Securing Splunk Enterprise
About multifactor authentication with Duo Security
Multifactor authentication lets you configure a primary and secondary login for Splunk Enterprise users. Duo Security multifactor authentication secures Splunk Web logins on Splunk Enterprise instances.
Splunk Cloud Platform does not support multifactor authentication with Duo Security.
When Splunk Enterprise uses Duo Security multifactor authentication, you must set up a second authentication method and then use that method for future logins. The login workflow is as follows:
- You log in to the Splunk Web page using your login credentials. This is the primary login.
- You then see a second login page, "Duo Authentication". This is the secondary login.
- The first time you log in, you follow the instructions on the Duo login page to set up your preferred method for accessing your secondary credentials:
  - Log in with credentials sent through a push notification on your smartphone (Duo Security Mobile app required).
  - Log in with credentials sent through an SMS message to your cell phone.
  - Log in with credentials sent through a phone call made to your cell phone.
  - Log in by entering a one-time code that the Duo Mobile app generates.
- After the initial login and configuration, every time you reach the secondary login, you receive those login credentials using your preferred method.
Duo Traditional Prompt and Universal Prompt
The Traditional Prompt is the default authentication experience for Duo Security users when they log in to Splunk Enterprise. The Universal Prompt is a more secure and advanced authentication experience than the Traditional Prompt. It supports advanced authentication features like Verified Duo Push, Risk-Based Authentication, and Passwordless login, which streamline the experience for end users and administrators. To learn about the Universal Prompt, see "About the Duo Universal Prompt" on the Duo website.
If you use the Traditional Prompt for Duo multifactor authentication, upgrade Splunk Enterprise on-premises to version 9.1.6, 9.1.7, 9.2.3, 9.3.1, or higher. These versions support Duo Universal Prompt. Next, migrate from the Traditional Prompt to the Universal Prompt. Because the Traditional Prompt is deprecated, continued use of it might result in authentication failures in the future. Versions 9.2.0, 9.2.1, 9.2.2, and 9.3.0 do not support Duo Universal Prompt.
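The version rule above is easy to get wrong with a plain "9.1.6 or later" comparison, because 9.2.0 through 9.2.2 and 9.3.0 sort higher than 9.1.6 yet lack Universal Prompt support. The following audit helper is an added example, not Splunk code: the host names and inventory are constructed, and treating release lines newer than 9.3 as "or higher" is an assumption.

```python
import re

# Minimum patch level per release line that supports the Duo Universal
# Prompt, taken from the version list in the paragraph above.
MIN_PATCH = {(9, 1): 6, (9, 2): 3, (9, 3): 1}
NEWEST_LISTED_LINE = max(MIN_PATCH)


def parse_version(text):
    """Return (major, minor, patch) from a version string such as '9.2.1'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*", text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def supports_universal_prompt(version):
    """Apply the per-release-line rule instead of one global minimum."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in MIN_PATCH:
        return patch >= MIN_PATCH[line]
    # Assumption: lines newer than the newest listed one count as
    # "or higher"; lines older than 9.1 do not support the prompt.
    return line > NEWEST_LISTED_LINE


def hosts_needing_upgrade(inventory):
    """Return hosts that must be upgraded before migrating, sorted by name."""
    return sorted(host for host, version in inventory.items()
                  if not supports_universal_prompt(version))


# Constructed inventory: hypothetical host names mapped to installed versions.
INVENTORY = {
    "sh01.example.internal": "9.1.7",
    "sh02.example.internal": "9.2.1",   # higher than 9.1.6, still unsupported
    "sh03.example.internal": "9.3.0",
    "sh04.example.internal": "9.2.3",
    "sh05.example.internal": "8.2.12",
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(INVENTORY):
        print(f"{host}: upgrade required ({INVENTORY[host]})")
```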
Set up Duo Security for multifactor authentication
- Create an account for your Splunk Enterprise configuration on the Duo website. Visit the Duo website for more information on how to create accounts in Duo.
- Provide Splunk Enterprise with the information from your Duo Security Account. See Configure Splunk to use Duo Security multifactor authentication for more information.
This documentation applies to the following versions of Splunk® Enterprise: 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.3.0