Secure SSO with TLS certificates
Configure the following SSL settings to enable Splunk Enterprise to perform TLS verification between Splunk Instance and the SOAP instance providing AttributeQuery
service.
Unless noted, values not set default to the setting specified in server.conf
.
[<saml-authSettings-key>] sslVersions = <Comma-separated list of SSL versions to support> sslCommonNameToCheck = <commonName> When populated, and sslVerifyServerCert is "true", splunkd limits most outbound HTTPS connections to hosts which use a cert with this common name. sslAltNameToCheck = <alternateName1>, <alternateName2>, ...If set, and sslVerifyServerCert' is "true", splunkd can verify certificates with "Subject Alternate Name" that matches any of the is alternate names in this list. ecdhCurveName = <ECDH curve to use for ECDH key negotiation> serverCert = <Server certificate file> Default certificates, "sever.pem" are auto-generated by splunkd upon starting Splunk, you may replace the default cert with your own PEM format file. sslPassword = <Server certificate password> caCertFile = <Public key of the signing authority> The default value is cacert.pem caPath = <Path where all these certs are stored>. Default value is $SPLUNK_HOME/etc/auth sslVerifyServerCert = [ true | false ] If true, distributed search makes a search request to another server in the search cluster. blacklistedAutoMappedRoles = <comma separated list of roles> Optionally provide a comma-separated list of Splunk roles that you do not want Splunk to auto-map if received in the IDP Response. blacklistedUsers = <comma separated list of user names> Optionally provide a comma-separated list of user names that Splunk must reject from the IDP response. nameIdFormat = <string> Optionally, and If supported by IDP, specify the format of the Subject returned in the SAML Assertion. ssoBinding = <HTTPPost | HTTPRedirect> Optionally specify the binding to use when making a SP-initiated SAML request. The binding must match the one configured on the IDP. sloBinding = < <HTTPPost | HTTPRedirect> > Optionally specify the binding to use when making a logout request or sending a logout response to complete the logout workflow. The binding must match the one configured on the IDP. signatureAlgorithm = <RSA-SHA1 | RSA-SHA256> Optionally specify the signature algorithm to user for a SP-initiated SAML request. 'signedAuthnRequest' must be set to true for this setting to take effect. The algorithm applies to both the http post and redirect binding. inboundSignatureAlgorithm = <RSA-SHA1;RSA-SHA256,...> Optionally provide a semicolon-separated list of signature algorithms that are accepted in SAML responses. This setting affects both HTTP POST and HTTP Redirect binding. replicateCertificates = <boolean> Optionally specify the IdP certificate files to replicate across search head cluster setup. Search head clustering must also be enabled. If certificate replication is not enabled, IdP certificate files must be replicated manually across SHC or verification of SAML signed assertions fails.
Configure SSO in Computer Associates (CA) SiteMinder | Configuring SAML in a search head cluster |
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
Feedback submitted, thanks!