| CARVIEW |
Securing Splunk Enterprise
- Install Splunk Enterprise securely
- Create secure administrator credentials
- About TLS encryption and cipher suites
- Securing Splunk Enterprise with FIPS
- About default certificate authentication
- Harden the Splunk Enterprise installation directory on Windows
- Secure Splunk Enterprise on your network
- Disable unnecessary Splunk Enterprise components
- Secure Splunk Enterprise service accounts
- Deploy secure passwords across multiple servers
- Harden the network port that App Key Value Store uses
- Some best practices for your servers and operating system
- Password best practices for administrators
- Configure Splunk password policies
- Configure a Splunk Enterprise password policy using the Authentication.conf configuration file
- Password best practices for users
- Unlock a user account
- Change a user password
- Manage out-of-sync passwords in a search head cluster
- Use access control to secure Splunk data
- About user authentication
- About configuring role-based user access
- Define roles on the Splunk platform with capabilities
- Add and edit users
- Create and manage roles with Splunk Web
- Add and edit roles with authorize.conf
- Configure access to manager consoles and apps in Splunk Enterprise
- Find existing users and roles
- Delete all user accounts on Splunk Enterprise
- Secure access for Splunk knowledge objects
- Use network access control lists to protect your deployment
- Set up user authentication with LDAP
- Manage Splunk user roles with LDAP
- LDAP prerequisites and considerations
- Secure LDAP authentication with transport layer security (TLS) certificates
- How the Splunk platform works with multiple LDAP servers for authentication
- Configure LDAP with Splunk Web
- Map LDAP groups to Splunk roles in Splunk Web
- Configure LDAP using configuration files
- Map LDAP groups and users to Splunk roles using configuration files
- Test your LDAP configuration on Splunk Enterprise
- Change authentication schemes from native to LDAP on Splunk Enterprise
- Remove an LDAP user safely on Splunk Enterprise
- About multifactor authentication with Duo Security
- Configure Splunk Enterprise to use Duo Security multifactor authentication
- Configure Duo multifactor authentication for Splunk Enterprise in the configuration file
- About multifactor authentication with RSA Authentication Manager
- Configure RSA authentication from Splunk Web
- Configure Splunk Enterprise to use RSA Authentication Manager multifactor authentication via the REST endpoint
- Configure Splunk Enterprise to use RSA Authentication Manager multifactor authentication in the configuration file
- User experience when logging into a Splunk instance configured with RSA multifactor authentication
- Configure single sign-on with SAML
- Configure SSO with PingIdentity as your SAML identity provider
- Configure SSO with Okta as your identity provider
- Configure SSO with Microsoft Azure AD or AD FS as your Identity Provider
- Configure SSO with OneLogin as your identity provider
- Configure SSO with Optimal as your identity provider
- Configure SSO in Computer Associates (CA) SiteMinder
- Secure SSO with TLS certificates
- Configuring SAML in a search head cluster
- Configure Ping Identity with leaf or intermediate SSL certificate chains
- Configure SAML SSO for other IdPs
- Configure authentication extensions for SAML tokens
- Configure advanced settings for SSO
- Map groups on a SAML identity provider to Splunk roles
- Modify or remove role mappings
- Configure SAML SSO in the configuration files
- Best practices for using SAML as an authentication scheme for single-sign on
- Troubleshoot SAML SSO
- About securing inter-Splunk communication
- Configure secure communications between Splunk instances with updated cipher suite and message authentication code
- Securing distributed search heads and peers
- Secure deployment servers and clients using certificate authentication
- Secure Splunk Enterprise services with pass4SymmKey
- Authorization Token Not Work
- splunk tcp token - how to manage and mixed setup p...
- Unable to authenticate to search heads: "Global ke...
- Splunk Otel smartagent/snmp
- How do I add the "edit_tokens_settings" capability...
- Limiting data from Carbon Black Response - looking...
- Can i restrict permissions for the text box ,drill...
- How to remove search button below the panel and se...
- Not able to see EUM Browser Data for configured Ap...
- EUM stops logging virtual pages when we upgraded t...
Enable or disable token authentication
You can enable token authentication at any time if your Splunk platform account has the appropriate permissions. Token authentication is off by default on the Splunk platform.
You can also disable token authentication at any time if you have enabled it and have the appropriate permissions. If token authentication is disabled, token users cannot authenticate into the instance, even if you have previously defined valid tokens.
Tokens retain their individual validity status regardless of whether token authentication is on or off, and when you re-enable token authentication after disabling it, holders of valid tokens can use them again.
Prerequisites for enabling or disabling token authentication
Before you can enable token authentication, you must satisfy the following requirements:
- The Splunk platform instance where you want to enable token authentication must not operate in legacy mode, where Splunk Web operates as a separate process. If the Splunk platform is in legacy mode, token authentication does not run. See Start and Stop Splunk Enterprise in the Admin Manual for information on legacy mode.
