Splunk® Secure Gateway

Administer Splunk Secure Gateway

Acrobat logo Download manual as PDF


Splunk Secure Gateway is a default enabled application that's included in Splunk Cloud version 8.1.2103 and Splunk Enterprise version 8.1.0 and higher. An admin must agree to the opt-in notice before using Splunk Secure Gateway. See Get started with Splunk Secure Gateway to get started.
Acrobat logo Download topic as PDF

How devices authenticate to your Splunk platform with SAML authentication

When performing Security Assertion Markup Language (SAML) authentication, Splunk Secure Gateway uses JSON Web Token (JWT) to securely authenticate mobile devices to your Splunk platform. To learn more about how JWT works and how to set up JWT, see Set up authentication with tokens in the Splunk Cloud Securing the Splunk Platform manual.

The following diagrams illustrate how mobile client devices authenticate to the Splunk platform through a supported identity provider (IdP). Splunk Secure Gateway performs validation and encryption. Spacebridge, a secure intermediary component, routes the credentials bundle back to the client device.

To learn about supported IdPs and how to set up SAML authentication for your Connected Experiences mobile app, see Set up SAML authentication for Splunk Secure Gateway.

SAML authentication with authentication code

This following diagram shows how a mobile client device authenticates to the Splunk platform using the authentication code provided in a Connected Experiences mobile app.

This diagram shows how a mobile device authenticates to the Splunk Platform using an IdP and the authentication code provided in a Connected Experiences mobile app.

  1. The user launches their Splunk platform instance in a web browser.
  2. Splunk Secure Gateway redirects to the IdP for login.
  3. The user logs in using the IdP.
  4. The IdP issues a short-lived session token.
  5. The user navigates to Splunk Secure Gateway.
  6. The user launches the mobile app on the client device.
  7. The client device sends the authentication and confirmation code to Spacebridge.
  8. The client device displays the auth code in the mobile app.
  9. The user enters the authentication code from the mobile app into Splunk Secure Gateway.
  10. Splunk Secure Gateway routes the authentication and confirmation code to Spacebridge.
  11. Spacebridge verifies the authentication code.
  12. The user checks if the confirmation code matches the one on the client device.
  13. Splunk Secure Gateway validates user credentials and the short-lived token.
  14. Splunk Secure Gateway requests a long-lived JWT from the Splunk platform.
    If the JWT expires, Splunk Secure Gateway disconnects the user. The client device automatically refreshes the JWT when the user attempts to log in again.
  15. The Splunk platform instance issues a JWT to Splunk Secure Gateway.
  16. Splunk Secure Gateway encrypts the JWT, JWT expiry date, username, encryption keys, and Secure Gateway ID.
  17. Spacebridge routes the JWT, JWT expiry date, username, encryption keys, and Secure Gateway ID back to the client device.

SAML authentication with hostname

This following diagram shows how a mobile client device authenticates to the Splunk platform using a hostname provided by a Splunk Cloud Platform admin.

To learn how an admin can provide a hostname in the form of a QR code to mobile app users, see Provide a QR code for SAML authentication log in with a hostname.

This diagram shows how a mobile device authenticates to the Splunk Platform using SAML authentication and a hostname provided by a Splunk Cloud Platform admin.

  1. The user launches the mobile app on the client device.
  2. The user enters the hostname provided by their admin in the mobile app.
  3. The client device sends an auth code and encryption keys to Spacebridge.
  4. The client device loads the SAML login page in a web browser with the authentication code passed in the URL.
  5. Splunk Secure Gateway redirects the user to the IdP for log in.
  6. The user logs in using the IdP.
  7. The IdP issues a short-lived session token and the user has access to the Splunk platform.
  8. The user is logged in and redirected back to Splunk Secure Gateway.
  9. Splunk Secure Gateway routes the authentication code to Spacebridge.
  10. Spacebridge receives and validates the authentication code.
  11. Splunk Secure gateway validates the user credentials and short-lived token.
  12. Splunk Secure Gateway requests a long-lived JWT from the Splunk platform.
    If the JWT expires, Splunk Secure Gateway disconnects the user. The client device automatically refreshes the JWT when the user attempts to log in again.
  13. The Splunk platform issues a JWT to Splunk Secure Gateway.
  14. Splunk Secure Gateway encrypts the JWT, JWT expiry date, username, encryption keys, and Secure Gateway ID.
  15. Spacebridge routes the JWT, JWT expiry date, username, encryption keys, and Secure Gateway ID back to the client device.

SAML authentication with MDM

The following diagram shows how a mobile client device authenticates to the Splunk platform with an IdP and Mobile Device Management (MDM) provider. When an admin sets up MDM, they generate an instance ID file that supports SAML authentication. To learn more about MDM, see About Mobile Device Management (MDM) and in-app registration.

Your Splunk platform instance must be accessible from the mobile browser of the device logging in to use SAML authentication with MDM. If your Splunk platform instance isn't accessible from the mobile browser of mobile devices that are logging in, you can use a different login method. See Log in to a Splunk platform instance in a Connected Experiences app.

This diagram shows how a mobile device authenticates to the Slunk Platform using an IdP, MDM provider, and the authentication code provided in a Connected Experiences mobile app.

  1. When a user launches a Connected Experiences app that supports SAML authentication, they select the SAML authentication login option.
  2. The client device generates and signs a public key with the MDM private key from the instance ID file.
  3. The client device loads a SAML login page in a webview.
  4. Splunk Secure Gateway redirects the user to their IdP to log in with their user credentials.
  5. The IdP issues a short-lived session token to Splunk Secure Gateway.
  6. The user is logged into the Splunk platform and redirected back to Splunk Secure Gateway.
  7. Splunk Secure Gateway validates the signature from the MDM private key.
  8. Splunk Secure Gateway validates the user credentials and short-lived session token.
  9. Splunk Secure Gateway requests a long-lived 30 day JWT from the Splunk platform.
    If the JWT expires, Splunk Secure Gateway disconnects the user. The client device automatically refreshes the JWT when the user attempts to register again.
  10. The Splunk platform issues a JWT to Splunk Secure Gateway.
  11. Splunk Secure Gateway encrypts the JWT with its own encryption key and the client device public key.
  12. Splunk Secure Gateway makes a request for the registration page with the JWT as its query parameter.
  13. The client device recognizes the request for the registration page, retrieves the JWT, and closes the web view.
  14. Spacebridge establishes a WebSocket connection between the client device and Splunk Secure Gateway.
  15. The client device returns the JWT through a WebSocket connection to Splunk Secure Gateway.
Last modified on 24 April, 2023
PREVIOUS
Set up SAML authentication for Splunk Mobile, Splunk AR, and other Connected Experiences apps
  NEXT
Troubleshoot SAML Authentication with the Connected Experiences apps

This documentation applies to the following versions of Splunk® Secure Gateway: 2.4.0, 2.0.2, 2.5.6 Cloud Only, 2.5.7, 2.6.3 Cloud only, 2.7.3 Cloud only, 2.7.4, 2.8.4 Cloud only, 2.9.1 Cloud only, 2.9.3 Cloud only, 2.9.4 Cloud only, 3.0.9, 3.1.2 Cloud only, 3.2.0 Cloud only, 3.3.0 Cloud only, 3.4.251, 3.5.15 Cloud only


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters