Splunk® SOAR (Cloud)

Administer Splunk SOAR (Cloud)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Configure single sign-on authentication for

supports using Single sign-on (SSO) to authenticate users.

Single sign-on (SSO) systems allows users to be authenticated once, then use multiple, distinct services or applications without having to reauthenticate for each application or service. Single sign-on systems rely on an identity provider to authenticate the user, then provide an authentication token which applications, such as , use to log the user in. For an overview of single sign-on, see the Single sign-on article on Wikipedia.

You can configure SSO for with Security Assertion Markup Language 2.0 (SAML2 ).

Configure SSO authentication using SAML2

To configure SSO authentication using SAML2 as the identity provider, perform the following tasks:

  1. From the Home Menu, select Administration.
  2. Select Users > Authentication.
  3. Click SAML2.
  4. Click the toggle in the SAML2 field to enable SAML2 configuration.
  5. Complete the fields to configure SSO authentication using SAML2:
    Field Description
    Active Use this checkbox in conjunction with Add Another at the bottom of the page. You can have multiple SAML2 servers and the Active checkbox determines which ones are used by for authentication. The toggle button in the SAML2 field enables SAML2 authentication for all servers which are marked Active.


    If there are multiple SAML2 servers, searches each server in a random order to find a match for the username. If the same username exists on multiple servers, the first one matched is used. If this match happens to be for a different user and not the user who is attempting to login, then authentication fails.

    Require TLS/SSL encryption Determines whether encrypted connections are required. Enable TLS/SSL encryption to check the server certificate against the certificate store.
    Provider Name The name of the SSO provider. Specify a unique name to easily identify this provider.
    Single sign-on URL The URL that users are directed to for logging in.
    Issuer ID The unique identifier provided by the identity provider.
    Metadata URL The URL hosted by your identity provider containing information about the provider configuration. If you specify a valid Metadata URL, do can leave the Metadata XML field blank.
    Metadata XML XML code containing information about the provider configuration. If you specify valid XML in this field, you can leave the Metadata URL field blank.
    Phantom Base URL The URL used to redirect users back to . This URL must be reachable by users trying to log in.
    Advanced Settings Click Advanced to configure the following advanced settings:
    • Select Response Signed to require a signed response from the identity provider.
    • Select Request Signed to require a signed request from the identity provider.
    • Select Assertion Signed to require a signed assertion containing the user attributes from the identity provider.
    • Type an EntityID/Audience to configure an entity ID for the service provider. This is used when defining the audience restriction on the identity provider. A value for this field must be included.
    • Type a Group Key to identity identify the group membership data within the attributes passed back from the identity provider. Also specify a Group Delimiter if groups are passed back as a single element with a delimiter, instead of separate attribute values.
    • Configure Groups. See Configure group mappings for SAML 2.0 SSO authentication for more information about group mapping.
    • Configure External Attributes. See Configure external attribute mappings for SAML 2.0 SSO authentication for more information about external attributes mapping. If user name mapping is not provided in the assertion, will default to using the value specified in NameID field.
  6. Click Save Changes.

Splunk SOAR (Cloud)'s SAML2 authentication integration does not support HTTP redirect binding.

Configure group mappings for SAML 2.0 SSO authentication

Configure a group mapping to map group in your SAML 2.0 bindings to a role. Doing so enables you to automatically use your existing SAML 2.0 identity provider groups to determine who can log into and which actions each user is able to perform after they log in.

Click Add Mappings to create a new mapping. You can configure multiple mappings.

Each user must be mapped to at least one group to enable that user to login to without manually creating the user account in .

Role mapping is done at login time, meaning that if the administrator changes a role mapping that would affect a logged-in user, then that user will retain the old role(s) until they log out and log back in again.

Configure external attribute mapping for SAML 2.0 SSO authentication

In some cases you may need to specifically call out external attributes which should be mapped to the user attributes. Click Add Mapping to select a user attribute to map, then use the text field to enter the name of the attribute found in your SAML 2.0 identity provider's user's profile.

Last modified on 06 November, 2024
Configure password requirements and timeout intervals to secure your accounts   TwoFactor

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters