Set up a SAML Integration to Splunk Cloud Services in Microsoft Entra ID
Splunk Cloud Services (SCS) can communicate with Microsoft Entra ID for authentication and authorization using the Security Assertion Markup Language (SAML) protocol. To establish this communication, you must connect SCS to Microsoft Entra ID by using the Entra ID configuration web page in Microsoft Entra ID and the Splunk Cloud Console configuration web page in SCS.
You must configure a SAML application in Entra ID that SCS can then use to perform authentication and authorization. After you create the SAML application and configure SCS to recognize it, SCS uses the signing certificate that Entra ID provides for the application to verify the SAML assertions it receives, and uses the claims in those assertions to validate user access to SCS and its resources.
The SAML integration happens in four procedures in both the SCS and Entra ID configuration pages:
- In SCS, retrieve the Assertion Consumer Services (ACS) URL and Audience URI.
- In Microsoft Entra ID, create a SAML application for integration with SCS.
- In Microsoft Entra ID, retrieve the Identity Provider Single Sign-On URL and public certificate for configuring the SCS-to-Entra ID SAML application connection.
- In SCS, configure the connection from SCS to the SAML application in Entra ID.
You might want to open several browser windows, with at least one window open to both configuration pages in SCS and Microsoft Entra ID, to more easily facilitate the integration process.
Retrieve the Assertion Consumer Service (ACS) URL and Audience URI from Splunk Cloud Console in preparation for configuring the SAML application in Microsoft Entra ID
Before SCS can communicate with Entra ID for authentication and authorization, you must register a SAML application in Entra ID through which Splunk Cloud Services (SCS) will interface.
To create the application, you must provide information to Entra ID that you can only get from SCS: the Assertion Consumer Service URL and Audience URI. The SAML Settings screen in Splunk Cloud Console provides this information.
When you register the app in Entra ID, you will provide this information. After you set up the app, Entra ID then provides you information that you need to complete the SCS-to-Entra ID connection in Splunk Cloud Console.
- Sign into Splunk Cloud Console as a user with administrator privileges.
- Click Settings.
- Click SAML Configuration.
- Review the fields in the 1. IdP SAML Configuration section.
- The ACS URL (Single Sign-on) field is the value you will provide as the Reply URL (Assertion Consumer Service URL) in the Basic SAML Configuration pop-up of the Entra ID application.
- The Audience URI (SP Entity ID) field is the value you will provide as the Identifier (Entity ID) in the same Basic SAML Configuration pop-up.
- Copy each value. You can click the button with overlaid squares to the right of each field to copy the value to your computer clipboard, then subsequently paste the values. You can paste the values into a text file, or directly into the appropriate fields in the Entra ID configuration page as part of the next procedure.
Create a SAML application in Microsoft Entra ID for Integration with Splunk Cloud Services
Before SCS can use Entra ID as an identity provider for authentication and authorization, you must create an enterprise application in Entra ID with which SCS can communicate. After you create the app, SCS relies on the SAML assertions that the app issues to identify users and grants access to SCS services based on the claims in those assertions.
These instructions make the following assumptions:
- You have already configured users for your Entra tenant.
- You have already configured Entra ID as a SAML 2.0 provider.
For the most up-to-date instructions on how to configure Entra ID as a SAML 2.0 provider and register a new SAML application there, see the Microsoft documentation topic "Configure a SAML 2.0 provider for portals with Entra ID".
Confirm that you have administrative access to the Microsoft Entra tenant for which you want to create the SAML application. If you don't have this access, pages that this procedure describes might not appear or be available to you.
- Sign in to Entra ID as a user with administrator privileges.
- Under Manage Microsoft Entra ID, click View.
- Confirm that you are in the Entra tenant in which you want to create the app.
- Under Manage, click Enterprise applications.
- On the Enterprise Applications page, click New Application.
- On the Browse Entra ID Gallery page, click Create your own application.
- In the Create Your Own Application pop-up that appears, in the What's the name of your app? field, enter the name that you want to give the app.
- For the What are you looking to do with your application? radio buttons, select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create. Entra ID creates the application and loads the application properties page.
- On this page, under Manage, click Single Sign-on.
- Under Select a single sign-on method, click SAML. The "SAML-based Sign-on" page appears.
- On the Set up Single Sign-on with SAML section, in the 1. Basic SAML Configuration box, click Edit.
- In the Basic SAML Configuration pop-up that appears:
- In the Identifier (Entity ID) field, type or paste in the value that you got from the Audience URI (SP Entity ID) field in the Splunk Cloud Console SAML settings page.
- After you type or paste in this value, a checkbox labeled Default appears on that line. Select the checkbox.
- In the Reply URL (Assertion Consumer Service URL) field, type or paste in the value you got from the ACS URL (Single Sign-on) field in the Splunk Cloud Console SAML settings page.
- After you type or paste in this value, a checkbox labeled Default appears on that line. Select the checkbox.
- Leave all other fields in this page empty.
- Click Save.
- Click the X to close the pop-up.
- In the 2. User Attributes and Claims box, click Edit.
- In the User Attributes and Claims page that appears:
- Review the Required Claims and Additional Claims. Entra ID creates claims for the following attributes, whose claim names you supply to Splunk Cloud Console in the "Configure the connection from SCS to the SAML application in Entra ID using Splunk Cloud Console" procedure, as described later in this topic:

Claim Name                                                          Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress  user.mail
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname     user.givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname       user.surname

Entra ID omits a claim from the assertion when the source attribute is empty for a user. Confirm that every user who will sign in to SCS has a value for the mail attribute; otherwise the emailaddress claim is missing for that user and SCS cannot map their email address.

- Click the X to close the page.
Retrieve the Identity Provider Single Sign-On URL and public certificate for configuring the SCS-to-Entra ID SAML application connection
When you created the SAML application in Entra ID with which SCS will interface, you pasted in the Assertion Consumer Service (ACS) URL and Audience URI from SCS to complete the SAML application setup. Entra ID in turn generated a Login URL (the Identity Provider Single Sign-on URL) and a SAML signing certificate for the application, which SCS needs in order to communicate with Entra ID and verify the assertions it receives.
Now that you have set up the SAML application in Entra ID, you must retrieve the Identity Provider Single Sign-on URL and the public certificate from there. You will use this information to complete integration of SCS with your IdP from within Splunk Cloud Console.
- From the Enterprise Applications page in Entra ID, select the application you created. The application properties page for that application loads.
- Under Manage, click Single Sign-on.
- In the 3. SAML Signing Certificate box, click the Download link next to the Certificate (Base64) label. Your browser downloads the file. You will use this file in the next procedure. Note the Expiration date shown in the same box: Entra ID creates the signing certificate with a three-year validity by default, and when it is rotated you must repeat the next procedure with the new certificate before the old one expires, or sign-in to SCS fails.
- In the 4. Set up <your application> box, review the Login URL and Entra ID Identifier fields within the box.
- The Login URL is the Single Sign-on Service URL that you will provide in the following procedure to complete SCS integration with the Entra ID SAML application in Splunk Cloud Console.
- Either write down the Login URL and Entra ID Identifier values, or copy and paste the values to a text file. You will need these values in the following procedure.
Configure the connection from SCS to the SAML application in Entra ID using Splunk Cloud Console
After you configure the SAML application in Entra ID and retrieve the Identity Provider Single Sign-on URL and public certificate from there, you can then configure Splunk Cloud Services to use the Entra ID SAML application for authentication and authorization.
When you fill in at least one, but not all, of the required fields in the SAML Configuration dialog box, a Save button appears. This button lets you save your configuration progress, but does not enable the configuration. You can enable the configuration only after you supply all the required information.
- Log into Splunk Cloud Console.
- Click Settings.
- Click SAML Configuration.
- Leave all fields in the 1. IdP SAML Configuration section as they are.
- In 2. Splunk SAML configuration, type or paste in the Login URL that you got in the previous procedure into the Single Sign-on Service field.
- Type or paste in the Entra ID Identifier value into the Issuer field. This is the IdP entity ID that SCS expects in the Issuer element of each assertion; do not paste it into the Single Sign-on Service field.
- In the Public Certificate field, paste in the contents of the Base64 certificate file that you downloaded from the Entra ID SAML application setup screen. Open the file in a text editor and copy the whole text, including the BEGIN CERTIFICATE and END CERTIFICATE lines.
- In the Map SAML Attributes section, in the Email Address field, type in the Claim Name for the user.mail value from the Required Claims and Additional Claims table in the SAML application setup procedure, as described earlier in this topic. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- In the First Name field, type in the Claim Name for the user.givenname value from the Required Claims and Additional Claims table (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname).
- In the Last Name field, type in the Claim Name for the user.surname value from the Required Claims and Additional Claims table (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname).
- After you have filled in all of the fields on the screen, the Enable configuration button appears. Click this button to validate and activate the SAML configuration.
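The following Python is an added illustration, not Splunk or Microsoft code, of why the values copied between the two consoles must match exactly. Against a constructed sample SAML Response it performs the checks a service provider such as SCS makes once the assertion signature has been verified with the Entra ID certificate: the Response Destination and bearer Recipient must equal the ACS URL, the Issuer must equal the Entra ID Identifier, the Audience must equal the Audience URI (SP Entity ID), the validity window must cover the current time, and the user attributes are read using the claim names from the table above. The hostnames, the tenant ID and the sample response are placeholders; signature verification is deliberately left out.

```python
"""Added example (not Splunk or Microsoft code): the checks that tie the values
exchanged between Splunk Cloud Console and Entra ID to an incoming SAML Response.
All URLs, the tenant ID and the sample response below are constructed placeholders;
the claim names are the ones Entra ID issues by default. Signature verification,
which SCS does with the downloaded Entra ID certificate, is not shown."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder settings as entered in the two consoles (constructed). The Entra ID
# Identifier really does take the form https://sts.windows.net/<tenant-id>/.
SETTINGS = {
    "acs_url": "https://scs.example.com/saml/acs",      # ACS URL (Single Sign-on) = Reply URL in Entra ID
    "audience_uri": "https://scs.example.com",          # Audience URI (SP Entity ID) = Identifier in Entra ID
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",  # Entra ID Identifier
    "attribute_map": {"email": CLAIMS + "emailaddress",  # Map SAML Attributes section in SCS
                      "first_name": CLAIMS + "givenname",
                      "last_name": CLAIMS + "surname"},
}

# Constructed sample of what Entra ID posts to the ACS URL (signature element omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00.000Z" Destination="https://scs.example.com/saml/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00.000Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00.000Z"
          Recipient="https://scs.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00.000Z" NotOnOrAfter="2024-01-01T13:00:00.000Z">
      <saml:AudienceRestriction><saml:Audience>https://scs.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC; Entra ID adds fractional seconds, which are dropped here.
    return datetime.strptime(value.rstrip("Z").split(".")[0],
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def validate_response(xml_text, settings, now):
    """Return (problems, user_attributes) for one SAML Response; an empty problems list means accept."""
    problems, root = [], ET.fromstring(xml_text)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        problems.append("status: IdP did not report Success")
    if root.get("Destination") != settings["acs_url"]:             # Reply URL vs ACS URL
        problems.append("destination: Response was not sent to our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["assertion: none present (encrypted assertions not handled)"], {}
    for el in (root, assertion):                                    # Entra ID Identifier vs Issuer
        issuer = el.find("saml:Issuer", NS)
        if issuer is None or (issuer.text or "").strip() != settings["issuer"]:
            problems.append("issuer: does not match the Entra ID Identifier")
    cond = assertion.find("saml:Conditions", NS)                    # Identifier (Entity ID) vs Audience
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if settings["audience_uri"] not in audiences:
        problems.append("audience: assertion was issued for a different SP Entity ID")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("conditions: assertion is outside its validity window")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != settings["acs_url"] or now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("subject confirmation: wrong Recipient or expired bearer confirmation")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    user = {}
    for field, claim in settings["attribute_map"].items():          # Map SAML Attributes vs claim names
        if attrs.get(claim):
            user[field] = attrs[claim][0]
        else:
            problems.append(f"attributes: claim {claim} ({field}) missing; check the user's Entra ID attribute")
    return problems, user

if __name__ == "__main__":
    probs, who = validate_response(SAMPLE_RESPONSE, SETTINGS, _ts("2024-01-01T12:01:00Z"))
    print("ACCEPT" if not probs else "REJECT", who, probs)
```

Each check corresponds to one value you copied: a mismatch in the Reply URL shows up as a destination or subject confirmation problem, a wrong Identifier as an audience problem, a wrong Issuer as an issuer problem, and a mistyped claim name in Map SAML Attributes as a missing attribute. Running the script as-is accepts the sample; editing any one of the SETTINGS values rejects it.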
Enable JIT provisioning
You can enable just-in-time (JIT) provisioning so that you don't need to manually send an invite to users to join your tenant. You do not have to enable JIT provisioning to invite users to your tenant, but you must integrate an identity provider before JIT provisioning can work.
- To learn about JIT provisioning, see Just-in-time provisioning to join users to your tenant automatically.
- For instructions on enabling JIT provisioning, see Enable JIT provisioning.
This documentation applies to the following versions of Splunk® Cloud Services: current