Splunk® Enterprise

Securing Splunk Enterprise

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Secure SSO with TLS certificates

Configure the following SSL settings to enable Splunk Enterprise to perform TLS verification between Splunk Instance and the SOAP instance providing AttributeQuery service.

Unless noted, values not set default to the setting specified in server.conf.

[<saml-authSettings-key>]

sslVersions = <Comma-separated list of SSL versions to support>

sslCommonNameToCheck = <commonName> When populated, and 
sslVerifyServerCert is "true", splunkd limits most outbound HTTPS 
connections to hosts which use a cert with this common name. 

sslAltNameToCheck = <alternateName1>, <alternateName2>, ...If set, and 
sslVerifyServerCert' is "true", splunkd can verify certificates with 
"Subject Alternate Name" that matches any of the is alternate names in 
this list.

ecdhCurveName = <ECDH curve to use for ECDH key negotiation> 

serverCert = <Server certificate file> Default certificates, "sever.pem" are 
auto-generated by splunkd upon starting Splunk, you may replace the 
default cert with your own PEM format file.

sslPassword = <Server certificate password>

caCertFile = <Public key of the signing authority> The default value is cacert.pem 

caPath = <Path where all these certs are stored>. Default value is 
$SPLUNK_HOME/etc/auth

sslVerifyServerCert = [ true | false ] If true, distributed search makes a search 
request to another server in the search cluster. 

blacklistedAutoMappedRoles = <comma separated list of roles> Optionally provide a 
comma-separated list of Splunk roles that you do not want Splunk to auto-map if
received in the IDP Response.

blacklistedUsers = <comma separated list of user names> Optionally provide a
comma-separated list of user names that Splunk must reject from the IDP response.

nameIdFormat = <string> Optionally, and If supported by IDP,  specify the format of
the Subject returned in the SAML Assertion. 

ssoBinding = <HTTPPost | HTTPRedirect> Optionally specify the binding to use
when making a SP-initiated SAML request. The binding must match the one
configured on the IDP.

sloBinding = < <HTTPPost | HTTPRedirect> > Optionally specify the binding to
use when making a logout request or sending a logout response to complete 
the logout workflow. The binding must match the one configured on the IDP.

signatureAlgorithm = <RSA-SHA1 | RSA-SHA256> Optionally specify the signature
algorithm to user for a SP-initiated SAML request. 'signedAuthnRequest' must 
be set to true for this setting to take effect. The algorithm applies to both the  
http post and redirect binding.

inboundSignatureAlgorithm = <RSA-SHA1;RSA-SHA256,...> Optionally provide a 
semicolon-separated list of signature algorithms that are accepted in SAML 
responses. This setting affects both HTTP POST and HTTP Redirect binding.

replicateCertificates = <boolean> Optionally specify the IdP certificate files to 
replicate across search head cluster setup. Search head clustering must also 
be enabled. If certificate replication is not enabled, IdP certificate files must be 
replicated manually across SHC or verification of SAML signed assertions fails.

Last modified on 09 June, 2020
PREVIOUS
Configure SSO in Computer Associates (CA) SiteMinder
  NEXT
Configuring SAML in a search head cluster

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters