Configure Splunk Cloud Platform to use SAML for authentication tokens
Currently, the Splunk platform supports using authentication tokens in Splunk Cloud Platform with the Microsoft Azure and Okta Security Assertion Markup Language (SAML) identity providers (IdPs), as well as other providers that support attribute query requests (AQR), which lets Splunk Cloud Platform retrieve information about users on the IdP. When you configure Splunk Cloud Platform to use SAML as an authentication scheme, you let Splunk Cloud Platform query these IdPs to confirm that tokens you create in Splunk Cloud Platform for authentication are valid.
Splunk Cloud Platform also supports authentication tokens when it uses either the native or Lightweight Directory Access Protocol (LDAP) authentication schemes. To learn more about authentication tokens, how they work, and how you enable or disable them individually or globally, see Set up authentication with tokens.
Prerequisites for using Splunk Cloud Platform with authentication tokens
- You must use one of the following SAML IdPs. IdPs that do not support AQR are not supported at this time:
- Microsoft Azure
- Okta
- Any other IdP that supports AQR
- You must hold credentials that let you configure authentication schemes in Splunk Cloud Platform
- You must configure Splunk Cloud Platform to use SAML as an authentication scheme, if you have not already
- You must configure SAML authentication extensions so that Splunk Cloud Platform can retrieve user information from the IdP
Configure Splunk Cloud Platform to use SAML as an authentication scheme
Before Splunk Cloud Platform can query Microsoft Azure or Okta to validate authentication tokens, you must configure your Splunk Cloud Platform instance to use SAML for authentication.
If you have already configured your Splunk Cloud Platform instance to use SAML, you do not have to perform this procedure again.
- Log into Splunk Cloud Platform as an administrator level user.
- From the system bar, click Settings > Authentication Methods.
- Under External, click SAML. A link Configure Splunk to use SAML appears.
- Click Configure Splunk to use SAML. The SAML configuration dialog box appears.
- In the General Settings section of the "SAML configuration" dialog box, supply the appropriate information to access the Microsoft Azure or Okta IdP. You must supply at least the following in the "General Settings" section:
- Single Sign-on (SSO) URL
- IdP Certificate Chains
- Issuer ID
- Entity ID
- In the Alias section, supply the three aliases as provided by your IdP:
- Role alias
- RealName alias
- Mail alias
Configure authentication extensions
When you configure authentication extensions, you specify a script for either Microsoft Azure or Okta, a timeout for the script to run, and a time-to-live for the user information that Splunk Cloud Platform retrieves from the IdP and caches.
When Splunk Cloud Platform queries the IdP and runs the appropriate script to get user information, the script timeout determines how long Splunk Cloud Platform waits for the IdP to answer. You can configure it to wait anywhere from 300 to 3600 seconds, or 5 minutes to 1 hour. 300 seconds is the default.
After Splunk Cloud Platform successfully retrieves the information, it caches it, and the Get user info time-to-live determines how long Splunk Cloud Platform serves user information from that cache. During this period, Splunk Cloud Platform does not query the IdP for the information it has cached.
The lowest amount of time that Splunk Cloud Platform caches user information is 3600 seconds or 1 hour. You can set this time-to-live higher to reduce the chance of overloading your IdP with requests, but doing so also increases the chance that Splunk Cloud Platform does not have the most up-to-date user information, which can pose a security risk: a user who is disabled or removed from a group on the IdP keeps the Splunk roles mapped from the cached entry until the entry expires, so the time-to-live is effectively the upper bound on how long a revocation at the IdP takes to reach the Splunk platform.
Configure extensions for the Microsoft Azure identity provider
Splunk Cloud Platform requires the getUserInfo authentication extension to connect to Microsoft Azure as an identity provider.
If you have a user on the IdP that is a member of more than 150 groups, then Splunk Cloud Platform also requires the login authentication extension.
1. Log into Splunk Cloud Platform as an administrator level user.
2. From the system bar, click Settings > Authentication Methods.
3. Click "Configure Splunk to use SAML". The "SAML configuration" dialog box appears.
4. In the Script path field within the Authentication Extensions section of the "SAML configuration" dialog box, type in SAML_script_azure.py.
5. In the Script timeout field, type in 300s.
6. In the Get User Info time-to-live field, type in 3600s.
7. Click the Script functions field.
8. In the pop-up window that appears, click getUserInfo.
9. (Optional) If there is at least one user on the IdP that is a member of more than 150 groups, repeat Steps 7-8 to add the login script function.
10. Under Script Secure Arguments, click Add Input.
11. In the Key field, type in clientId.
12. In the Value field, type in the Azure client ID.
13. Repeat Steps 10-12 to add the clientSecret key and the Azure client secret value that Splunk Cloud Platform is to use for authentication.
14. Repeat Steps 10-12 to add the tenantId key and the Azure tenant ID value.
15. (Optional) If you want Splunk Cloud Platform to retrieve roles that are in nested groups within the Azure environment, repeat Steps 10-12 to add the groupType key with transitive as its value.
16. Click Save. Splunk Cloud Platform saves the Azure configuration and returns you to the SAML Groups page.
Configure authentication extensions for the Okta identity provider
1. Log into Splunk Cloud Platform as an administrator level user.
2. From the system bar, click Settings > Authentication Methods.
3. Click "Configure Splunk to use SAML". The "SAML configuration" dialog box appears.
4. In the Script path field within the Authentication Extensions section of the "SAML configuration" dialog box, type in SAML_script_okta.py.
5. In the Script timeout field, type in 300s.
6. In the Get User Info time-to-live field, type in 3600s.
7. Click the Script functions field.
8. In the pop-up window that appears, click getUserInfo.
9. Under Script Secure Arguments, click Add Input.
10. In the Key field, type in apiKey.
11. In the Value field, type in the API key for your IdP.
12. Click Add Input again.
13. In the Key field, type in baseUrl.
14. In the Value field, type in the URL of your Okta instance.
15. Click Save. Splunk Cloud Platform saves the Okta configuration and returns you to the SAML Groups page.
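The two procedures above and the timeout discussion before them amount to a small set of rules: the script timeout must lie between 300 and 3600 seconds, the user-info time-to-live must be at least 3600 seconds, getUserInfo is always required, login is required for Azure when a user is in more than 150 groups, and each script expects a fixed set of Script Secure Arguments. The following is an added example, not Splunk code and not part of this page's procedure: a stand-alone Python check that encodes those rules so a proposed extension configuration can be reviewed before it is saved in Settings > Authentication Methods. The dictionary keys (scriptPath, scriptTimeout, getUserInfoTtl, scriptFunctions, scriptSecureArguments), the maxGroupsPerUser hint that the reviewer supplies by hand, the one-day warning threshold and the sample configurations are all assumptions made for the example; the secret values are placeholders.

```python
"""Offline review of a Splunk SAML authentication-extension configuration.

Added example, not Splunk code. It encodes the constraints stated on this page
(script timeout 300s-3600s, user-info TTL >= 3600s, required script functions,
and the Script Secure Arguments each IdP script expects). The dictionary keys,
the maxGroupsPerUser hint and the sample configs are this example's own.
"""
import re
from typing import Dict, List

# Bounds stated on the page.
SCRIPT_TIMEOUT_MIN_S = 300
SCRIPT_TIMEOUT_MAX_S = 3600
USER_INFO_TTL_MIN_S = 3600
# Not a page rule: a review flag, since revoked IdP access persists for the TTL.
USER_INFO_TTL_WARN_S = 86400

# Secure arguments each script consumes, from the page's procedures.
REQUIRED_ARGS = {
    "SAML_script_azure.py": {"clientId", "clientSecret", "tenantId"},
    "SAML_script_okta.py": {"apiKey", "baseUrl"},
}
OPTIONAL_ARGS = {
    "SAML_script_azure.py": {"groupType"},
    "SAML_script_okta.py": set(),
}

_DURATION = re.compile(r"^(\d+)\s*(s|m|h)?$")
_UNIT_S = {"s": 1, "m": 60, "h": 3600, None: 1}


def parse_duration(value: str) -> int:
    """Convert '300s', '5m', '1h' or a bare number of seconds to seconds."""
    m = _DURATION.match(value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNIT_S[m.group(2)]


def validate_extension_config(cfg: Dict) -> List[str]:
    """Return a list of findings; an empty list means the config passes review."""
    findings: List[str] = []
    script = cfg.get("scriptPath", "")
    if script not in REQUIRED_ARGS:
        return [f"unknown script path {script!r}; expected one of {sorted(REQUIRED_ARGS)}"]

    # Script timeout and cache TTL, as bounded on the page.
    try:
        timeout = parse_duration(cfg.get("scriptTimeout", ""))
        if not SCRIPT_TIMEOUT_MIN_S <= timeout <= SCRIPT_TIMEOUT_MAX_S:
            findings.append(f"scriptTimeout {timeout}s outside {SCRIPT_TIMEOUT_MIN_S}-{SCRIPT_TIMEOUT_MAX_S}s")
    except ValueError as exc:
        findings.append(str(exc))
    try:
        ttl = parse_duration(cfg.get("getUserInfoTtl", ""))
        if ttl < USER_INFO_TTL_MIN_S:
            findings.append(f"getUserInfoTtl {ttl}s is below the {USER_INFO_TTL_MIN_S}s minimum")
        elif ttl > USER_INFO_TTL_WARN_S:
            findings.append(f"getUserInfoTtl {ttl}s exceeds one day; revoked IdP access persists until expiry")
    except ValueError as exc:
        findings.append(str(exc))

    # Script functions: getUserInfo always; login for Azure users in >150 groups.
    functions = set(cfg.get("scriptFunctions", []))
    if "getUserInfo" not in functions:
        findings.append("scriptFunctions must include getUserInfo")
    if script == "SAML_script_azure.py" and cfg.get("maxGroupsPerUser", 0) > 150 and "login" not in functions:
        findings.append("a user is in more than 150 Azure groups; add the login script function")

    # Secure arguments: required keys present, nothing unexpected, no empty values.
    args = cfg.get("scriptSecureArguments", {})
    missing = REQUIRED_ARGS[script] - set(args)
    if missing:
        findings.append(f"missing secure arguments: {sorted(missing)}")
    unexpected = set(args) - REQUIRED_ARGS[script] - OPTIONAL_ARGS[script]
    if unexpected:
        findings.append(f"unexpected secure arguments: {sorted(unexpected)}")
    for key, value in args.items():
        if not str(value).strip():
            findings.append(f"secure argument {key} is empty")
    if script == "SAML_script_azure.py" and "groupType" in args and args["groupType"] != "transitive":
        findings.append("groupType must be 'transitive' to resolve nested Azure groups")
    if script == "SAML_script_okta.py":
        base = args.get("baseUrl", "")
        if base and not base.startswith("https://"):
            findings.append("baseUrl must use https so the Okta API token is not sent in clear text")
    return findings


# Constructed sample configurations; credential values are placeholders.
AZURE_OK = {
    "scriptPath": "SAML_script_azure.py",
    "scriptTimeout": "300s",
    "getUserInfoTtl": "3600s",
    "scriptFunctions": ["getUserInfo", "login"],
    "maxGroupsPerUser": 200,  # reviewer-supplied hint, not a Splunk setting
    "scriptSecureArguments": {
        "clientId": "00000000-0000-0000-0000-000000000000",
        "clientSecret": "placeholder-secret",
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "groupType": "transitive",
    },
}
OKTA_BAD = {
    "scriptPath": "SAML_script_okta.py",
    "scriptTimeout": "300s",
    "getUserInfoTtl": "600s",  # below the 3600s minimum
    "scriptFunctions": ["getUserInfo"],
    "scriptSecureArguments": {"apiKey": "placeholder-token", "baseUrl": "http://example.okta.com"},
}

if __name__ == "__main__":
    for name, cfg in (("azure", AZURE_OK), ("okta", OKTA_BAD)):
        print(name, validate_extension_config(cfg) or "ok")
```

Run it against the dictionary you intend to type into the dialog box; the Okta sample deliberately fails on both the time-to-live and the plain-http baseUrl, and dropping login from the Azure sample while keeping maxGroupsPerUser above 150 produces the group-overage finding.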
This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2