Splunk® Secure Gateway

Administer Splunk Secure Gateway


Splunk Secure Gateway is a default enabled application that's included in Splunk Cloud version 8.1.2103 and Splunk Enterprise version 8.1.0 and higher. An admin must agree to the opt-in notice before using Splunk Secure Gateway. See Get started with Splunk Secure Gateway to get started.

Set up SAML authentication for Splunk Secure Gateway

Secure your Connected Experiences mobile app deployment with Security Assertion Markup Language (SAML) authentication. You can set up SAML authentication for your users if you're using a supported identity provider (IdP), Splunk platform, and login method.

If you're using Splunk Cloud Gateway, see Set up SAML authentication for Splunk Cloud Gateway.

For user log in steps, see Log in if your organization uses an SSO provider in the Use Splunk Secure Gateway manual.


To use SAML authentication, enable token authentication and use a supported IdP, Splunk platform version, and login method.

Enable token authentication

To use SAML authentication, you must enable token authentication. Enable token authentication in Settings > Tokens > Enable token authentication in Splunk Web.

Supported IdPs

Splunk Secure Gateway works with any identity provider (IdP) that supports Attribute Query Request (AQR). The following have been tested and verified as compatible:

  • Ping Identity
  • IBM
  • CA Single Sign-on
  • Shibboleth

Splunk Secure Gateway also supports Okta and Azure if you set up scripted authentication.

Supported Splunk platform versions and log in methods

Splunk Secure Gateway supports SAML authentication with Splunk Enterprise version 8.1.0 or higher using the authentication code or in-app log in with MDM methods.

To view other user login methods, see Log in to a Splunk platform instance in a Connected Experiences app.

Use an IdP that supports AQR

Check whether your IdP supports AQR. Splunk Secure Gateway doesn't require scripted authentication with IdPs that support AQR.

To use one of these IdPs, enter the IdP's AQR information in Settings > Authentication Methods > SAML Settings > SAML configuration in Splunk Web.

These IdPs don't require any additional configuration other than entering the AQR information in Splunk Web. If you're using Okta or Azure, set up scripted authentication.

Use Okta or Azure

To use Okta or Azure, you must configure Splunk Cloud to use SAML for authentication tokens. See Configure Splunk Cloud to use SAML for authentication tokens in the Splunk Cloud Admin Manual to learn how.

Use an IdP that isn't immediately supported

Set up scripted authentication if you're using an IdP that isn't supported out of the box. First, write a script for SAML authentication. Then, set up scripted authentication for SAML in Splunk Web.

See Create the authentication script for more information about setting up scripted authentication.


  • Have the admin role.
  • Obtain an API key value from your IdP.
  • Obtain your base URL for your IdP from your IdP.

Write a script for SAML authentication

You can view sample Okta and Azure scripts in $SPLUNK_HOME/share/splunk/authScriptSamples. In the script, define your IdP's base URL and an API key name.

Save the script as a Python file to $SPLUNK_HOME/etc/auth/scripts.

The following is an example script for how to set up SAML authentication with Okta:

from commonAuth import *
import json
import sys

import requests

BASE_URL = '<your base URL for your IdP>'

def getUserInfo(args):
    # Extract the Okta API key that is passed in from scriptSecureArguments in authentication.conf
    API_KEY = args['<API key name>']
    # Okta API tokens are sent with the SSWS authorization scheme
    API_KEY_HEADER = 'SSWS ' + API_KEY
    OKTA_HEADERS = {'Accept':'application/json', 'Content-Type':'application/json', 'Authorization':API_KEY_HEADER}
    usernameStr = args['username']
    nameUrl = BASE_URL + '/api/v1/users/' + usernameStr
    groupsUrl = nameUrl + '/groups'
    nameResponse = requests.request('GET', nameUrl, headers=OKTA_HEADERS)
    groupsResponse = requests.request('GET', groupsUrl, headers=OKTA_HEADERS)
    roleString = ''
    realNameString = ''
    fullString = ''
    if groupsResponse.status_code != 200 or nameResponse.status_code != 200:
        # Report failure if either lookup did not succeed (FAILED comes from commonAuth, like SUCCESS)
        print(FAILED)
        return
    nameAttributes = json.loads(nameResponse.text)
    realNameString += nameAttributes['profile']['firstName'] + ' ' + nameAttributes['profile']['lastName']
    groupAttributes = json.loads(groupsResponse.text)
    # Join the user's group names with ':' to form the role list
    for i in range(0, len(groupAttributes)):
        roleString += groupAttributes[i]['profile']['name']
        if i != len(groupAttributes) - 1:
            roleString += ':'
    fullString += SUCCESS + ' ' + '--userInfo=' + usernameStr + ';' + realNameString + ';' + roleString
    # The result line is returned to Splunk on standard output
    print(fullString)

if __name__ == "__main__":
    callName = sys.argv[1]
    dictIn = readInputs()
    if callName == "getUserInfo":
        getUserInfo(dictIn)
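
The sample script builds its request URL and its --userInfo line by plain string concatenation, so a ';' or ':' inside a name, or a '/' inside the username, changes how the result is read. The following added example (not Splunk's code) percent-encodes the username and fails closed when a field contains a delimiter; the SUCCESS and FAILED strings, the function names, and the sample response bodies are assumptions constructed for illustration.

```python
import json
from urllib.parse import quote

# Assumed stand-ins for commonAuth.SUCCESS / commonAuth.FAILED so this runs without Splunk.
SUCCESS = "--status=success"
FAILED = "--status=fail"
# ';' separates --userInfo fields and ':' separates roles; line breaks would end the result early.
FORBIDDEN = set(";:\r\n")

def user_url(base_url, username):
    # Percent-encode the username so '/', '?' or '#' in it cannot change the API path.
    return base_url.rstrip("/") + "/api/v1/users/" + quote(username, safe="")

def clean(value):
    # Accept only non-empty strings that carry no delimiter or line-break characters.
    if not isinstance(value, str) or not value.strip() or FORBIDDEN & set(value):
        raise ValueError("unsafe value for --userInfo: %r" % (value,))
    return value.strip()

def format_user_info(username, name_body, groups_body):
    """Build the getUserInfo result line from the two IdP response bodies."""
    try:
        profile = json.loads(name_body)["profile"]
        real_name = clean(profile["firstName"]) + " " + clean(profile["lastName"])
        roles = [clean(g["profile"]["name"]) for g in json.loads(groups_body)]
        return "%s --userInfo=%s;%s;%s" % (SUCCESS, clean(username), real_name, ":".join(roles))
    except (KeyError, TypeError, ValueError):
        # Fail closed: malformed or delimiter-bearing data never reaches the result line.
        return FAILED

# Constructed sample response bodies in the shape the sample script reads.
NAME_OK = '{"profile": {"firstName": "Ana", "lastName": "Lee"}}'
GROUPS_OK = '[{"profile": {"name": "splunk_user"}}, {"profile": {"name": "splunk_power"}}]'
GROUPS_COLON = '[{"profile": {"name": "team:emea"}}]'  # would read as two roles

if __name__ == "__main__":
    print(user_url("https://idp.example.com", "ana/../x"))
    print(format_user_info("ana", NAME_OK, GROUPS_OK))
    print(format_user_info("ana", NAME_OK, GROUPS_COLON))
```
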

Set up scripted authentication with SAML in Splunk Web

After creating your script, set up scripted authentication with SAML in Splunk Web.

  1. In Splunk Web, navigate to Settings > Authentication Methods.
  2. Click SAML Settings.
  3. Click SAML Configuration.
  4. Click Authentication Extensions.
  5. In the Script Path field, enter the name of your authentication script.
  6. Set script timeout and Get User Info time-to-live. Recommended value is 3600s.
  7. In the Script Functions field, enter getUserInfo.
  8. In the Script Secure Arguments section enter the following information:
    1. Enter the API key name from your authentication script in the Key field.
    2. Enter the API key from your IdP in the Value field.
  9. Click Save.

(Optional) Use SAML authentication with Mobile Device Management (MDM)

MDM is required to use SAML authentication if you're using Splunk Enterprise.

Requirements and prerequisites

  • Use SSL protocol on Splunk Web and use a trusted certificate.
  • Make sure your Splunk platform instance is accessible from your user's mobile device browsers. If you're using Splunk Enterprise, VPN access is required. If you're using Splunk Cloud Platform, VPN is not required for SAML authentication.


Here's how to use MDM with SAML authentication:

  1. Set up SAML authentication. See Set up SAML authentication for Splunk Secure Gateway.
  2. Configure MDM. To configure MDM, see Set up MDM and in-app registration for the Connected Experiences apps.

For user log in steps, see Log in if your organization uses both SAML authentication and an MDM provider in the Use Splunk Cloud Gateway manual.

Last modified on 06 January, 2022

This documentation applies to the following versions of Splunk® Secure Gateway: 2.8.4 Cloud only, 2.9.1 Cloud only, 2.9.3 Cloud only, 2.9.4 Cloud only
