Splunk supports the use of an identity provider (IdP) of your choosing to perform single sign-on (SSO) authentication and authorization functions for access to Splunk Cloud Services (SCS) resources. Splunk provides this support through the Security Assertion Markup Language (SAML) version 2.0 protocol.
Because each identity provider has its own way of accepting inbound communication for authentication and authorization of users, SCS cannot communicate with identity providers natively. Instead, SCS uses the SAML protocol to communicate with IdPs that also use SAML.
You can connect SCS to your IdP using the Splunk Cloud Console and the configuration website for the IdP you use. Each IdP has its own procedure for enabling an application through which SCS connects to perform authentication and authorization.
While this site provides some instruction around configuring your IdP to enable a SAML application, the documentation for your IdP is always the best place to get the latest IdP configuration information.
Just-in-time provisioning to join users to your tenant automatically
As part of integrating SCS to an IdP, you can enable what is known as just-in-time (JIT) provisioning for your tenant. JIT provisioning lets you automatically bring users from your Identity Provider into your tenant when they first log in. When JIT provisioning is active, Splunk Cloud Services assigns users to the groups that you specify in the JIT Provisioning section of the IdP integration page. You won't have to manually invite them to the tenant for them to access it.
As JIT is a method of provisioning access rather than an invitation, users won't receive an email when you enable JIT provisioning. They instead will receive access based on the groups you assign to them in the JIT provisioning section.
You do not have to turn on JIT provisioning to invite users to your tenant, but you do have to configure an IdP integration with SCS for JIT provisioning to work. See "Enable JIT provisioning" in this topic for instructions.
Configure an integration between SCS and your identity provider
Splunk provides identity provider integration procedures with SCS for the following IdPs for authentication and authorization.
While the instructions are specific to these IdPs, you can perform similar steps for any IdP that supports the SAML version 2.0 protocol.
Enable JIT provisioning
During integration, or after you integrate your IdP with Splunk Cloud Services, you can enable JIT provisioning so that users who log in to Splunk Cloud Services for the first time get access to your tenant immediately.
You must have already configured an IdP for this feature to work. The feature adds the user to the groups that you specify in the JIT provisioning section of the SAML Configuration page.
- Log in to Splunk Cloud Services as an administrator of your tenant, if you have not already.
- In the Splunk Cloud Console system bar, click the button with three dots, then click Settings.
- Click the SAML Configuration tab.
- Complete the IdP configuration in the 2. Splunk SAML Configuration section, if you have not already.
- In the 3. JIT Provisioning section, click the button next to Disabled. The text changes to Enabled and the Available groups and Assigned groups list boxes appear.
- (Optional) You can filter the groups by typing text into the Filter Groups field in the "Available groups" list box. The list then shows only the groups whose names contain the text you enter.
- In the Available groups list box, choose the groups from the list that you want users to be members of in your tenant immediately after they log in. The groups you choose move to the Selected groups list box.
- If you have already entered your IdP configuration in the 2. Splunk SAML Configuration section, click the Enable configuration button. Otherwise, click Save to save the JIT provisioning information and any other IdP configuration information you might have entered so far.
This documentation applies to the following versions of Splunk® Cloud Services: current