- The account that you use to log into the Splunk platform must hold a role that has the
edit_tokens_settingsSplunk platform capability before you can turn token authentication on or off.
Enable token authentication for a Splunk platform instance
On Splunk Enterprise instances, you can enable token authentication by using Splunk Web, editing configuration files, or making a call to a Representational State Transfer (REST) endpoint.
At this time, you cannot use the Splunk CLI to enable or disable token authentication.
Enable token authentication using Splunk Web
When token authentication is off, the following message displays on the "Tokens" page in Splunk Web:
Token authentication is currently disabled To enable token authentication, click Enable Token Authentication.
Perform this procedure on the instance where you want to enable token authentication.
- Log in to the Splunk platform instance as an administrator user, or a user that can manage tokens settings.
You cannot use a token to log in to Splunk Web. You must provide a valid user name and password.
- After you log in successfully, in the system bar, select Settings > Tokens.
- Click Enable Token Authentication. The Splunk platform instance enables token authentication immediately, and there is no need to restart the instance.
Enable token authentication using configuration files
Perform this procedure on the Splunk Enterprise instance where you want to enable token authentication.
- Open a shell prompt or PowerShell window.
- Change to the
$SPLUNK_HOME/etc/system/localdirectory. - Use a text editor to open the
authorize.conffile for editing. - In the
authorize.conffile, add the following lines of text:
[tokens_auth] disabled = false
- Save the
authorize.conffile and close it. - Restart the Splunk platform.
Set a default relative token expiration time using configuration files
Optionally, to set a default relative time expiration for any tokens on the Splunk Enterprise instance, use this procedure. Expiration times that you specify in the token creation dialog override the default setting. You cannot perform this operation in Splunk Web, and you cannot set an expiration time in the past.
- Open a shell prompt or PowerShell window.
- Change to the
$SPLUNK_HOME/etc/system/localdirectory. - Use a text editor to open the
authorize.conffile for editing. - In the
tokens_authstanza, add the following line of text, substituting<relative time>with a string that represents an amount of time from the time that you create a token:
expiration=<relative time>
For example, if you want to specify a default expiration time of 5 days for a token after you create it, set
<relative time>to+5d.
- Save the file and close it.
- Restart the Splunk platform.
See Time modifiers in the Search Reference manual for more information on time modifier syntax.
Enable token authentication using REST
The curl command does not come standard on Windows PowerShell. Instead, you can use the Invoke_RestMethod PowerShell cmdlet on PowerShell versions 3.0 and higher.
- Open a shell prompt.
- Run the following command
curl -k -u <splunk_username>:<password> -X POST https://<servername>:<port>/services/admin/token-auth/tokens_auth -d disabled=false
Splunk Enterprise enables token authentication immediately, and there is no need to restart the instance.
Disable token authentication on a Splunk platform instance
On Splunk Enterprise instances, you can disable token authentication by using Splunk Web, editing configuration files, or making a call to a REST endpoint.
Disable token authentication using Splunk Web
Perform this procedure on the instance where you want to disable token authentication.
- Log in to the Splunk platform instance as a user that can edit token settings.
You cannot use a token to log in to Splunk Web. You must provide a valid user name and password.
- After you log in, in the system bar, select Settings > Tokens.
- Click Disable Token Authentication. The instance disables token authentication immediately, and there is no need to restart the instance.
Disable token authentication using configuration files
Perform this procedure on the Splunk Enterprise instance where you want to disable token authentication.
- Open a shell prompt or PowerShell window.
- Change to the
$SPLUNK_HOME/etc/system/localdirectory. - Use a text editor to open the
authorize.conffile. - In the
authorize.conffile, edit the following lines of text:
[tokens_auth] disabled = true
- Save the
authorize.conffile and close it. - Restart Splunk Enterprise.
Disable token authentication using REST
The curl command does not come standard on Windows PowerShell. Instead, you can use the Invoke_RestMethod PowerShell cmdlet.
- Open a shell prompt.
- Run the following command
curl -k -u <splunk_username>:<password> -X POST https://<servername>:<port>/services/admin/token-auth/tokens_auth -d disabled=true
The instance disables token authentication immediately, and there is no need to restart the instance.
Create, use, manage, and delete tokens
After you enable token authentication, you can do the following with authentication tokens:
- Create tokens. See Create authentication tokens.
- Manage or delete tokens. See Manage or delete authentication tokens.
- Use tokens to authenticate. See Use authentication tokens.
If you disable token authentication, any tokens that are on the instance become inaccessible immediately, and you must enable token authentication again to restore access to tokens that are valid.
| Set up authentication with tokens | Create authentication tokens |
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
Comments
Download manual
You must be logged into splunk.com in order to post comments. Log in now.
Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.
Your Comment Has Been Posted Above
Feedback submitted, thanks!