Splunk® Secure Gateway

Administer Splunk Secure Gateway

Splunk Secure Gateway is included in Splunk Enterprise version 8.1.0 and higher. Splunk Secure Gateway lets you configure your Connected Experiences mobile app deployment and register devices to a Splunk instance. See About Splunk Secure Gateway to learn more.
This documentation does not apply to the most recent version of Splunk® Secure Gateway. For documentation on the most recent version, go to the latest release.

Set up SAML authentication for Splunk Secure Gateway

Secure your Connected Experiences mobile app deployment with Security Assertion Markup Language (SAML) authentication. You can set up SAML authentication for your users if you're using a supported identity provider (IdP), Splunk platform, and login method.

If you're using Splunk Cloud Gateway, see Set up SAML authentication for Splunk Cloud Gateway.

For user log in steps, see Log in if your organization uses an SSO provider in the Use Splunk Secure Gateway manual.

Requirements

You must use a supported Splunk platform, enable token authentication, and use a supported IdP.

Supported Splunk platform versions and log in methods

Splunk Secure Gateway supports SAML authentication with Splunk Cloud platform. To use SAML authentication with Splunk Enterprise, you must also use Mobile Device Management. See (For Splunk Enterprise instances) Use SAML authentication with Mobile Device Management (MDM).

To view other user login methods, see Log in to a Splunk platform instance in a Connected Experiences app.

Enable token authentication

To use SAML authentication, you must enable token authentication. Enable token authentication in Settings > Tokens > Enable token authentication in Splunk Web.

Supported IdPs

Splunk Secure Gateway works with any identity provider (IdP) that supports Attribute Query Request (AQR). The following have been tested and verified as compatible:

  • Ping Identity
  • IBM
  • CA Single Sign-on
  • Shibboleth

Splunk Secure Gateway also supports Okta and Azure if you set up scripted authentication.

Use an IdP that supports AQR

Check whether your IdP supports AQR. Splunk Secure Gateway doesn't require scripted authentication with IdPs that support AQR.

To use one of these IdPs, enter the IdP's AQR information in Settings > Authentication Methods > SAML Settings > SAML configuration in Splunk Web.

These IdPs don't require any additional configuration other than entering the AQR information in Splunk Web. If you're using Okta or Azure, set up scripted authentication.

Use Okta or Azure

To use Okta or Azure, you must configure Splunk Cloud to use SAML for authentication tokens. See Configure Splunk Cloud to use SAML for authentication tokens in the Splunk Cloud Admin Manual to learn how.

Use an IdP that isn't immediately supported

Set up scripted authentication if you're using an IdP that isn't supported out of the box. First, write a script for SAML authentication. Then, set up scripted authentication for SAML in Splunk Web.

See Create the authentication script for more information about setting up scripted authentication.

Prerequisites

  • Have the admin role.
  • Obtain an API key value from your IdP.
  • Obtain your IdP's base URL from your IdP.

Write a script for SAML authentication

You can view sample Okta and Azure scripts in $SPLUNK_HOME/share/splunk/authScriptSamples. In the script, define your IdP's base URL and an API key name.

Save the script as a Python file to $SPLUNK_HOME/etc/auth/scripts.

The following is an example script for how to set up SAML authentication with Okta:

import sys
import json
from urllib.parse import quote

import requests
from commonAuth import *  # provides readInputs(), SUCCESS and FAILED

BASE_URL = '<your base URL for your IdP>'
REQUEST_TIMEOUT = 10  # seconds, so a slow IdP response cannot hang the script

def getUserInfo(args):
    # Extract the Okta API key from authentication.conf under scriptSecureArguments
    API_KEY = args['<API key name>']
    API_KEY_HEADER = 'SSWS ' + API_KEY
    OKTA_HEADERS = {'Accept': 'application/json', 'Content-Type': 'application/json', 'Authorization': API_KEY_HEADER}

    usernameStr = args['username']
    # URL-encode the username so it stays a single path segment of the request URL
    nameUrl = BASE_URL + '/api/v1/users/' + quote(usernameStr, safe='')
    groupsUrl = nameUrl + '/groups'

    nameResponse = requests.request('GET', nameUrl, headers=OKTA_HEADERS, timeout=REQUEST_TIMEOUT)
    groupsResponse = requests.request('GET', groupsUrl, headers=OKTA_HEADERS, timeout=REQUEST_TIMEOUT)

    # Fail the lookup unless both the user and the group queries succeeded
    if groupsResponse.status_code != 200 or nameResponse.status_code != 200:
        print(FAILED)
        return

    # The real name is the first and last name from the Okta user profile
    nameAttributes = json.loads(nameResponse.text)
    realNameString = nameAttributes['profile']['firstName'] + ' ' + nameAttributes['profile']['lastName']

    # Roles are the names of the user's Okta groups, separated by ':'
    groupAttributes = json.loads(groupsResponse.text)
    roleString = ':'.join(group['profile']['name'] for group in groupAttributes)

    # Output format: <SUCCESS> --userInfo=<username>;<real name>;<role1:role2:...>
    fullString = SUCCESS + ' ' + '--userInfo=' + usernameStr + ';' + realNameString + ';' + roleString
    print(fullString)

if __name__ == "__main__":
    # Splunk passes the function name as the first argument and the inputs on stdin
    callName = sys.argv[1]
    dictIn = readInputs()

    if callName == "getUserInfo":
        getUserInfo(dictIn)
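
The script above joins IdP-supplied values into one line, with ';' between fields and ':' between roles, so a name that contains either character changes how that line reads. The following added example (not part of the Splunk sample scripts) validates each value before building the line; check_field, build_user_info, the sample data, and the '--status=success' token standing in for SUCCESS from commonAuth are assumptions made for illustration.

```python
FIELD_SEP = ';'  # separates username, real name and role list in the page's script
ROLE_SEP = ':'   # separates role names in the page's script
RESERVED = set(FIELD_SEP + ROLE_SEP + '\r\n')


class UnsafeFieldError(ValueError):
    """Raised when an IdP-supplied value would corrupt the --userInfo line."""


def check_field(label, value):
    """Return the stripped value, or raise if it is empty or holds a reserved character."""
    if not isinstance(value, str) or not value.strip():
        raise UnsafeFieldError(f'{label} is empty or not a string')
    bad = RESERVED.intersection(value)
    if bad:
        raise UnsafeFieldError(f'{label} contains reserved characters {sorted(bad)!r}')
    return value.strip()


def build_user_info(username, profile, groups, success_token='--status=success'):
    """Build the line the script prints from the two decoded Okta JSON bodies.

    success_token is an assumed stand-in for SUCCESS from commonAuth.
    """
    user = check_field('username', username)
    names = profile['profile']
    real_name = check_field('real name', f"{names['firstName']} {names['lastName']}")
    roles = [check_field('group name', g['profile']['name']) for g in groups]
    return (f'{success_token} --userInfo={user}{FIELD_SEP}{real_name}'
            f'{FIELD_SEP}{ROLE_SEP.join(roles)}')


# Constructed sample data, shaped like the fields the page's script reads.
SAMPLE_PROFILE = {'profile': {'firstName': 'Dana', 'lastName': 'Reyes'}}
SAMPLE_GROUPS = [{'profile': {'name': 'splunk_user'}},
                 {'profile': {'name': 'mobile_viewers'}}]
# One group whose name would be read as two roles after joining with ':'.
COLON_GROUPS = [{'profile': {'name': 'viewers:admin'}}]

if __name__ == '__main__':
    print(build_user_info('dana.reyes@example.com', SAMPLE_PROFILE, SAMPLE_GROUPS))
    try:
        build_user_info('dana.reyes@example.com', SAMPLE_PROFILE, COLON_GROUPS)
    except UnsafeFieldError as err:
        print('rejected:', err)
```

In an authentication script, catch UnsafeFieldError and print FAILED so that a malformed value denies the lookup instead of producing an ambiguous role list.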

Set up scripted authentication with SAML in Splunk Web

After creating your script, set up scripted authentication with SAML in Splunk Web.

  1. In Splunk Web, navigate to Settings > Authentication Methods.
  2. Click SAML Settings.
  3. Click SAML Configuration.
  4. Click Authentication Extensions.
  5. In the Script Path field, enter the name of your authentication script.
  6. Set the script timeout and the Get User Info time-to-live. The recommended value is 3600s.
  7. In the Script Functions field, enter getUserInfo.
  8. In the Script Secure Arguments section, enter the following information:
    1. Enter the API key name from your authentication script in the Key field.
    2. Enter the API key from your IdP in the Value field.
  9. Click Save.

(For Splunk Enterprise instances) Use SAML authentication with Mobile Device Management (MDM)

MDM is required to use SAML authentication if you're using Splunk Enterprise.

Requirements

Your Splunk Enterprise instance must meet the following requirements:

  • You must be using SSL protocol on Splunk Web and use a trusted certificate.
  • Your Splunk Enterprise instance must be accessible from the mobile browser of the device logging in.

If your Splunk platform instance isn't accessible from the mobile browser of mobile devices that are logging in, you can use a different login method. See Log in to a Splunk platform instance from a Connected Experiences app.

Prerequisites

To use SAML authentication with Mobile Device Management (MDM), first set up SAML authentication and then configure MDM. To configure MDM, see Set up MDM and in-app log in for iOS devices or Set up MDM and in-app log in for Android devices.

Steps

Complete the following steps to use SAML authentication with MDM:

  1. Set up SAML authentication. See Set up SAML authentication for Splunk Secure Gateway.
  2. In the Mobile Device Management page of Splunk Secure Gateway, click Get Existing Instance ID File. Do this for all the instances that you're using with the Connected Experiences apps. You don't need to generate a new instance ID file.
  3. Upload the file to your MDM provider.

For user log in steps, see Log in if your organization uses both SAML authentication and an MDM provider in the Use Splunk Secure Gateway manual.

Last modified on 24 August, 2022

This documentation applies to the following versions of Splunk® Secure Gateway: 2.4.0, 2.0.2, 2.5.6 Cloud Only, 2.5.7, 2.6.3 Cloud only

