Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

About multifactor authentication with Duo Security

Multifactor authentication lets you configure a primary and secondary login for Splunk Enterprise users. Duo Security multifactor authentication secures Splunk Web logins on Splunk Enterprise instances.

Splunk Cloud Platform does not support multifactor authentication with Duo Security.

When Duo Security multifactor authentication is enabled on Splunk Enterprise, you must set up a second authentication method and then use that method for future logins. The login workflow is as follows:

  1. You log in to Splunk Web using your login credentials. This is the primary login.
  2. You then see a second login page, "Duo Authentication". This is the secondary login.
  3. The first time you log in, you follow the instructions on the Duo login page to set up your preferred method for accessing your secondary credentials:
    • Log in with credentials sent through a push notification on your smartphone (Duo Security Mobile app required).
    • Log in with credentials sent through an SMS message to your cell phone.
    • Log in with credentials sent through a phone call made to your cell phone.
    • Log in by entering a one-time code that the Duo Mobile app generates.
  4. After the initial login and configuration, every time you reach the secondary login, you receive those login credentials using your preferred method.

Duo Traditional Prompt and Universal Prompt

The Traditional Prompt is the default authentication experience for Duo Security users when they log in to Splunk Enterprise. The Universal Prompt is a more secure and advanced authentication experience than the Traditional Prompt. It supports advanced authentication features like Verified Duo Push, Risk-Based Authentication, and Passwordless login, which streamline the experience for end users and administrators. To learn about the Universal Prompt, see "About the Duo Universal Prompt" on the Duo website.

If you use the Traditional Prompt for Duo multifactor authentication, upgrade Splunk Enterprise on-premises to version 9.1.6, 9.1.7, 9.2.3, 9.3.1, or higher. These versions support the Duo Universal Prompt. Next, migrate from the Traditional Prompt to the Universal Prompt. Because the Traditional Prompt is deprecated, continued use of it might result in authentication failures in the future. Versions 9.2.0, 9.2.1, 9.2.2, and 9.3.0 do not support the Duo Universal Prompt.
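The version list above can be turned into a fleet check. The following is an added example, not code from Splunk or Duo: it flags instances that must be upgraded before migrating to the Universal Prompt. It assumes "or higher" means later patch releases within the 9.1, 9.2 and 9.3 branches plus any newer branch, and that branches older than 9.1 lack support; the host names and inventory are constructed.

```python
import re

# Minimum patch release per branch, taken from the versions listed on this page.
# Assumption: later patch releases on the same branch also support Universal Prompt.
MIN_PATCH = {(9, 1): 6, (9, 2): 3, (9, 3): 1}
NEWEST_LISTED_BRANCH = max(MIN_PATCH)


def parse_version(text):
    """Parse 'major.minor.patch' (extra components ignored) into a tuple of ints."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*", text)
    if not m:
        raise ValueError(f"not a Splunk version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def supports_universal_prompt(version):
    """True if this Splunk Enterprise version supports the Duo Universal Prompt."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in MIN_PATCH:
        return patch >= MIN_PATCH[branch]
    # Assumption: branches newer than 9.3 count as "higher"; older ones do not.
    return branch > NEWEST_LISTED_BRANCH


def audit(inventory):
    """Return (host, version, action) for every instance that needs attention."""
    findings = []
    for host, version in inventory:
        try:
            if not supports_universal_prompt(version):
                findings.append((host, version, "upgrade"))
        except ValueError:
            # Never treat an unknown version as compliant.
            findings.append((host, version, "unparseable"))
    return findings


# Constructed sample inventory (hypothetical hosts), e.g. exported from a CMDB.
SAMPLE_INVENTORY = [("sh01", "9.1.7"), ("sh02", "9.2.1"), ("sh03", "9.3.0"),
                    ("sh04", "9.3.1"), ("sh05", "unknown")]

if __name__ == "__main__":
    for host, version, action in audit(SAMPLE_INVENTORY):
        print(f"{host}: {version} -> {action}")
```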

Set up Duo Security for multifactor authentication

  1. Create an account for your Splunk Enterprise configuration on the Duo website. Visit the Duo website for more information on how to create accounts in Duo.
  2. Provide Splunk Enterprise with the information from your Duo Security account. See Configure Splunk to use Duo Security multifactor authentication for more information.
Last modified on 12 September, 2024

This documentation applies to the following versions of Splunk® Enterprise: 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.3.0

