Configure Splunk Enterprise to use Duo Security multifactor authentication
NOTE: If you have previously configured Splunk Enterprise to use Duo authentication via https://duo.com/docs/splunk, you must use the task described in this topic to reconfigure multifactor login with Duo Security.
- Use the Duo Security website to create a Duo Security account for Splunk Enterprise. See https://duo.com for more information.
- Configure Splunk Enterprise to use Duo by providing the following information:
- Your integration key (i.e. DIXXXXXXXXXXXXXXXXXX)
- Your secret key
- Your API hostname (i.e. api-XXXXXXXX.duosecurity.com)
- When the user logs into Splunk Enterprise and follows the instructions on the Duo login page, they are given secondary login credentials.
1. In the Menu, select Settings > Users and Authentication > Access roles.
2. Click Authentication Method.
3. Under Multifactor Authentication, select Duo Security.
4. Click the Configure Duo Security link.
5. Provide the Integration Key from your Duo configuration. You can find this key on your Duo Security configuration page or at Configuration > Details.
6. Provide the Secret Key from your Duo Security configuration or detail. You can find this key on your Duo Security configuration page or at Configuration > Details.
7. Provide the API Hostname from your Duo configuration. You can find this key on your Duo Security configuration page or at Configuration > Details.
8. Tell Splunk Enterprise how to authenticate users when Duo Security is unavailable:
- Let users login Users who have successfully logged into the Splunk Web (i.e., primary authentication) can access Splunk Enterprise even if Duo authentication (i.e., secondary authentication) fails.
- Do not let users login Users who have successfully logged into the Splunk Web (i.e., primary authentication) cannot access Splunk Enterprise if Duo authentication (i.e., secondary authentication) fails.
9. Provide a time limit, in seconds, for how long authentication is attempted before the connection times out.
10. Save your changes. You do not need to reload authentication for multifactor authentication to take effect.
Once a user logs in, the Duo login page appears, the user is instructed to choose a method to access their secondary login credentials.
How multifactor authentication works with other forms of authentication
Note that you cannot use any form of multi-factor authentication with SSO or SAML authentication. Multi-factor authentication works with the following sources of authentication:
- Native authentication
- Scripted authentication
About multifactor authentication with Duo Security
Configure Duo multifactor authentication for Splunk Enterprise in the configuration file
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.2.0, 7.2.1