224.100.135:34740/services/apps/local
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="https://www.w3.org/2005/Atom" xmlns:s="https://dev.splunk.com/ns/rest" xmlns:opensearch="https://a9.com/-/spec/opensearch/1.1/">
<title>localapps</title>
<id>https://10.224.100.135:34740/services/apps/local</id>
<updated>2019-02-13T23:05:24+00:00</updated>
<generator build="7d447048a453" version="7.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<link href="/services/apps/local/_reload" rel="_reload"/>
<opensearch:totalResults>18</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>alert_logevent</title>
...
</entry>
...
</feed>
The following example accesses the authorization/roles endpoint to get information about the roles that have been configured on the instance:
curl -H "Authorization: Bearer eyJraWQ..." -X GET https://idx1.splunkcorp.com:8089/services/authorization/roles <?xml version="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xml" href="/static/atom.xsl"?> <feed xmlns="https://www.w3.org/2005/Atom" xmlns:s="https://dev.splunk.com/ns/rest" xmlns:opensearch="https://a9.com/-/spec/opensearch/1.1/"> <title>roles</title> <id>https://10.224.100.135:34740/services/authorization/roles</id> <updated>2019-02-13T23:10:41+00:00</updated> <generator build="7d447048a453" version="7.3.0"/> <author> <name>Splunk</name> </author> <link href="/services/authorization/roles/_new" rel="create"/> <opensearch:totalResults>5</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>admin</title> ... </entry> ... </feed>
| Manage or delete authentication tokens | Troubleshoot token authentication |
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9
Comments
Download manual
Use authentication tokens
You must be logged into splunk.com in order to post comments. Log in now.
Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.
Your Comment Has Been Posted Above
Feedback submitted, thanks!