Splunk® Enterprise

Securing Splunk Enterprise


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

About Single Sign-On

Splunk SSO allows you to use a web proxy to handle Splunk authentication, meaning that once the user has logged into their proxy, they can seamlessly access Splunk Web (and presumably any other applications configured to your proxy).

The Splunk Enterprise SSO implementation supports logging into Splunk Enterprise via Splunk Web only. Since SSO relies on cookies to save authentication information, SSO cannot be used for CLI authentication to Splunk Enterprise. Invoking https://localhost:8089 (or the assigned management port) still requires independent authentication.

To utilize SSO, you need the following:

  • A Proxy Server (Splunk Enterprise supports IIS or Apache).
  • An LDAP Server or other external authentication system.
  • A working Splunk Enterprise configuration.

For more information about how to configure these items and set up SSO, see Configure Single Sign-On.

How it works

When Splunk Web SSO is properly configured, Splunk administrators and users invoke Splunk Web via a proxy URL that is deployed with Splunk Web. The proxy authenticates the incoming request against your authentication system. Upon successful authentication the proxy sets a request header with the authenticated identity’s attribute and sends this information to Splunk Enterprise.

Splunk Enterprise accepts the incoming HTTP request from the proxy, and if Splunk Enterprise recognizes the user contained in the header, the user bypasses the login page and is automatically authorized.

For successful single sign-on, all requests from the proxy to Splunk Web must include this authenticated header. If the header is not included in a request, then the user is returned to the login page or an error page, depending on your configuration. Splunk continues using this authenticated header until the identity closes the browser session.

How Splunk processes the proxy request

When the proxy server makes a request to Splunk Web, Splunk Web looks to the trustedIP value in web.conf to verify that the proxy's IP is on the trusted IP list.

If the IP is not trusted, the request is rejected and the sign-on attempt fails. If the IP address is trusted, then Splunk Web queries for the identity in the request header and sends splunkd an authorization request containing that header information.

Upon receiving the authorization request from Splunk Web, splunkd verifies whether the incoming IP address of the client (usually Splunk Web) matches the value of the trustedIP property of the server.conf file.

If the IP address is not in the trustedIP list, the request is rejected and the sign-on attempt fails. The user is either returned to a login page or shown an error page, depending upon your SSOMode configuration in web.conf. For more on this attribute and other configuration information, see Configure Splunk Single Sign-On.

If the IP is trusted, then splunkd uses the information contained in the request header and conducts the authorization process.

High-level overview of single sign-on

How Splunk authorizes the user

Splunk first checks to see if the given identity and role matches any of the users in your Splunk native user configuration. If Splunk fails to find a match there, it looks to see if there are any LDAP matches. (For information about how Splunk authenticates users, see Set up user authentication with LDAP in this manual.)

If no match is found and the user contained in the header cannot be authorized, then the browser redirects to an error page.

If a match is found, Splunk authorizes the user and checks to see if an existing session is present. If a session already exists, Splunk uses that session identifier and creates the necessary cookies to allow the user access to Splunk Web. If a session does not exist, then Splunk creates a new session as well as the necessary cookies for Splunk Web authorization.

Once the cookies are created, Splunk Web resumes its normal flow. Any subsequent access to Splunk via the proxy URL does not require re-authorization as long as the request header contains the trusted identity and until the user closes the browser session.
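The request handling and authorization steps above can be traced in a small model. This is an added example, not Splunk code: the function and class names, the REMOTE_USER header name, the sample addresses and users, and the mapping of permissive mode to the login page and strict mode to the error page are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class SsoConfig:
    web_trusted_ips: set              # trustedIP in web.conf: the proxy's address
    splunkd_trusted_ips: set          # trustedIP in server.conf: Splunk Web's address
    sso_mode: str = "strict"          # SSOMode in web.conf
    header_name: str = "REMOTE_USER"  # assumed name of the identity header
    native_users: set = field(default_factory=set)  # constructed sample users
    ldap_users: set = field(default_factory=set)

def rejected(cfg):
    # Assumption: permissive mode falls back to the login page, strict shows an error.
    return ("login_page" if cfg.sso_mode == "permissive" else "error_page", None)

def process_request(cfg, proxy_ip, splunkweb_ip, headers, sessions):
    """Return (outcome, session_id) for one request arriving at Splunk Web."""
    # 1. Splunk Web: the sender must be on web.conf's trustedIP list, otherwise
    #    the identity header is never read, whatever it claims.
    if proxy_ip not in cfg.web_trusted_ips:
        return rejected(cfg)
    identity = headers.get(cfg.header_name)
    if not identity:                  # every proxied request must carry the header
        return rejected(cfg)
    # 2. splunkd: the caller (usually Splunk Web) must match server.conf's trustedIP.
    if splunkweb_ip not in cfg.splunkd_trusted_ips:
        return rejected(cfg)
    # 3. Authorization: native Splunk users first, then LDAP.
    if identity in cfg.native_users:
        source = "native"
    elif identity in cfg.ldap_users:
        source = "ldap"
    else:
        return ("error_page", None)   # header names a user Splunk cannot authorize
    # 4. Reuse the identity's existing session or create a new one.
    if identity not in sessions:
        sessions[identity] = secrets.token_hex(16)
    return ("authorized:" + source, sessions[identity])

if __name__ == "__main__":
    cfg = SsoConfig({"10.0.0.5"}, {"127.0.0.1"}, native_users={"admin"}, ldap_users={"alice"})
    sessions = {}
    print(process_request(cfg, "10.0.0.5", "127.0.0.1", {"REMOTE_USER": "alice"}, sessions))
    # Same kind of header sent from an address that is not the proxy:
    print(process_request(cfg, "192.0.2.77", "127.0.0.1", {"REMOTE_USER": "admin"}, sessions))
```

The second call is rejected before the header is read, which is why the trustedIP lists should contain only the proxy's and Splunk Web's own addresses: the header is honored from any address on those lists.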


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15


To quote the article: "Splunk first checks to see if the given identity and role matches any of the ...".

Question: Where does that "given ... role" come from?

April 8, 2015

Is support for SAML SSO in the roadmap?

October 9, 2014

It has been a year and a half since the original poster's question about SAML and SSO -- anything new to report on this? Is SAML and SSO supported now in v6.1.3?

September 25, 2014

Hi there,

Thanks for your question. At this time Splunk does not support SAML for SSO. You might find the following blog entry interesting if you are still planning to work with it anyway:

http://blogs.splunk.com/2013/03/28/splunkweb-sso-samlv2/

Jworthington splunk
September 17, 2013

Any word on when Splunk will support SAML or other SSO standards?

February 27, 2013
