Splunk® Cloud Services

Splunk Cloud Console

Set up a SAML Integration to Splunk Cloud Services in Okta

Splunk Cloud Services (SCS) can communicate with Okta for authentication and authorization using the Security Assertion Markup Language (SAML) protocol. To establish this communication, you must connect SCS to Okta by using the Okta configuration web page in Okta, then using the Splunk Cloud Console configuration web page in SCS.

You must configure a SAML application in Okta that SCS can then use to perform authentication and authorization. After you create the application, SCS connects securely to the application using the certificate that Okta provides and uses the application to validate user access to SCS and its resources.

The connection process occurs over the following procedures:

  1. Retrieve the Assertion Consumer Service (ACS) URL and Audience URI from Splunk Cloud Console in preparation for configuring the SAML application in Okta. This initial procedure takes place in Splunk Cloud Console and helps you provide information to Okta in the next procedure.
  2. Create a SAML application in Okta for integration with SCS. This procedure takes place in Okta. You provide information that you got in SCS to Okta in this procedure.
  3. Retrieve the Identity Provider Single Sign-On URL and public certificate for configuring the SCS-to-Okta SAML application connection. This procedure also occurs in Okta, after you have set up the SAML application, and helps you provide information to SCS in the next and last procedure.
  4. Configure the connection from SCS to the SAML application in Okta using Splunk Cloud Console. This procedure completes the connection and lets SCS and Okta communicate natively with each other through the SAML protocol.

Complete the procedures in order. You first set up the SAML app in Okta using information you get from SCS, then you complete the set up in SCS with information you get from Okta.

Retrieve the Assertion Consumer Service (ACS) URL and Audience URI from Splunk Cloud Console in preparation for configuring the SAML application in Okta

Before SCS can communicate with Okta for authentication and authorization, you must set up a SAML application in Okta through which Splunk Cloud Services (SCS) will interface. To create the application, you must provide information to Okta that you can only get from SCS - the Assertion Consumer Service URL and Audience URI.

This information is available in the SAML Settings screen in Splunk Cloud Console. You will enter this information into the SAML application setup wizard in Okta. After you set up the app, Okta provides you information that you require to complete the SCS-Okta connection in Splunk Cloud Console.

  1. Sign into Splunk Cloud Console as a user with administrator privileges.
  2. Click Settings.
  3. Click SAML Configuration.
  4. Review the fields in the 1. IdP SAML Configuration section.
    • The ACS URL (Single Sign-on) is the Single Sign-on URL that you will provide in the Configure SAML tab of the Okta SAML application setup wizard.

      This value is unique for your Splunk Cloud Services tenant.

  5. Copy or write down this value. You will supply it to Okta in the next procedure.

Create a SAML application in Okta for Integration with Splunk Cloud Services

Before SCS can use Okta as an identity provider for authentication and authorization, you must configure a SAML application in Okta to which SCS can communicate. After you configure the Okta app, SCS connects to the app to retrieve user information and grants access to SCS services based on information it receives from the app.

  1. Sign in to Okta as a user with administrator privileges.
  2. In the Admin Console, click Applications > Applications.
  3. Click Create New App.
  4. Select Web as the platform for your integration.
  5. In the Sign-in Method section, select SAML 2.0.
  6. In the General Settings tab, in the App Name field, enter a name for the application.
  7. (Optional) To upload an image that represents your application, click Browse to locate the image on your computer. After you locate the image, click Upload Logo to upload the image.
  8. In App visibility, leave the Do not display application icon to users and Do not display application icon in the Okta Mobile app options unchecked.
  9. Click Next.
  10. In the Configure SAML tab, in the Single Sign-on URL field, type or paste in the value you got from the ACS URL (Single Sign-on) field in the Splunk Cloud Console SAML settings page.
  11. In the Audience URI (SP Entity ID) field, type or paste in the value you got from the Audience URI (SP Entity ID) field in the Splunk Cloud Console SAML settings page.
  12. Leave the Default RelayState field empty.
  13. Choose the Name ID format and Application username that Okta must send to your application in the SAML response (for example, EmailAddress and Email).
  14. In the Attribute Statements (Optional) section, add the following SAML attributes.
    Attribute name (in SAML application) Value (if using the default Okta profile)
    Email user.email
    FirstName user.firstName
    LastName user.lastName

    You must supply a minimum of these attributes and values, or SCS will not interface properly with the SAML application. If you are not using the default Okta profile, you might need to specify a different value for the Email attribute name.

