About multifactor authentication with RSA Authentication Manager
Multifactor authentication allows you to configure a primary and secondary login for your Splunk Enterprise users. You can configure multifactor authentication using RSA Authentication Manager for Splunk Web, REST endpoints, and CLI. Multifactor authentication secures the Splunk Enterprise web (8000) and management (8089) ports. After multifactor authentication is configured, the user enters a passcode to log in. The passcode is a combination of the user's authentication PIN and the RSA-generated tokencode. For example, if the user's PIN is 1111 and RSA generates a tokencode of 2222, the passcode is 11112222. The tokencode may be generated from an RSA key fob or a mobile/desktop application.
You need to have configured your RSA Authentication Manager before you attempt to configure RSA authentication on your Splunk Enterprise installation.
You need to have the
change_authentication capability to configure multifactor authentication with RSA Authentication Manager.
You cannot configure multifactor authentication in the following circumstances:
- REST endpoints authenticate via
- You have a configuration where there is a distributed search without index clustering where peers are added to the
distsearch.conffile by entering the credentials of an admin user on the indexer. This is a one-time operation that is needed to push the search head's public key to the indexer.
How multifactor authentication works with other forms of authentication
Note that you cannot use any form of multifactor authentication with SSO or SAML authentication. Multifactor authentication works with the following sources of authentication:
- Native authentication
- Scripted authentication
Configure Duo multifactor authentication for Splunk Enterprise in the configuration file
Configure RSA authentication from Splunk Web
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1