Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics


Configure authentication for Splunk platform users

Configure how Splunk platform users are authenticated when accessing Splunk UBA.

Configure load balancing for persistent sessions

Use a third-party hardware or software load balancer in front of your clustered search heads so that users reach them through a single interface, without needing to specify a particular search head. Configure the load balancer so that user sessions are "sticky" or "persistent", meaning that each session remains on a single search head throughout. See Use a load balancer with search head clustering in the Splunk Enterprise Distributed Search manual.

Configure Splunk authentication using Splunk UBA

Perform the following tasks to configure Splunk authentication using Splunk UBA:

  1. On the Splunk platform, create the same roles that exist in Splunk UBA. For first-time deployments, you must create the uba_user, uba_analyst, and uba_admin roles, along with any other custom roles created in Splunk UBA. There must be a one-to-one mapping of roles between the Splunk platform and Splunk UBA, and the role names must match. Role names are case-insensitive, so a role called uba_testRole on the Splunk platform maps to uba_testrole in Splunk UBA. To learn more about creating users and roles in the Splunk platform, see About users and roles.

    When creating a new role in the Splunk platform, you must first select the uba_user role in the Inheritance section of the page. After the new role is created, it can be assigned to any user in the Splunk platform.

    When testing authentication with the Splunk platform, the user account being used for testing must also have one of the uba_user, uba_analyst, or uba_admin roles assigned to it.

  2. In Splunk UBA, select Manage > Settings.
  3. Verify that the Authentication tab is selected. It is selected by default. Then choose one of the following options:
    1. Select UBA Authentication to have your Splunk UBA instance authenticate users.
    2. Select Splunk Authentication to have your Splunk instance perform user authentication. You are prompted to provide additional information:
      • Host name and port of your Splunk instance. If search head clustering is configured and a load balancer is available, it is recommended to specify the load balancer host name to avoid a single point of failure. Ensure that port 8089 is accessible on the load balancer.
      • By default only the Splunk accounts with the uba_user role can log in as UBA users. If the Splunk Users option is selected, Splunk accounts with the user role can also log in as UBA users.
      • By default only the Splunk accounts with the uba_admin role can log in as UBA admins. If the Splunk Admins option is selected, Splunk accounts with the admin role can also log in as UBA admins.
      • Select both Splunk Users and Splunk Admins and click Test Connection to verify that the connection with your Splunk instance is working.
  4. Click OK to save your changes.

Configure Splunk authentication using the CLI

If you do not want to create new roles in the Splunk platform, set the allowSplunkUserRole and allowSplunkAdminRole settings to true to allow users with the Splunk platform user role or admin role, respectively, to log in to Splunk UBA from the Splunk platform.

If you configure Splunk Authentication by using Splunk UBA, this configuration overrides any setting made using the CLI.

  1. Log in to the Splunk UBA management server as the caspida user using SSH.
  2. Open the /etc/caspida/local/conf/uba-site.properties file.
  3. Edit or create the ui.splunk.authentication setting to match the following example:
    ui.splunk.authentication={"hostname": "<SplunkServer>", "port": "8089", "allowSplunkUserRole": true, "allowSplunkAdminRole": false}
    Set allowSplunkUserRole to true to allow users with the user role in the Splunk platform to view data from Splunk UBA in the Splunk platform. Replace <SplunkServer> with the Splunk search head host name. If search head clustering is configured and a load balancer is available, it is recommended to specify the load balancer host name to avoid a single point of failure. Ensure that port 8089 is accessible on the load balancer.
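
The following added example (not part of the Splunk documentation or product) audits a ui.splunk.authentication line before it is saved, and also checks the one-to-one, case-insensitive role mapping described earlier on this page. The function names, the sample file content, and the treatment of a missing flag as false are assumptions made for illustration.

```python
import json

KEY = "ui.splunk.authentication"
REQUIRED_ROLES = {"uba_user", "uba_analyst", "uba_admin"}  # roles named on this page

def read_auth_setting(properties_text):
    """Return the parsed JSON value of ui.splunk.authentication, or None."""
    value = None
    for line in properties_text.splitlines():
        key, sep, raw = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == KEY:
            value = json.loads(raw.strip())  # assumption: the last occurrence is used
    return value

def audit_auth_setting(setting):
    """Return human-readable findings for one parsed setting."""
    findings = []
    host = str(setting.get("hostname", ""))
    if not host or host.startswith("<"):
        findings.append("hostname is empty or still a placeholder")
    if str(setting.get("port")) != "8089":
        findings.append("port differs from 8089, the port this page uses")
    for flag, role in (("allowSplunkUserRole", "user"),
                       ("allowSplunkAdminRole", "admin")):
        val = setting.get(flag, False)  # assumption: a missing flag means false
        if not isinstance(val, bool):
            findings.append(f"{flag} is not a JSON boolean")
        elif val:
            findings.append(f"{flag} is true: Splunk accounts with the "
                            f"{role} role can log in to Splunk UBA")
    return findings

def unmapped_uba_roles(uba_roles, splunk_roles):
    """UBA roles that have no same-named Splunk role (case-insensitive)."""
    have = {r.lower() for r in splunk_roles}
    return sorted(r for r in uba_roles if r.lower() not in have)

# Constructed sample input, not taken from a real deployment.
SAMPLE = '''# uba-site.properties (constructed sample)
ui.splunk.authentication={"hostname": "<SplunkServer>", "port": "8089", "allowSplunkUserRole": true, "allowSplunkAdminRole": "false"}
'''

if __name__ == "__main__":
    for finding in audit_auth_setting(read_auth_setting(SAMPLE)):
        print("FINDING:", finding)
    print("Unmapped:", unmapped_uba_roles(REQUIRED_ROLES, ["uba_user", "UBA_Admin"]))
```

On the sample, the audit reports the placeholder host name, the widened user access, and the quoted "false", which is a string rather than a JSON boolean.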
Last modified on 03 December, 2020

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0

