Configure SAML SSO in the configuration files
This topic explains how to set up SSO for SAML v2 using configuration files:
web.confin Splunk Enterprise
- Configure your identity provider
- Secure your SAML configuration
Configure the following stanza in
[authentication] authSettings = saml_settings authType = SAML [roleMap_SAML] admin = Super Admin; power = Power Admin; user = <list roles> Admin;Employee; [saml_settings] entityId = <entityid> idpAttributeQueryUrl = <optional path to the Attribute query> https://your path/idp/attrsvc.ssaml2 idpCertPath = <path to the idp cert in Splunk> /home/user/splunk/saml-install/etc/auth/ping_idp.crt.> idpSSOUrl = <path to the sso url> https://your path/idp/SSO.saml2. idpSLOUrl = <Logout url. If not specified, this will be treated as a typical sso and the logout button will be disabled. https://your path/idp/SLO.saml2 # redirectPort=443 attributeQueryTTL = 3600 signAuthnRequest = true signedAssertion = true attributeQueryRequestSigned = <Set to true if using optional idpAttributeQuerySSL> attributeQueryResponseSigned = <Set to true if using optional idpAttributeQuerySSL> attributeQuerySoapPassword = <your password> attributeQuerySoapUsername = <your username>
Set up redirect binding for authentication request
Set the following stanzas with the (optional) attributes:
[saml] entityId = saml-test idpCertPath = idpCert.pem idpSLOUrl = https://example.onelogin.com/trust/saml2/http-redirect/slo/489976 idpSSOUrl = https://example.onelogin.com/trust/saml2/http-post/sso/489976 signAuthnRequest = true signedAssertion = false sloBinding = HTTPRedirect ssoBinding = HTTPRedirect [authentication] authSettings = saml authType = SAML [rolemap_SAML] admin = splunk_test [userToRoleMap_SAML] rgopalan = admin
configure single sign-on with Azure AD or ADFS
To configure single sign-on with Azure AD or ADFS, add the following additional attributes:
nameIDFormat = (optional) Specify the format of the subject that is returned in the SAML response. AzureAD returns a string to identify the subject and this attribute lets you optionally specify a different format (we recommend email address). This can be useful for auditing and saved searches. To specify email address as the format, use:
role = Populate this field if you use Azure AD for SSO or ADFS. This value tells Splunk Enterprise the attribute that supplies role information in the SAML response returned. For Azure AD, use:
mail = This value maps the alias to the user email addresses in the SAML response returned. For Azure AD, use:
realName = This tells Splunk Enterprise where to map the real name in the SAML response returned. For Azure AD use:
web.conf and optionally add a failure redirect address
Add the following values to your settings stanza in
[settings] appServerPorts = 7065 <make sure this attribute is enabled> ssoAuthFailureRedirect = http://10.140.31.19:7000/ui/en-us/account/sso_error <this is your custom user redirect for failed logins>
Configure session timeouts in Ping Identity
As a best practice, the session timeout in Splunk and on the IdP should be the same so that the sessions are invalidated simultaneously on Splunk and the IdP.
This means that if you configure
SessionNotOnOrafter (https://ping.force.com/Support/PingIdentityArticle?id=kA3400000008RdNCAU) you must configure the same timeouts in Splunk as follows:
- The attribute
- The attribure
If the value in
ui_inactivity_timeout is less than the session timeout configured on the IdP, the session in splunkd will expire but the user will be seamlessly logged back into the Splunk Software since the session is still valid on the IdP.
If the session timeout on the IdP is less than the one configured in Splunk, the user will be prompted for credentials when
ui_inactivity_timeout expires and user must re-authenticate with the IdP.
Configure your identity provider to support Splunk software metadata
Now you must configure your IdP to import Splunk software metadata. To import Splunk software metadata on your IdP, make sure that the
AuthnRequest signing and
AttributeQuery request signing setting is compatible on Splunk software and the IdP:
1. Export the IdP certificate onto a file in your Splunk software instance.
2. Make sure that
authentication.conf points to this certificate in the SAML configuration stanzas.
3. Import the Splunk software server certificate (
server.pem) into the IdP for signature verification.
Note that you can export Splunk software metadata using the
/saml/spmetadata endpoint on Splunk Web. You can also access the
SAML-sp-metadata endpoint on
Secure your SAML configuration
SAML attributequery service supports all of the standard SSL settings for Splunk Enterprise to perform TLS verification between Splunk Instance and SOAP instance providing AttributeQuery service.
In general, the following settings will work only for an IdP that supports attribute queries. However, the
sslPassword attributes will work for any IdPs.
authentication.conf to configure certificate authentication:
sslVersions = <recommended settings tls1.1 and tls1.2> sslCommonNameToCheck = <commonName> If this value is set, and 'sslVerifyServerCert' is set to true, splunkd will limit most outbound HTTPS connections to hosts which use a cert with this common name. If not set, Splunk uses the setting specified in server.conf. sslAltNameToCheck = <alternateName1>, <alternateName2> If this value is set, and 'sslVerifyServerCert' is set to true, splunkd will also be willing to verify certificates which have a so-called "Subject Alternate Name" that matches any of the alternate names in this list. If not set, Splunk uses the setting specified in server.conf. ecdhCurveName = <string> ECDH curve to use for ECDH key negotiation. If not set, Splunk uses the setting specified in server.conf. severCert = <server certificate file>. Certificates are auto-generated by splunkd upon starting Splunk but you can replace the default cert with your own PEM format file. Default is server.pem. If not set, Splunk uses the setting specified in server.conf. This setting is valid for all IdPs. sslPassword = <server certificate password> This setting is valid for all IdPs. caCertFile = <fPublic key of the signing authority, default is cacert.pem> If not set, Splunk uses the setting specified in server.conf. caPath = <path where all these certs are stored, the default is $SPLUNK_HOME/etc/auth> sslVerifyServerCert = [ true | false ] Used by distributed search: when making a search request to another server in the search cluster. If not set, Splunk uses the setting specified in server.conf.
Modify or remove role mappings
Troubleshoot SAML SSO
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12