Securing Splunk Enterprise
Map groups on a SAML identity provider to Splunk roles
After you configure a Splunk platform deployment to use a Security Assertion Markup Language (SAML) identity provider (IdP) for authentication, you can then authorize groups on that IdP to log into the Splunk platform instance by mapping those groups to Splunk roles. You can map multiple groups on the IdP to a single Splunk role.
This is the only way to give users on your IdP access to the Splunk platform deployment. You cannot give individual users on the IdP access to the Splunk platform deployment unless you create a group on the IdP for the user, or add the user to an existing group.
Prerequisites for mapping SAML groups to Splunk roles
Confirm that you have completed the following steps before you attempt to map groups on your IdP to roles on your Splunk platform deployment:
- The identity provider you have is SAML version 2.0 compliant.
- You have configured your IdP to supply the necessary attributes in an assertion that it sends.
- You have configured your Splunk platform deployment to use the IdP as an authentication scheme.
For more specifics on these prerequisites, see Configure single sign-on with SAML.
Considerations for mapping SAML groups to Splunk roles
Depending on the SAML IdP that you use for authentication, you might need to take the following considerations into account to ensure that authentication through SAML works properly.
Considerations for mapping groups to Splunk roles with Microsoft Azure as the identity provider
When you map SAML groups to Splunk roles, you must map the roles to the group ID, or universally unique identifier (UUID), and not the group name, since groups can share the same name. Mapping roles to the group ID ensures that you map the correct group to your role.
The Splunk platform automatically maps SAML groups to Splunk roles with the same name
In an effort to ease administration for Splunk administrators who connect their Splunk platform instances to SAML IdPs, the Splunk platform automatically maps groups that it encounters on the SAML IdP to Splunk roles that have the same name. For example, if your IdP has a 'user' group, when you connect the Splunk platform instance to your SAML IdP, it automatically maps the 'user' group to the Splunk 'user' role, and all users in the IdP user group get access to the permissions of the Splunk 'user' role.
You can turn off the automapping functionality using either Splunk Web or configuration files on Splunk Enterprise. For the instructions using configuration files in Splunk Enterprise, see Configure automapping of SAML IdP groups to Splunk roles.
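The following added example (not Splunk code or part of the original documentation) audits a role mapping for the two points above: groups mapped by name instead of UUID, and roles a user would receive only because automapping matched a group name to a role name. It assumes mappings are written as `role = group1;group2` under a `[roleMap_SAML]` stanza, models automapping as an exact name match, and uses constructed group IDs and a constructed role list.

```python
import configparser
import re

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample. Assumed layout: "<Splunk role> = <group>;<group>".
SAMPLE_CONF = """
[roleMap_SAML]
admin = 3f2b8c1e-5d47-4a9b-8e21-0c6d9f4a7b12
power = Splunk-Power-Users;7a1d2e3f-4b5c-4d6e-8f70-112233445566
"""

def load_role_map(conf_text, stanza="roleMap_SAML"):
    """Invert the stanza into {idp_group: {splunk_role, ...}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep role names case-sensitive
    parser.read_string(conf_text)
    group_to_roles = {}
    for role, groups in parser[stanza].items():
        for group in filter(None, (g.strip() for g in groups.split(";"))):
            group_to_roles.setdefault(group, set()).add(role)
    return group_to_roles

def non_uuid_groups(group_to_roles):
    """Groups mapped by name; with Azure these can collide with other groups."""
    return sorted(g for g in group_to_roles if not UUID_RE.match(g))

def effective_roles(assertion_groups, group_to_roles, splunk_roles, automap):
    """Roles granted for the groups carried in one SAML assertion."""
    roles = set()
    for group in assertion_groups:
        roles |= group_to_roles.get(group, set())   # explicit mapping
        if automap and group in splunk_roles:       # same-name automapping
            roles.add(group)
    return roles

def automap_only_grants(assertion_groups, group_to_roles, splunk_roles):
    """Roles the user holds solely because automapping is turned on."""
    on = effective_roles(assertion_groups, group_to_roles, splunk_roles, True)
    off = effective_roles(assertion_groups, group_to_roles, splunk_roles, False)
    return sorted(on - off)

if __name__ == "__main__":
    role_map = load_role_map(SAMPLE_CONF)
    roles = {"admin", "power", "user"}               # constructed role list
    groups = ["admin", "7a1d2e3f-4b5c-4d6e-8f70-112233445566"]
    print("mapped by name:", non_uuid_groups(role_map))
    print("granted only by automapping:", automap_only_grants(groups, role_map, roles))
```

Running the audit with automapping on and off shows which privileged roles depend on an IdP group name that nobody explicitly mapped.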
Toggle automapping of SAML groups to Splunk roles in Splunk Web
Use the following procedure to turn on or turn off automapping of groups on a SAML IdP to Splunk roles.
- In the system bar, click Settings > Authentication Methods.
- Under External, confirm that the SAML checkbox is selected.
- Click Configure Splunk to use SAML.
- In the SAML Configuration dialog box, under General settings:
  - To turn on automatic role mapping of SAML groups to Splunk roles, select the Enable Auto Mapped Roles check box.
  - To turn off automatic role mapping of SAML groups to Splunk roles, unselect the Enable Auto Mapped Roles check box.
- Select Save. The change takes effect immediately.
Map groups on a SAML identity provider to Splunk roles
- In the system bar, click Settings > Authentication Methods.
- Under External, confirm that the SAML checkbox is selected.
- Click Configure Splunk to use SAML.
- Click Cancel to close the SAML Configuration dialog box and show the SAML groups page.
- Click New Group, or click Edit if you want to modify an existing SAML group.
- If you are creating a new group, in the Group Name field, enter the name of the group. Typically, this is the name of a group on the IdP.
- In the Splunk Roles section, choose the Splunk roles to which you want this group to map by clicking one or more of the roles in the Available item(s) column.
- Click Save. Splunk Web saves the group and returns you to the SAML Groups page.
After you configure SAML SSO and map groups to Splunk roles, you can distribute the login URL to users on your identity provider.
This documentation applies to the following versions of Splunk® Enterprise: 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2