Splunk® Secure Gateway

Administer Splunk Secure Gateway



Splunk Secure Gateway is an application that's enabled by default and included in Splunk Cloud version 8.1.2103 and Splunk Enterprise version 8.1.0 and higher. An admin must agree to the opt-in notice before using Splunk Secure Gateway. To get started, see Get started with Splunk Secure Gateway.

Set up SAML authentication for Splunk Secure Gateway

Secure your Connected Experiences mobile app deployment with Security Assertion Markup Language (SAML) authentication. You can set up SAML authentication for your users if you're using a supported identity provider (IdP), Splunk platform version, and login method.

If you're using Splunk Cloud Gateway, see Set up SAML authentication for Splunk Cloud Gateway.

For user login steps, see Log in if your organization uses an SSO provider in the Use Splunk Secure Gateway manual.

Requirements

Enable token authentication, and use a supported IdP, Splunk platform version, and login method.

Enable token authentication

To use SAML authentication, you must enable token authentication. Enable token authentication in Settings > Tokens > Enable token authentication in Splunk Web.

Supported IdPs

Splunk Secure Gateway works with any identity provider (IdP) that supports Attribute Query Request (AQR). The following have been tested and verified as compatible:

  • Ping Identity
  • IBM
  • CA Single Sign-on
  • Shibboleth

Splunk Secure Gateway also supports Okta and Azure if you set up scripted authentication.

Supported Splunk platform versions and login methods

Splunk Secure Gateway supports SAML authentication with Splunk Enterprise version 8.1.0 or higher using the authentication code or in-app login with MDM methods.

To view other user login methods, see Log in to a Splunk platform instance in a Connected Experiences app.

Use an IdP that supports AQR

Check whether your IdP supports AQR. Splunk Cloud Gateway doesn't require scripted authentication with IdPs that support AQR.

To use one of these IdPs, enter the IdP's AQR information in Settings > Authentication Methods > SAML Settings > SAML configuration in Splunk Web.

These IdPs don't require any additional configuration other than entering the AQR information in Splunk Web. If you're using Okta or Azure, set up scripted authentication.

Use Okta or Azure

To use Okta or Azure, you must configure Splunk Cloud to use SAML for authentication tokens. See Configure Splunk Cloud to use SAML for authentication tokens in the Splunk Cloud Admin Manual to learn how.

Use an IdP that isn't immediately supported

Set up scripted authentication if you're using an IdP that isn't supported out of the box. First, write a script for SAML authentication. Then, set up scripted authentication for SAML in Splunk Web.

See Create the authentication script for more information about setting up scripted authentication.

Prerequisites

  • Have the admin role.
  • Obtain an API key value from your IdP.
  • Obtain the base URL for your IdP from your IdP.

Write a script for SAML authentication

You can view sample Okta and Azure scripts in $SPLUNK_HOME/share/splunk/authScriptSamples. In the script, define your IdP's base URL and an API key name.

Save the script as a Python file to $SPLUNK_HOME/etc/auth/scripts.

The following example script shows how to set up SAML authentication with Okta:

from commonAuth import *
import sys
import requests
import json

BASE_URL = '<your base URL for your IdP>'

def getUserInfo(args):
    # Extract the Okta API key that is stored in authentication.conf under scriptSecureArguments.
    API_KEY = args['<API key name>']
    API_KEY_HEADER = 'SSWS ' + API_KEY
    OKTA_HEADERS = {'Accept': 'application/json', 'Content-Type': 'application/json', 'Authorization': API_KEY_HEADER}

    # Build the Okta API URLs for the user and for the user's groups.
    usernameStr = args['username']
    nameUrl = BASE_URL + '/api/v1/users/' + usernameStr
    groupsUrl = nameUrl + '/groups'

    # A request timeout keeps a slow IdP from hanging the script.
    nameResponse = requests.request('GET', nameUrl, headers=OKTA_HEADERS, timeout=10)
    groupsResponse = requests.request('GET', groupsUrl, headers=OKTA_HEADERS, timeout=10)

    # Report failure to Splunk if either lookup did not succeed.
    if groupsResponse.status_code != 200 or nameResponse.status_code != 200:
        print(FAILED)
        return

    # The real name is the first and last name from the user's profile.
    nameAttributes = json.loads(nameResponse.text)
    realNameString = nameAttributes['profile']['firstName'] + ' ' + nameAttributes['profile']['lastName']

    # Roles are the user's group names, separated by ':'.
    groupAttributes = json.loads(groupsResponse.text)
    roleString = ':'.join(group['profile']['name'] for group in groupAttributes)

    # Output format: <status> --userInfo=<username>;<real name>;<role>:<role>
    fullString = SUCCESS + ' ' + '--userInfo=' + usernameStr + ';' + realNameString + ';' + roleString
    print(fullString)

if __name__ == "__main__":
    # Splunk passes the function name as the first argument and the inputs on stdin.
    callName = sys.argv[1]
    dictIn = readInputs()

    if callName == "getUserInfo":
        getUserInfo(dictIn)
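
The sample script places the username directly in the request URL and joins IdP-supplied names with the ; and : characters that delimit the --userInfo line. The following added example (not part of the Splunk sample scripts; the username pattern, helper names, and sample data are assumptions) validates the username before building the URLs and skips any group name that would be read as more than one role.

```python
import re
from urllib.parse import quote

# Assumption: logins are e-mail style or short IDs; adjust the pattern for your IdP.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@+-]{1,128}")
DELIMS = ";:"  # ';' separates --userInfo fields, ':' separates roles


def user_urls(base_url, username):
    """Build the user and groups URLs, refusing names that could change the path."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("unexpected characters in username")
    user_url = base_url.rstrip("/") + "/api/v1/users/" + quote(username, safe="")
    return user_url, user_url + "/groups"


def clean(value):
    """Drop delimiter and non-printable characters from a display value."""
    return "".join(c for c in str(value) if c not in DELIMS and c.isprintable()).strip()


def format_user_info(username, user, groups):
    """Return the --userInfo argument, or None when the script should print FAILED."""
    if not USERNAME_RE.fullmatch(username):
        return None
    try:
        profile = user["profile"]
        real_name = clean(profile["firstName"] + " " + profile["lastName"])
        names = [g["profile"]["name"] for g in groups]
    except (KeyError, TypeError):
        return None  # the IdP response lacks a field the script relies on
    # Skip, rather than rewrite, a group whose name would split into extra roles.
    roles = [n for n in names if isinstance(n, str) and n and clean(n) == n]
    if not roles:
        return None
    return "--userInfo=" + username + ";" + real_name + ";" + ":".join(roles)


# Constructed sample data in the shape the script reads (not real IdP output).
SAMPLE_USER = {"profile": {"firstName": "Ana", "lastName": "Ruiz;x"}}
SAMPLE_GROUPS = [
    {"profile": {"name": "splunk_user"}},
    {"profile": {"name": "ops:admin"}},
    {"profile": {"name": "Everyone"}},
]

if __name__ == "__main__":
    print(user_urls("https://idp.example.com/", "ana@example.com"))
    print(format_user_info("ana@example.com", SAMPLE_USER, SAMPLE_GROUPS))
```
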

Set up scripted authentication with SAML in Splunk Web

After creating your script, set up scripted authentication with SAML in Splunk Web.

  1. In Splunk Web, navigate to Settings > Authentication Methods.
  2. Click SAML Settings.
  3. Click SAML Configuration.
  4. Click Authentication Extensions.
  5. In the Script Path field, enter the name of your authentication script.
  6. Set the script timeout and the Get User Info time-to-live. The recommended value is 3600s.
  7. In the Script Functions field, enter getUserInfo.
  8. In the Script Secure Arguments section, enter the following information:
    1. Enter the API key name from your authentication script in the Key field.
    2. Enter the API key from your IdP in the Value field.
  9. Click Save.

(Optional) Use SAML authentication with Mobile Device Management (MDM)

MDM is required to use SAML authentication if you're using Splunk Enterprise. To use SAML authentication with Mobile Device Management (MDM), first set up SAML authentication and then configure MDM. To configure MDM, see Set up MDM and in-app log in for iOS devices or Set up MDM and in-app log in for Android devices.

To use SAML with an MDM provider, you must use the SSL protocol on Splunk Web and use a trusted certificate.

If you're already using MDM and would like to use SAML authentication, complete the following steps:

  1. Set up SAML authentication. See Set up SAML authentication for Splunk Secure Gateway.
  2. In the Configure tab of Splunk Cloud Gateway, click Get Existing Instance ID File. Do this for all the instances that you're using with the Connected Experiences apps. You don't need to generate a new instance ID file.
  3. Upload the file to your MDM provider.

For user login steps, see Log in if your organization uses both SAML authentication and an MDM provider in the Use Splunk Cloud Gateway manual.

Last modified on 30 August, 2021

This documentation applies to the following versions of Splunk® Secure Gateway: 2.4.0, 2.0.2, 2.5.6, 2.6.3, 2.7.3

