Set up SAML authentication for Splunk Secure Gateway
Secure your Connected Experiences mobile app deployment with Security Assertion Markup Language (SAML) authentication. You can set up SAML authentication for your users if you're using a supported identity provider (IdP), Splunk platform, and login method.
If you're using Splunk Cloud Gateway, see Set up SAML authentication for Splunk Cloud Gateway.
For user login steps, see Log in if your organization uses an SSO provider in the Use Splunk Secure Gateway manual.
Requirements
You must use a supported Splunk platform, enable token authentication, and use a supported IdP.
Supported Splunk platform versions and login methods
Splunk Secure Gateway supports SAML authentication with Splunk Cloud platform. To use SAML authentication with Splunk Enterprise, you must also use Mobile Device Management. See (For Splunk Enterprise instances) Use SAML authentication with Mobile Device Management (MDM).
To view other user login methods, see Log in to a Splunk platform instance in a Connected Experiences app.
Enable token authentication
To use SAML authentication, you must enable token authentication. Enable token authentication in Settings > Tokens > Enable token authentication in Splunk Web.
Supported IdPs
Splunk Secure Gateway works with any identity provider (IdP) that supports Attribute Query Request (AQR). The following have been tested and verified as compatible:
- Ping Identity
- IBM
- CA Single Sign-on
- Shibboleth
Splunk Secure Gateway also supports Okta and Azure if you set up scripted authentication.
Use an IdP that supports AQR
Check whether your IdP supports AQR. Splunk Secure Gateway doesn't require scripted authentication with IdPs that support AQR.
To use one of these IdPs, enter the IdP's AQR information in Settings > Authentication Methods > SAML Settings > SAML configuration in Splunk Web.
These IdPs don't require any additional configuration other than entering the AQR information in Splunk Web. If you're using Okta or Azure, set up scripted authentication.
Use Okta or Azure
To use Okta or Azure, you must configure Splunk Cloud to use SAML for authentication tokens. See Configure Splunk Cloud to use SAML for authentication tokens in the Splunk Cloud Admin Manual to learn how.
Use an IdP that isn't immediately supported
Set up scripted authentication if you're using an IdP that isn't supported out of the box. First, write a script for SAML authentication. Then, set up scripted authentication for SAML in Splunk Web.
See Create the authentication script for more information about setting up scripted authentication.
Prerequisites
- Have the admin role.
- Obtain an API key value from your IdP.
- Obtain your base URL for your IdP from your IdP.
Write a script for SAML authentication
You can view sample Okta and Azure scripts in $SPLUNK_HOME/share/splunk/authScriptSamples. In the script, define your IdP's base URL and an API key name.
Save the script as a Python file to $SPLUNK_HOME/etc/auth/scripts.
The following is an example script for how to set up SAML authentication with Okta:
from commonAuth import *
import sys
import json
import requests

BASE_URL = '<your base URL for your IdP>'

def getUserInfo(args):
    # Here, we are extracting the Okta API key from authentication.conf under scriptSecureArguments
    API_KEY = args['<API key name>']
    API_KEY_HEADER = 'SSWS ' + API_KEY
    OKTA_HEADERS = {'Accept': 'application/json',
                    'Content-Type': 'application/json',
                    'Authorization': API_KEY_HEADER}
    usernameStr = args['username']
    nameUrl = BASE_URL + '/api/v1/users/' + usernameStr
    groupsUrl = nameUrl + '/groups'
    nameResponse = requests.request('GET', nameUrl, headers=OKTA_HEADERS)
    groupsResponse = requests.request('GET', groupsUrl, headers=OKTA_HEADERS)
    roleString = ''
    realNameString = ''
    fullString = ''
    # Fail closed if either Okta lookup did not succeed
    if groupsResponse.status_code != 200 or nameResponse.status_code != 200:
        print(FAILED)
        return
    nameAttributes = json.loads(nameResponse.text)
    realNameString += nameAttributes['profile']['firstName'] + ' ' + nameAttributes['profile']['lastName']
    groupAttributes = json.loads(groupsResponse.text)
    # Join the user's group names with ':' to form the role list
    for i in range(0, len(groupAttributes)):
        roleString += groupAttributes[i]['profile']['name']
        if i != len(groupAttributes) - 1:
            roleString += ':'
    fullString += SUCCESS + ' ' + '--userInfo=' + usernameStr + ';' + realNameString + ';' + roleString
    print(fullString)

if __name__ == "__main__":
    callName = sys.argv[1]
    dictIn = readInputs()
    if callName == "getUserInfo":
        getUserInfo(dictIn)
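The following is an added example, not Splunk's sample script, that separates the IdP lookups in the script above from the formatting of the getUserInfo result so the contract can be exercised offline. It assumes the SUCCESS and FAILED values that commonAuth exports (check your own commonAuth.py), uses a stub in place of the Okta API with constructed user and group payloads shaped like the fields the script reads, and fails closed when a lookup does not return 200, when a field is missing, or when a name would collide with the ';' and ':' separators of the userInfo record.

```python
"""Added example (not Splunk's own code): the getUserInfo contract of the
sample script, with the IdP lookup separated from the output formatting."""
import json

# Assumed values: these mirror the SUCCESS and FAILED constants the sample
# script imports from commonAuth; verify against your own commonAuth.py.
SUCCESS = '--status=success'
FAILED = '--status=fail'

# Constructed sample payloads shaped like the Okta user and groups
# responses the page's script reads (profile.firstName, profile.lastName,
# and each group's profile.name). Not real data.
SAMPLE_USER = {'profile': {'firstName': 'Ada', 'lastName': 'Lovelace'}}
SAMPLE_GROUPS = [{'profile': {'name': 'splunk_admin'}},
                 {'profile': {'name': 'analysts'}}]


def build_user_info(username, user_doc, group_docs):
    """Return the '--userInfo=user;real name;role1:role2' string, or None
    when a required field is missing (the caller then reports FAILED)."""
    try:
        real_name = user_doc['profile']['firstName'] + ' ' + user_doc['profile']['lastName']
        roles = ':'.join(g['profile']['name'] for g in group_docs)
    except (KeyError, TypeError):
        return None
    # ';' and ':' delimit the record; a name containing them would corrupt
    # the parsed roles, so refuse the record rather than guess.
    if any(c in real_name for c in ';:') or ';' in roles:
        return None
    return '--userInfo=' + username + ';' + real_name + ';' + roles


def get_user_info(args, fetch):
    """fetch(path, api_key) -> (status_code, body_text). Injected so the
    HTTP layer (requests in the page's script) can be replaced by a stub."""
    api_key = args['<API key name>']   # key name as configured in Script Secure Arguments
    username = args['username']
    status_u, body_u = fetch('/api/v1/users/' + username, api_key)
    status_g, body_g = fetch('/api/v1/users/' + username + '/groups', api_key)
    if status_u != 200 or status_g != 200:
        return FAILED
    info = build_user_info(username, json.loads(body_u), json.loads(body_g))
    if info is None:
        return FAILED
    return SUCCESS + ' ' + info


def stub_fetch(path, api_key):
    """Stand-in for the Okta API (hypothetical): serves the constructed
    samples and rejects a wrong key with 401 as a real API would."""
    if api_key != 'constructed-key':
        return 401, ''
    if path.endswith('/groups'):
        return 200, json.dumps(SAMPLE_GROUPS)
    return 200, json.dumps(SAMPLE_USER)


if __name__ == '__main__':
    # Equivalent of the readInputs() dictionary the real script receives.
    args = {'username': 'ada', '<API key name>': 'constructed-key'}
    print(get_user_info(args, stub_fetch))
```

In production the fetch function would wrap requests.request against BASE_URL with the SSWS authorization header as in the script above; keeping it injectable lets you unit-test the role mapping and the fail-closed paths without an IdP connection.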
Set up scripted authentication with SAML in Splunk Web
After creating your script, set up scripted authentication with SAML in Splunk Web.
- In Splunk Web, navigate to Settings > Authentication Methods.
- Click SAML Settings.
- Click SAML Configuration.
- Click Authentication Extensions.
- In the Script Path field, enter the name of your authentication script.
- Set the script timeout and the Get User Info time-to-live. The recommended value is 3600s.
- In the Script Functions field, enter getUserInfo.
- In the Script Secure Arguments section, enter the following information:
- Enter the API key name from your authentication script in the Key field.
- Enter the API key from your IdP in the Value field.
- Click Save.
(For Splunk Enterprise instances) Use SAML authentication with Mobile Device Management (MDM)
MDM is required to use SAML authentication if you're using Splunk Enterprise.
Requirements
Your Splunk Enterprise instance must meet the following requirements:
- Splunk Web must use the SSL protocol with a trusted certificate.
- Your Splunk Enterprise instance must be accessible from the mobile browser of the device logging in.
If your Splunk platform instance isn't accessible from the mobile browser of mobile devices that are logging in, you can use a different login method. See Log in to a Splunk platform instance from a Connected Experiences app.
Prerequisites
To use SAML authentication with Mobile Device Management (MDM), first set up SAML authentication and then configure MDM. To configure MDM, see Set up MDM and in-app log in for iOS devices or Set up MDM and in-app log in for Android devices.
Steps
Complete the following steps to use SAML authentication with MDM:
- Set up SAML authentication. See Set up SAML authentication for Splunk Secure Gateway.
- In the Mobile Device Management page of Splunk Secure Gateway, click Get Existing Instance ID File. Do this for every instance that you're using with the Connected Experiences apps. You don't need to generate a new instance ID file.
- Upload the file to your MDM provider.
For user login steps, see Log in if your organization uses both SAML authentication and an MDM provider in the Use Splunk Secure Gateway manual.
This documentation applies to the following versions of Splunk® Secure Gateway: 2.4.0, 2.0.2, 2.5.6 Cloud Only, 2.5.7, 2.6.3 Cloud only