Set up a SAML Integration to Splunk Cloud Services in Microsoft Azure Active Directory

Splunk Cloud Services (SCS) can use Microsoft Azure Active Directory (AD) for authentication and authorization through the Security Assertion Markup Language (SAML) protocol. To establish this connection, you configure both sides: an enterprise application in the Azure AD portal, and the SAML Configuration page in Splunk Cloud Console.

You must create a SAML application in Azure that SCS can use to perform authentication and authorization. After you create the application and configure SCS to recognize it, Azure authenticates your users and issues signed SAML assertions for the application. SCS verifies those signatures with the certificate that Azure provides, and grants users access to SCS and its resources based on the claims in the assertions.

The SAML integration happens in four procedures that alternate between the SCS and Azure configuration pages:

  1. Retrieve the Assertion Consumer Service (ACS) URL and Audience URI from SCS
  2. Create a SAML application in Microsoft Azure for integration with SCS
  3. Retrieve the Identity Provider Single Sign-On URL and public certificate for configuring the SCS-to-Azure SAML application connection
  4. Configure the connection from SCS to the SAML application in Azure using Splunk Cloud Console

Because the procedures alternate between the two consoles, keep the SCS and Azure configuration pages open at the same time in separate browser windows or tabs.

Retrieve the Assertion Consumer Service (ACS) URL and Audience URI from Splunk Cloud Console in preparation for configuring the SAML application in Microsoft Azure

Before SCS can communicate with Azure for authentication and authorization, you must register a SAML application in Azure with which Splunk Cloud Services (SCS) will interface. To create the application, you must provide Azure with two values that you can only get from SCS: the Assertion Consumer Service (ACS) URL and the Audience URI.

Both values are available in the SAML Configuration screen in Splunk Cloud Console. You enter them when you register the app in Azure. After you set up the app, Azure provides the information that you need to complete the SCS-to-Azure connection in Splunk Cloud Console.

  1. Sign into Splunk Cloud Console as a user with administrator privileges.
  2. Click Settings.
  3. Click SAML Configuration.
  4. Review the fields in the 1. IdP SAML Configuration section.
    • The ACS URL (Single Sign-on) is the value you will enter in the Reply URL (Assertion Consumer Service URL) field of the Basic SAML Configuration pop-up in Azure. It is the endpoint to which Azure posts SAML responses.
    • The Audience URI (SP Entity ID) is the value you will enter in the Identifier (Entity ID) field of the same pop-up. It identifies SCS as the intended audience of each assertion.
  5. Copy or write down both values. You will supply them to Azure in the next procedure.

Create a SAML application in Microsoft Azure for Integration with Splunk Cloud Services

Before SCS can use Azure as an identity provider for authentication and authorization, you must add an app in Azure Active Directory with which SCS can communicate. After you add the app, Azure authenticates your users against the tenant and sends SCS signed SAML assertions that carry their identity claims. SCS grants access to its services based on the claims it receives from the app.

These instructions make the following assumptions:

  • You have already configured users for your Azure AD tenant.
  • You have already configured Azure as a SAML 2.0 provider.

For instructions on how to configure Azure as a SAML 2.0 provider and register a new SAML application there, see Configure a SAML 2.0 provider for portals with Azure AD.

Confirm that you have administrative access to the Microsoft Azure AD tenant for which you want to create the SAML application. If you don't have this access, pages that this procedure describes might not appear or be available to you.

  1. Sign in to Azure as a user with administrator privileges.
  2. Under Manage Azure Active Directory, click View.
  3. Confirm that you are in the Azure tenant in which you want to create the app.
  4. Under Manage, click Enterprise applications.
  5. On the Enterprise Applications page, click New Application.
  6. On the Browse Azure AD Gallery page, click Create your own application.
  7. In the Create Your Own Application pop-up that appears, in the What's the name of your app? field, enter the name that you want to give the app.
  8. For the What are you looking to do with your application? radio buttons, select Integrate any other application you don't find in the gallery (Non-gallery).
  9. Click Create. Azure creates the application and loads the application properties page.
  10. On this page, under Manage, click Single Sign-on.
  11. Under Select a single sign-on method, click SAML. The "SAML-based Sign-on" page appears.
  12. On the Set up Single Sign-on with SAML section, in the 1. Basic SAML Configuration box, click Edit.
  13. In the Basic SAML Configuration pop-up that appears:
    1. In the Identifier (Entity ID) field, type or paste in the value you got from the Audience URI (SP Entity ID) field in the Splunk Cloud Console SAML settings page.
    2. After you enter this value, a Default checkbox appears on that line. Select the checkbox.
    3. In the Reply URL (Assertion Consumer Service URL) field, type or paste in the value you got from the ACS URL (Single Sign-on) field in the Splunk Cloud Console SAML settings page.
    4. After you enter this value, a Default checkbox appears on that line. Select the checkbox.
    5. Leave all other fields on this page empty.
    6. Click Save.
    7. Click the X to close the pop-up.
  14. In the 2. User Attributes and Claims box, click Edit.
  15. In the User Attributes and Claims page that appears:
    1. Review the Required Claims and Additional Claims. Microsoft creates claims for the following attributes, which you supply to Splunk Cloud Console in the "Configure the connection from SCS to the SAML application in Azure using Splunk Cloud Console" procedure, as described later in this topic. Each claim is identified by its full URI; that URI is the Claim Name.

       Claim Name                                                           Value
       http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress   user.mail
       http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname      user.givenname
       http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname        user.surname
    2. Click the X to close the page.

Retrieve the Identity Provider Single Sign-On URL and public certificate for configuring the SCS-to-Azure SAML application connection

When you created the SAML application in Azure with which SCS will interface, you pasted in the Assertion Consumer Service (ACS) URL and Audience URI from SCS. Azure uses those values to address its SAML responses to SCS. Azure also assigned the application an Identity Provider Single Sign-on URL (the Login URL), an Azure AD Identifier (the identity provider's entity ID), and a signing certificate that SCS uses to verify the assertions Azure signs.

Now that you have set up the application in Azure, you must retrieve the Login URL, the Azure AD Identifier and the public certificate from there. You will use this information to complete the integration of SCS with your IdP from within Splunk Cloud Console.

  1. From the Enterprise Applications page in Azure, select the application you created. The application properties page for that application loads.
  2. Under Manage, click Single Sign-on.
  3. In the 3. SAML Signing Certificate box, click the Download link next to the Certificate (Base64) label. Your browser downloads the file. You will use this file in the next procedure. This is the certificate SCS uses to verify the signature on each assertion Azure issues, so note the Expiration shown in the same box: when you roll to a new certificate in Azure, you must paste the new one into Splunk Cloud Console, or sign-in fails.
  4. In the 4. Set up <your application> box, review the Login URL and Azure AD Identifier fields within the box.
    • The Login URL is the Single Sign-on Service URL that you will provide in the following procedure to complete SCS integration with the Azure SAML application in Splunk Cloud Console.
    • The Azure AD Identifier is the identity provider's entity ID. It appears as the Issuer of every response and assertion Azure sends, and SCS compares it against the value you configure.
  5. Either write down the Login URL and Azure AD Identifier values, or copy and paste the values to a text file. You will need these values in the following procedure.

Configure the connection from SCS to the SAML application in Azure using Splunk Cloud Console

After you configure the SAML application in Azure and retrieve the Identity Provider Single Sign-on URL and public certificate from there, you can then configure Splunk Cloud Services to use the Azure SAML application for authentication and authorization.

When you fill in at least one, but not all, of the required fields in the SAML Configuration dialog box, a Save button appears. This button lets you save your configuration progress, but does not enable the configuration. You can enable the configuration only after you supply all the required information.

  1. Log into Splunk Cloud Console.
  2. Click Settings.
  3. Click SAML Configuration.
  4. Leave all fields in the 1. IdP SAML Configuration section as they are.
  5. In 2. Splunk SAML configuration, type or paste the Login URL that you got in the previous procedure into the Single Sign-on Service field.
  6. Type or paste the Azure AD Identifier value into the field for the identity provider's issuer (entity ID). Do not enter it in the Single Sign-on Service field, which holds the Login URL; the two values are distinct and SCS checks each against a different part of the SAML response.
  7. In the Public Certificate field, paste the contents of the Certificate (Base64) file that you downloaded from the Azure SAML application setup screen.
  8. In the Map SAML Attributes section, in the Email Address field, type in the Claim Name for the user.mail value from the Required Claims and Additional Claims table in the SAML application setup procedure, as described earlier in this topic. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  9. In the First Name field, type in the Claim Name for the user.givenname value from the Required Claims and Additional Claims table.
  10. In the Last Name field, type in the Claim Name for the user.surname value from the Required Claims and Additional Claims table.
  11. After you have filled in all of the fields on the screen, the Enable configuration button appears. Click this button to validate and activate the SAML configuration. Keep this administrator session open in a separate browser window and confirm that a test user can sign in through Azure before you close it, so that a mistyped URL, identifier or certificate does not lock you out of Splunk Cloud Console.
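The values you carried between the two consoles are exactly the ones a SAML service provider checks on every response it receives. The following Python is an added example, not code from the Splunk documentation, Splunk Cloud Services or Microsoft: it validates a constructed Azure AD style SAML Response against an ACS URL, an Audience URI and an Azure AD Identifier, and maps the three claim URIs from the User Attributes and Claims table in the Azure procedure above to the Email Address, First Name and Last Name fields of the Map SAML Attributes section. All URLs, the tenant ID, the user and the XML are constructed. Signature verification against the downloaded Base64 certificate is deliberately left out because the Python standard library has no XML-DSig support; in a real service provider that check comes first, and without it nothing below can be trusted.

```python
# Added example (not Splunk or Microsoft code): the checks a SAML service provider such
# as SCS makes on an Azure AD SAML Response, using the values this topic has you copy
# between the two consoles. URLs, tenant ID, user and XML are all constructed.
# Signature verification over the downloaded certificate needs an XML-DSig library and
# is not shown; without it, none of the checks below is sufficient on its own.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Azure's default claim URIs (User Attributes and Claims page), keyed by the Splunk
# Cloud Console Map SAML Attributes field each one fills.
CLAIM_MAP = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}

# Constructed stand-ins for the values exchanged between the consoles.
CONFIG = {
    "acs_url": "https://example.scs.splunk.test/saml/acs",        # ACS URL (Single Sign-on), assumed
    "audience": "https://example.scs.splunk.test/saml/metadata",  # Audience URI (SP Entity ID), assumed
    # Azure AD Identifier; a real tenant's has the form https://sts.windows.net/<tenant ID>/
    "idp_issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
}

# Constructed SAML Response shaped like the one Azure posts to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2021-09-23T10:00:00.000Z" Destination="{CONFIG['acs_url']}">
  <saml:Issuer>{CONFIG['idp_issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-09-23T10:00:00.000Z">
    <saml:Issuer>{CONFIG['idp_issuer']}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2021-09-23T10:05:00Z" Recipient="{CONFIG['acs_url']}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2021-09-23T09:55:00.0000000Z" NotOnOrAfter="2021-09-23T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{CONFIG['audience']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM_MAP['email']}"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_MAP['first_name']}"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_MAP['last_name']}"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
NOW = datetime(2021, 9, 23, 10, 1, tzinfo=timezone.utc)  # constructed clock, inside the validity window

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z$")

def _ts(value):
    """Parse a SAML UTC xs:dateTime; Azure's fractional seconds are dropped. Fails closed if absent."""
    m = _TS.match(value or "")
    if not m:
        raise ValueError(f"missing or malformed timestamp: {value!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def validate_response(xml_text, config, claim_map, now):
    """Validate one SAML Response and return the user fields mapped per claim_map.
    Raises ValueError naming the first check that fails."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    # Destination must be this SP's ACS URL (the Reply URL entered in Azure).
    if root.get("Destination") != config["acs_url"]:
        raise ValueError("Destination does not match the ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # EncryptedAssertion is not handled by this example
        raise ValueError("expected exactly one plaintext Assertion")
    a = assertions[0]
    # Both Issuer elements must equal the Azure AD Identifier configured as the IdP entity ID.
    for issuer in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != config["idp_issuer"]:
            raise ValueError("Issuer does not match the Azure AD Identifier")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion has no Conditions or is outside its validity window")
    # The Audience must name this SP's Audience URI (the Identifier set in Azure).
    audiences = [(x.text or "").strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["audience"] not in audiences:
        raise ValueError("AudienceRestriction does not include the Audience URI")
    # Bearer confirmation must be addressed to the ACS URL and still be live.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"] or now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("SubjectConfirmationData rejected")
    # Map the claim URIs to the SP's user fields; each must be present exactly once.
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    user = {}
    for field, uri in claim_map.items():
        values = attrs.get(uri, [])
        if len(values) != 1 or not values[0]:
            raise ValueError(f"claim {uri} for {field} is missing, empty or multi-valued")
        user[field] = values[0]
    return user
```

Each mismatch is a distinct failure, which is also how to read a sign-in that fails after you click Enable configuration: a Destination mismatch points at the Reply URL you entered in Azure, an Audience mismatch at the Identifier (Entity ID), an Issuer mismatch at the Azure AD Identifier you pasted into Splunk Cloud Console, and a missing claim at a claim URI typed incorrectly into Map SAML Attributes.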

Enable JIT provisioning

You can enable just-in-time (JIT) provisioning so that you do not need to send each user a manual invitation to join your tenant; an account is created the first time a user signs in through the identity provider. Inviting users manually still works without JIT provisioning, but you must complete an identity provider integration before JIT provisioning can work.

Last modified on 23 September, 2021
This documentation applies to the following versions of Splunk® Cloud Services: current