  15. (Optional) Click the button in Section B to preview the generated SAML assertion.
  16. Click Next.
  17. In the Feedback tab, select the I'm an Okta customer adding an internal app radio button.
  18. In the checkboxes that appear, under App type, click This is an internal app that we have created.
  19. Click Finish. Okta returns you to the information screen for the app you set up.

Retrieve the Identity Provider Single Sign-On and Entity Descriptor URLs and public certificate for configuring the SCS-to-Okta SAML application connection

When you created the SAML application in Okta through which SCS will interface, you were asked to paste in the Assertion Consumer Service (ACS) URL and Audience URI from SCS to complete the SAML application setup process in Okta. This information helped Okta generate Identity Provider Single Sign-on and Entity Descriptor URLs and a public certificate for SCS to use to communicate with Okta through the SAML application.

Now that you have set up the application in Okta, you must retrieve the Identity Provider Single Sign-on and Entity Descriptor URLs and the public certificate from there. You will use this information to complete integration of SCS with your IdP from within Splunk Cloud Console.

  1. From the Okta dashboard, click Applications > Applications.
  2. In the Applications screen, in the STATUS column, click ACTIVE. The application you created appears in the list.
  3. Click the application you created in the list.
  4. Click the Sign-on tab.
  5. Click View Setup Instructions. The "How to configure SAML 2.0 for <your application>" page appears.
  6. Review the information on this screen.
    1. The Identity Provider Single Sign-On URL is the Single Sign-on Service URL that you will provide in the procedure to integrate SCS with the SAML application in Okta.
    2. The Identity Provider Issuer is the Entity descriptor URL that you will provide in the same procedure.
    3. The X.509 Certificate is the security certificate that SCS will use when it connects securely with the SAML application that you created in Okta previously.
  7. Either write down the Identity Provider Single Sign-On URL and Identity Provider Issuer values, or copy and paste the values to a text file. You will need these values in the following procedure.
  8. Copy the X.509 Certificate to your computer clipboard. When you copy the certificate, copy the certificate text only. Do not include the header or footer (the "----- BEGIN/END certificate -----") text.

Configure the connection from SCS to the SAML application in Okta using Splunk Cloud Console

After you configure the SAML application in Okta and retrieve the Identity Provider Single Sign-on and Entity descriptor URLs and public certificate from there, you can then configure Splunk Cloud Services to use the Okta SAML application for authentication and authorization.

When you fill in at least one, but not all, of the required fields in the SAML Configuration dialog box, a Save button appears. This button lets you save your configuration progress, but does not enable the configuration. You can enable the configuration only after you supply all the required information.

  1. Log into Splunk Cloud Console.
  2. Click Settings.
  3. Click SAML Configuration.
  4. Leave all fields in the 1. IdP SAML Configuration section as they are.
  5. In "2. Splunk SAML configuration", type or paste in the Identity Provider Issuer URL that you got in the previous procedure into the Entity Descriptor field.
  6. Type or paste in the Identity Provider Single Sign-On URL into the Single Sign-on Service field.
  7. In the Public Certificate field, paste in the public certificate that you retrieved from the Okta SAML application setup screen and copied to your computer clipboard.
  8. In the Map SAML Attributes section, in the Email Address field, type in the name of the Email attribute you provided when you set up the SAML application in Okta.

    See the "Create a SAML application in Okta for Integration with Splunk Cloud Services" procedure earlier in this topic for a table of the attributes.

  9. In the First Name field, type in the name of the FirstName attribute you provided when you set up the SAML application in Okta.
  10. In the Last Name field, type in the name of the LastName attribute you provided when you set up the SAML application in Okta. After you have filled in all of the fields on the screen, the Enable configuration button appears.
  11. Click "Enable configuration" to validate and activate the SAML configuration.

Enable JIT provisioning

You can enable just-in-time provisioning so that you don't need to manually send an invite to users to join your tenant. You do not have to enable JIT provisioning to invite users to your tenant, but you must integrate an identity provider before JIT provisioning can work.

Last modified on 30 October, 2021

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters