How devices authenticate to your Splunk platform with SAML authentication

Security Assertion Markup Language (SAML) authentication uses JSON Web Token (JWT) to securely authenticate mobile devices to your Splunk platform. To learn more about how JWT works and how to set up JWT, see Set up authentication with tokens.

The following diagrams illustrate how mobile client devices authenticate to the Splunk Platform through a supported identity provider (IdP). Splunk Cloud Gateway performs validation and encryption. Spacebridge, a secure intermediary component, routes the credentials bundle back to the client device.

To learn about supported IdPs and how to set up SAML authentication for your Connected Experiences mobile app deployment, see Set up SAML authentication for Splunk Cloud Gateway.

SAML authentication with provided authentication code

This is how a mobile client device authenticates to the Splunk platform with an IdP and the authentication code provided in a Connected Experiences mobile app.

1. When a user launches the Splunk platform web view, they're redirected to their IdP to log in with their user credentials.
2. The IdP issues a short-lived session token and the user has access to the Splunk platform.
3. The user enters the authentication code provided in the Connected Experiences mobile app into Splunk Cloud Gateway.
4. Splunk Cloud Gateway routes the authentication code to Spacebridge.
5. Spacebridge receives and validates the authentication code.
6. The user confirms that the conformation code on their device matches the one in Splunk Cloud Gateway.
7. Splunk Cloud Gateway validates the user credentials and short-lived session token.
8. Splunk Cloud Gateway requests a long-lived JWT from the Splunk platform.
9. The Splunk platform issues a JWT to Splunk Cloud Gateway.
10. Splunk Cloud Gateway encrypts the JWT, JWT expiry date, username, encryption keys, and Cloud Gateway ID.
11. Spacebridge routes the JWT, JWT expiry date, username, encryption keys, and Cloud Gateway ID back to the client device.

SAML authentication with MDM

This is how a mobile client device authenticates to the Splunk platform with an IdP and Mobile Device Management (MDM) provider. When an admin sets up MDM, they generate an instance ID file that supports SAML authentication. To learn more about MDM, see About Mobile Device Management (MDM) and In-app registration.

1. When a user launches a Connected Experiences app that supports SAML authentication, they select the SAML authentication login option.
2. The client device generates and signs a public key with the MDM private key from the instance ID file.
3. The client device requests access to Splunk Cloud Gateway and opens a web view.
4. The user is redirected to their IdP to log in with their user credentials.
5. The IdP issues a short-lived session token to Splunk Cloud Gateway.
6. Splunk Cloud Gateway validates the signature from the MDM private key.
7. Splunk Cloud Gateway validates the user credentials and short-lived session token.
8. Splunk Cloud Gateway requests a long-lived JWT from the Splunk platform.
9. The Splunk platform issues a JWT to Splunk Cloud Gateway.
10. Splunk Cloud Gateway encrypts the JWT with its own encryption key and the client device public key.
11. Splunk Cloud Gateway makes a request for the registration page with the JWT as its query parameter.
12. The client device recognizes the request for the registration page, retrieves the JWT, and closes the web view.
13. Spacebridge establishes a websocket connection between the client device and Splunk Cloud Gateway.
14. The client device returns the JWT through websocket connection to Splunk Cloud Gateway.