Splunk® Enterprise

Securing Splunk Enterprise


Configure Splunk Enterprise to use Duo Security multifactor authentication

NOTE: If you have previously configured Splunk Enterprise to use Duo authentication via https://duo.com/docs/splunk, you must use the task described in this topic to reconfigure multifactor login with Duo Security.

Overview

  • Use the Duo Security website to create a Duo Security account for Splunk Enterprise. See https://duo.com for more information.
  • Configure Splunk Enterprise to use Duo by providing the following information:
    • Your integration key (for example, DIXXXXXXXXXXXXXXXXXX)
    • Your secret key
    • Your API hostname (for example, api-XXXXXXXX.duosecurity.com)
  • When the user logs into Splunk Enterprise and follows the instructions on the Duo login page, they are given secondary login credentials.

Configure

1. In the Menu, select Settings > Users and Authentication > Access roles.

2. Click Authentication Method.

3. Under Multifactor Authentication, select Duo Security.

4. Click the Configure Duo Security link.

5. Provide the Integration Key from your Duo configuration. You can find this key on your Duo Security configuration page or at Configuration > Details.

6. Provide the Secret Key from your Duo Security configuration. You can find this key on your Duo Security configuration page or at Configuration > Details.

7. Provide the API Hostname from your Duo configuration. You can find this hostname on your Duo Security configuration page or at Configuration > Details.

8. Tell Splunk Enterprise how to authenticate users when Duo Security is unavailable:

  • Let users login: Users who have successfully logged into Splunk Web (i.e., primary authentication) can access Splunk Enterprise even if Duo authentication (i.e., secondary authentication) fails.
  • Do not let users login: Users who have successfully logged into Splunk Web (i.e., primary authentication) cannot access Splunk Enterprise if Duo authentication (i.e., secondary authentication) fails.

9. Provide a time limit, in seconds, for how long authentication is attempted before the connection times out.

10. Save your changes. You do not need to reload authentication for multifactor authentication to take effect.

Once a user logs in, the Duo login page appears and instructs the user to choose a method to access their secondary login credentials.
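A pre-flight check for the values entered in steps 5 through 9, as an added example that is not part of the Splunk documentation or Splunk's own code. The function name, its parameters and the sample values are hypothetical, and the key and hostname patterns assume that each X in the Overview placeholders stands for one alphanumeric character.

```python
import re

# Assumption: shapes follow the placeholders in the Overview, with each
# X standing for one alphanumeric character.
IKEY_RE = re.compile(r"DI[A-Za-z0-9]{18}")
HOST_RE = re.compile(r"api-[A-Za-z0-9]{8}\.duosecurity\.com")


def check_duo_settings(ikey, skey, api_host, allow_login_if_duo_down, timeout):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not IKEY_RE.fullmatch(ikey):
        findings.append("integration key: expected DI followed by 18 characters")
    # Pasted secrets often carry stray whitespace or a trailing newline.
    if not skey or skey != skey.strip():
        findings.append("secret key: empty or has surrounding whitespace")
    if skey and skey == ikey:
        findings.append("secret key: same value as the integration key")
    # fullmatch rejects URLs, ports, paths and look-alike parent domains, so
    # the value can only name a host directly under duosecurity.com.
    if not HOST_RE.fullmatch(api_host):
        findings.append("API hostname: expected api-XXXXXXXX.duosecurity.com")
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
        findings.append("timeout: expected a positive whole number of seconds")
    # Step 8: the permissive choice means a Duo outage removes the second factor.
    if allow_login_if_duo_down:
        findings.append("policy: 'Let users login' admits users on primary "
                        "authentication alone while Duo is unavailable")
    return findings


# Constructed sample values, not real credentials.
GOOD = dict(ikey="DIA1B2C3D4E5F6G7H8I9", skey="s" * 40,
            api_host="api-1a2b3c4d.duosecurity.com",
            allow_login_if_duo_down=False, timeout=15)
BAD = dict(ikey="DIXXXX", skey="secret\n",
           api_host="https://api-1a2b3c4d.duosecurity.com.example.net",
           allow_login_if_duo_down=True, timeout=0)

if __name__ == "__main__":
    for finding in check_duo_settings(**BAD):
        print(finding)
```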

How multifactor authentication works with other forms of authentication

Note that you cannot use any form of multi-factor authentication with SSO or SAML authentication. Multi-factor authentication works with the following sources of authentication:

  • Native authentication
  • LDAP
  • Scripted authentication

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0


Comments

Duo Security supports multi-factor authentication with SAML v2 authentication now. (On-prem at least; documentation doesn't specify about cloud.)

"Duo Access Gateway (DAG), our on-premises SSO product, layers Duo's strong authentication and flexible policy engine on top of Splunk logins using the Security Assertion Markup Language (SAML) 2.0 authentication standard."
https://duo.com/docs/splunk-sso#duo-access-gateway

Ddearmond splunk, Splunker
May 26, 2017
