Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Configure single sign-on authentication for Splunk Phantom

Splunk Phantom supports using Single sign-on (SSO) to authenticate Splunk Phantom users.

Single sign-on (SSO) systems allow users to authenticate once, then use multiple distinct services or applications without reauthenticating to each one. SSO systems rely on an identity provider, such as an LDAP directory, to authenticate the user, then provide an authentication token that applications such as Splunk Phantom use to log the user in. For an overview of single sign-on, see the Single sign-on article on Wikipedia.

Splunk Phantom supports any combination of local users and SSO users for your deployment, any combination of SSO providers, and multiple instances of any provider type.

You can configure SSO in Splunk Phantom with the following identity providers:

  • LDAP
  • OpenID
  • SAML2

Configure SSO authentication using LDAP

To configure SSO authentication using LDAP as the identity provider, do the following steps:

  1. From the Main Menu, select Administration.
  2. Select Users Management.
  3. Select Authentication.
  4. LDAP is selected by default. Toggle the switch in the LDAP field to ON to enable LDAP configuration.
  5. Complete the fields to configure SSO authentication using LDAP:
    Active: Use this checkbox in conjunction with Add Another at the bottom of the page. You can have multiple LDAP servers, and the Active checkbox determines which ones Splunk Phantom uses for authentication. The toggle in the LDAP field enables LDAP authentication for all servers that are marked Active.
    If there are multiple LDAP servers, Splunk Phantom searches them in random order for a match on the username. If the same username exists on more than one server, the first match is used. If that match is for a different user than the one attempting to log in, authentication fails, so keep usernames unique across the servers you mark Active.
    Require TLS/SSL encryption: Determines whether secure LDAP connections are required. Enable TLS/SSL encryption to have the server certificate checked against the Splunk Phantom certificate store; without it, the bind password and directory queries travel in clear text. See Manage Splunk Phantom's certificate store.
    Provider Name: The name of the SSO provider. Specify a unique name to easily identify this provider.
    Server: The DNS name or IP address of your AD/LDAP server, without http:// or https://. If you plan to use TLS/SSL, you must supply a DNS name that matches the server certificate.
    Domain: The domain name of your organization, such as corp.yourorganization.com. This value is used as part of the LDAP query.
    Bind Username: The username used to authenticate to the LDAP server. Ideally this is a service account created specifically for this purpose, not one belonging to a human user. A dedicated account lets you grant it only the permissions it needs, exempt it from account expiration, and apply other protective measures to track how it is used. If the account is set to expire or requires a password change, handle these tasks manually and update the Splunk Phantom settings to match. The account must be able to query LDAP users and their properties.
    Password: The password for the Bind Username.
    Test User: The username of an active user who would typically log in to Splunk Phantom. Use this to verify that user search is working correctly.
    Test Group: The name of a group of which the Test User is a member. Use this to confirm that the group mapping will work. Leave this field blank if you are not using group mapping.
    Manage password using Thycotic Secret Server: Manage the bind credentials using Thycotic Secret Server. If this is checked, you must also provide the Folder, Key, and Thycotic FieldName values. See Manage your organization's credentials with a password vault.
  6. Click Test Authentication to verify that Splunk Phantom can connect to and query the LDAP server. If the test succeeds, your LDAP settings are saved automatically. Alternatively, click Save Changes to save the settings without testing them.

Some LDAP provider-specific things to watch for:

  • On Microsoft Active Directory LDAP servers, user authentication uses the email-like (user principal name) form of the username, such as ldap-client@splunk.com: the username is appended with the domain name.
  • You may need to enter Advanced settings for non-Microsoft LDAP servers. Consult the manual for the LDAP software your organization uses.

If you need additional assistance, contact Phantom Support. See Where to get help.

LDAP provider names must be unique. Using multiple LDAP providers with the same name is not supported.

Configure group mappings for LDAP SSO authentication

Configure a group mapping to map an LDAP group such as Incident Response to a Splunk Phantom role such as Automation Engineer. Doing so enables you to automatically use your LDAP groups to determine who can log into Splunk Phantom and which actions each user is able to perform after they log in. Click Add Mappings to create a new mapping. You can configure multiple mappings.

Each LDAP user must belong to at least one mapped group to be able to log in to Splunk Phantom without an administrator manually creating the user account in Splunk Phantom.

Role mapping is done at login time, meaning that if the Splunk Phantom administrator changes a role mapping that would affect a logged-in user, then that user will retain the old role(s) until they log out and log back in again.

Configure external attribute mapping for LDAP SSO authentication

In some cases you may need to specifically call out external attributes which should be mapped to Splunk Phantom user attributes. Click Add Mapping to select a Splunk Phantom user attribute to map, then use the text field to enter the name of the attribute found in your LDAP user's profile.
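The multi-server lookup, first-match rule, group mapping and attribute mapping described above, modelled in Python as an added example (this is not Splunk Phantom's code; the server names, domains, directory entries, group names, roles and attribute names are constructed, and the bind identity for non-AD servers is assumed to be the bare username). It shows why a username duplicated across Active servers can fail to log in, and why a user with no mapped group is refused:

```python
"""Model of the LDAP login flow described on this page: look up the username on
each Active server in random order, bind as the first match, then derive Splunk
Phantom roles and attributes from the configured mappings.
Added example, not Splunk Phantom's own code. Server names, domains, directory
entries, group names, roles and attribute names below are constructed."""
import random
from dataclasses import dataclass


@dataclass
class LdapServer:
    """One server entry from the Authentication page. `users` stands in for the
    directory: username -> (password, groups, attributes). Constructed data."""
    name: str
    domain: str
    active_directory: bool
    users: dict
    active: bool = True


def bind_identity(server, username):
    """Active Directory takes the email-like user@domain form (see above);
    other servers are assumed here to bind with the bare username."""
    return f"{username}@{server.domain}" if server.active_directory else username


def authenticate(servers, username, password, shuffle=random.shuffle):
    """Return (server, entry) on a successful bind, else None.

    Active servers are searched in random order and the login binds against the
    FIRST server where the username exists. A duplicate username on another
    server can therefore make an otherwise valid login fail. `shuffle` is
    injectable so the search order can be fixed in tests."""
    order = [s for s in servers if s.active]
    shuffle(order)
    for server in order:
        entry = server.users.get(username)
        if entry is None:
            continue  # not on this server, keep searching
        stored_password, _groups, _attrs = entry
        # First match wins: a password mismatch here ends the attempt even if
        # another server also holds this username with the right password.
        return (server, entry) if stored_password == password else None
    return None


def map_roles(groups, group_mappings):
    """Apply group -> roles mappings; order-preserving, no duplicates."""
    roles = []
    for group in groups:
        for role in group_mappings.get(group, ()):
            if role not in roles:
                roles.append(role)
    return roles


def map_attributes(attrs, attribute_mappings):
    """Apply Phantom attribute -> LDAP attribute mappings (e.g. email <- mail)."""
    return {phantom: attrs.get(ldap) for phantom, ldap in attribute_mappings.items()}


def login(servers, username, password, group_mappings, attribute_mappings,
          shuffle=random.shuffle):
    """Bind, then role mapping. A user whose groups map to no role is refused,
    because no Phantom account exists for them unless one was created manually."""
    result = authenticate(servers, username, password, shuffle)
    if result is None:
        return {"ok": False, "reason": "bind failed"}
    server, (_password, groups, attrs) = result
    roles = map_roles(groups, group_mappings)
    if not roles:
        return {"ok": False, "reason": "no group mapping"}
    return {"ok": True, "server": server.name, "roles": roles,
            "attributes": map_attributes(attrs, attribute_mappings)}


# Constructed directories: "alice" exists on both servers with different passwords.
CORP_AD = LdapServer("corp-ad", "corp.example.com", True, {
    "alice": ("Wint3r!", ["Incident Response"],
              {"mail": "alice@corp.example.com", "givenName": "Alice"}),
    "bob": ("s3cret", ["Helpdesk"], {"mail": "bob@corp.example.com"}),
})
LAB_LDAP = LdapServer("lab-openldap", "lab.example.com", False, {
    "alice": ("different", ["Lab Users"], {"mail": "alice@lab.example.com"}),
})
SERVERS = [CORP_AD, LAB_LDAP]
GROUP_MAPPINGS = {"Incident Response": ["Automation Engineer"], "Lab Users": ["Observer"]}
ATTRIBUTE_MAPPINGS = {"email": "mail", "first_name": "givenName"}


def keep_order(servers):      # corp-ad is searched first
    pass


def reverse_order(servers):   # lab-openldap is searched first
    servers.reverse()


if __name__ == "__main__":
    for user, pw, order in [("alice", "Wint3r!", keep_order),
                            ("alice", "Wint3r!", reverse_order),
                            ("bob", "s3cret", keep_order)]:
        print(user, login(SERVERS, user, pw, GROUP_MAPPINGS, ATTRIBUTE_MAPPINGS, order))
```

Run it directly to see the three outcomes: alice logs in when corp-ad is searched first; the same credentials fail when lab-openldap is searched first, because the lab copy of alice is matched and its password does not match; and bob is refused because Helpdesk maps to no role. Test Authentication with a Test User and Test Group exercises the first two steps of this flow against the real directory.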

Configure SSO authentication using SAML2

To configure SSO authentication using SAML2 as the identity provider, perform the following tasks:

  1. From the Main Menu, select Administration.
  2. Select Users > Authentication.
  3. Click SAML2.
  4. Click the toggle in the SAML2 field to enable SAML2 configuration.
  5. Complete the fields to configure SSO authentication using SAML2:
    Active: Use this checkbox in conjunction with Add Another at the bottom of the page. You can have multiple SAML2 providers, and the Active checkbox determines which ones Splunk Phantom uses for authentication. The toggle in the SAML2 field enables SAML2 authentication for all providers that are marked Active.
    If there are multiple SAML2 providers, Splunk Phantom searches them in random order for a match on the username. If the same username exists with more than one provider, the first match is used. If that match is for a different user than the one attempting to log in, authentication fails.
    Require TLS/SSL encryption: Determines whether encrypted connections are required. Enable TLS/SSL encryption to have the server certificate checked against the Splunk Phantom certificate store. See Manage Splunk Phantom's certificate store.
    Provider Name: The name of the SSO provider. Specify a unique name to easily identify this provider.
    Single sign-on URL: The identity provider URL that users are directed to for logging in.
    Issuer ID: The unique identifier of the identity provider, as published in its metadata.
    Metadata URL: The URL hosted by your identity provider containing its configuration (endpoints and signing certificate). If you specify a valid Metadata URL, you can leave the Metadata XML field blank.
    Metadata XML: XML containing the provider configuration. If you specify valid XML in this field, you can leave the Metadata URL field blank.
    Phantom Base URL: The URL used to redirect users back to Splunk Phantom. This URL must be reachable by users trying to log in.
    Advanced Settings: Click Advanced to configure the following advanced settings:
    • Select Response Signed to require a signed SAML response from the identity provider.
    • Select Request Signed to sign the authentication requests that Splunk Phantom sends to the identity provider.
    • Select Assertion Signed to require a signed assertion containing the user attributes from the identity provider. Require at least one of Response Signed or Assertion Signed; an unsigned assertion cannot be tied to the identity provider, so its attributes cannot be trusted.
    • Type an EntityID/Audience to configure an entity ID for the service provider. This is used when defining the audience restriction on the identity provider. This field is required.
    • Type a Group Key to identify the group membership data within the attributes passed back from the identity provider. Also specify a Group Delimiter if groups are passed back as a single element with a delimiter, instead of separate attribute values.
    • Configure Groups. See Configure group mappings for LDAP SSO authentication for more information about group mapping.
    • Configure External Attributes. See Configure external attribute mapping for LDAP SSO authentication for more information about external attribute mapping. If a user name mapping is not provided in the assertion, Splunk Phantom defaults to the value of the NameID element.
  6. Click Save Changes.
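The checks that the Advanced settings above ask for, applied to a SAML assertion, as an added example (not Splunk Phantom's code): audience restriction against the configured EntityID/Audience, the validity window, NameID as the default username, and group extraction with Group Key and Group Delimiter. The assertion, entity IDs, attribute names and timestamps are constructed. XML signature verification is deliberately not implemented here, only the presence of a ds:Signature element is checked, so a real deployment still relies on the xmlsec-backed verification inside the SAML library, using the certificate from the identity provider's metadata.

```python
"""Checks on a SAML 2.0 assertion that correspond to the Advanced settings above:
audience restriction, validity window, NameID as the default username, and group
extraction via Group Key / Group Delimiter. Added example, not Splunk Phantom's
own code. The assertion XML, entity IDs, attribute names and timestamps are
constructed. Signature verification is NOT done here: only the presence of a
ds:Signature element is checked; verify it with an xmlsec-backed SAML library."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

SP_ENTITY_ID = "https://phantom.example.com/saml/sp"            # configured EntityID/Audience
LOGIN_TIME = datetime(2021, 1, 19, 10, 1, tzinfo=timezone.utc)  # inside the window below
LATE_TIME = datetime(2021, 1, 19, 10, 6, tzinfo=timezone.utc)   # after NotOnOrAfter

# Constructed assertion as an identity provider might return it. Groups arrive as one
# delimited value, the case the Group Delimiter setting exists for. No signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2021-01-19T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-01-19T09:59:00Z" NotOnOrAfter="2021-01-19T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://phantom.example.com/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Incident Response;SOC Analysts</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def attributes(root):
    """Attribute Name -> list of values from the AttributeStatement."""
    out = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return out


def validate_assertion(xml_text, entity_id, now, group_key, group_delimiter=None,
                       username_key=None, require_signed=True):
    """Return {"username", "groups", "attributes"} or raise ValueError."""
    root = ET.fromstring(xml_text)
    if require_signed and root.find("ds:Signature", NS) is None:
        raise ValueError("assertion is not signed")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    # Audience check: an assertion issued for another service provider must not log
    # anyone into Splunk Phantom, even if it is otherwise valid.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        raise ValueError(f"audience {audiences} does not include {entity_id}")
    attrs = attributes(root)
    raw_groups = attrs.get(group_key, [])
    if group_delimiter:
        groups = [g.strip() for v in raw_groups for g in v.split(group_delimiter) if g.strip()]
    else:
        groups = raw_groups
    # Username comes from the mapped attribute if present, otherwise from NameID.
    username = (attrs[username_key][0] if username_key and attrs.get(username_key)
                else root.findtext("saml:Subject/saml:NameID", namespaces=NS))
    return {"username": username, "groups": groups, "attributes": attrs}


def is_rejected(xml_text, **overrides):
    """True if validation raises for the sample settings plus overrides."""
    kwargs = {"entity_id": SP_ENTITY_ID, "now": LOGIN_TIME, "group_key": "memberOf",
              "group_delimiter": ";", "require_signed": False, **overrides}
    try:
        validate_assertion(xml_text, **kwargs)
    except ValueError:
        return True
    return False
```

Because the constructed assertion carries no signature, the happy-path calls pass require_signed=False; with the default of True it is rejected, which is the behaviour Assertion Signed should give you in production. Response Signed and Assertion Signed are what bind the attributes to the identity provider; the audience check stops an assertion issued for another service provider from being replayed against Splunk Phantom.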

Configure SSO authentication using OpenID

To configure SSO authentication using OpenID as the identity provider, perform the following tasks:

  1. From the Main Menu, select Administration.
  2. Select Users > Authentication.
  3. Click OpenID.
  4. Click the toggle in the OpenID field to enable OpenID configuration.
  5. Complete the fields to configure SSO authentication using OpenID:
    Active: Use this checkbox in conjunction with Add Another at the bottom of the page. You can have multiple OpenID providers, and the Active checkbox determines which ones Splunk Phantom uses for authentication. The toggle in the OpenID field enables OpenID authentication for all providers that are marked Active.
    If there are multiple OpenID providers, Splunk Phantom searches them in random order for a match on the username. If the same username exists with more than one provider, the first match is used. If that match is for a different user than the one attempting to log in, authentication fails.
    Require TLS/SSL encryption: Determines whether encrypted connections are required. Enable TLS/SSL encryption to have the server certificate checked against the Splunk Phantom certificate store. See Manage Splunk Phantom's certificate store.
    Provider Name: The name of the SSO provider. Specify a unique name to easily identify this provider.
    Issuer: The base URL of your OpenID Connect provider. Splunk Phantom configures itself from the discovery document located at <issuer>/.well-known/openid-configuration.
    Client ID: The client identifier your OpenID provider assigned to Splunk Phantom when you registered it as a client.
    Client Secret: The client secret your OpenID provider assigned to Splunk Phantom.
    Phantom Base URL: The URL used to redirect users back to Splunk Phantom. This URL must be reachable by users trying to log in.
    Advanced Settings: Click Advanced to configure the following advanced settings:
    • Enter Scopes to include custom scopes or to limit the scopes that Splunk Phantom requests. The openid scope is required.
    • Set the Token Auth Method to client_secret_post or private_key_jwt, to match how your identity provider expects Splunk Phantom to authenticate to its token endpoint.
    • Specify a Resource Identifier if a specific resource other than the default userinfo endpoint is required to obtain user data.
    • Enter a Group Key to identify the group membership data within the attributes passed back from the identity provider. Also specify a Group Delimiter if groups are passed back as a single element with a delimiter, instead of separate attribute values.
    • Configure Groups. See Configure group mappings for LDAP SSO authentication for more information about group mapping.
    • Configure External Attributes. See Configure external attribute mapping for LDAP SSO authentication for more information about external attribute mapping.
  6. Click Save Changes.
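The OpenID Connect exchange behind these settings, as an added example (not Splunk Phantom's code): deriving the discovery URL from Issuer, building the authorization request from Scopes with a state and nonce, the token-endpoint body for client_secret_post, and ID token validation followed by group extraction via Group Key and Group Delimiter. The issuer, client credentials, callback path and token are constructed. The sample token is HS256-signed with the client secret, which OpenID Connect Core allows for confidential clients, so it can be created offline; most providers sign with RS256, and the verifier then uses the keys published at the discovery document's jwks_uri instead of the client secret.

```python
"""OpenID Connect mechanics behind the settings above: discovery URL from Issuer,
authorization request from Scopes, client_secret_post token request body, and ID
token validation (signature, iss, aud, exp, nonce) plus group extraction via
Group Key / Group Delimiter. Added example, not Splunk Phantom's own code. The
issuer, client credentials, callback path and token are constructed; the token is
HS256-signed with the client secret so it can be produced offline (providers
normally use RS256, verified against the keys at the discovery document's jwks_uri)."""
import base64, hashlib, hmac, json
from urllib.parse import urlencode


def discovery_url(issuer):
    # <issuer>/.well-known/openid-configuration. The token's iss claim must equal the
    # configured Issuer exactly; trailing-slash differences are a mismatch.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def authorization_request(authorization_endpoint, client_id, redirect_uri, scopes, state, nonce):
    """Authorization code flow request. state ties the callback to this browser
    session; nonce ties the ID token to this request (replay protection)."""
    scope_list = scopes.split()
    if "openid" not in scope_list:
        raise ValueError("the openid scope is required")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scope_list), "state": state, "nonce": nonce}
    return authorization_endpoint + "?" + urlencode(params)


def token_request_body(code, client_id, client_secret, redirect_uri, method="client_secret_post"):
    # client_secret_post sends the secret in the form body. private_key_jwt would instead
    # add a client_assertion signed with the client's private key (asymmetric signer not shown).
    if method != "client_secret_post":
        raise NotImplementedError("only client_secret_post is implemented in this example")
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, client_secret):
    """Build a compact JWT the way a provider using HS256 would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token, client_secret, issuer, client_id, expected_nonce, now,
                    group_key, group_delimiter=None):
    """Validate the ID token; return {"subject", "groups", "claims"} or raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    raw = claims.get(group_key, [])
    raw = [raw] if isinstance(raw, str) else raw
    groups = [g.strip() for value in raw
              for g in (value.split(group_delimiter) if group_delimiter else [value]) if g.strip()]
    return {"subject": claims["sub"], "groups": groups, "claims": claims}


# Constructed provider registration and a token it might issue after login.
ISSUER = "https://login.example.com"
CLIENT_ID = "phantom-soar"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://phantom.example.com/sso/openid/callback"  # assumed callback path
NONCE = "n-7f3a"
LOGIN_TIME = 1611050400  # 2021-01-19T10:00:00Z
SAMPLE_ID_TOKEN = sign_hs256({
    "iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": LOGIN_TIME,
    "exp": LOGIN_TIME + 300, "nonce": NONCE, "email": "alice@example.com",
    "groups": "Incident Response;SOC Analysts"}, CLIENT_SECRET)


def is_rejected(token, **overrides):
    """True if verify_id_token raises for the sample settings plus overrides."""
    kwargs = {"client_secret": CLIENT_SECRET, "issuer": ISSUER, "client_id": CLIENT_ID,
              "expected_nonce": NONCE, "now": LOGIN_TIME, "group_key": "groups",
              "group_delimiter": ";", **overrides}
    try:
        verify_id_token(token, **kwargs)
    except ValueError:
        return True
    return False
```

is_rejected exercises the failures a verifier must catch: a wrong secret (forged token), an expired exp, a nonce from a different request (replay), an aud for another client, and an iss that differs only by a trailing slash. private_key_jwt is not implemented because it needs an asymmetric signer; with that method no shared secret is sent to the token endpoint, which is the reason to prefer it when the provider supports it.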
Last modified on 19 January, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

