Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Configure RSA authentication from Splunk Web

1. In the Menu, select Settings > Users and Authentication > Access roles.

2. Click Authentication Method.

3. Under Multifactor Authentication, select RSA Security.

4. Click the Configure RSA Security link.

5. Provide the RSA Auth Manager REST service URL.

6. Provide the Access key.

7. Tell Splunk Enterprise how to authenticate users when RSA Authentication Manager is unavailable:

  • Let users login Users who have successfully logged into Splunk Web (i.e., primary authentication) can access Splunk Enterprise even if RSA authentication (i.e., secondary authentication) fails.
  • Do not let users login Users who have successfully logged into Splunk Web (i.e., primary authentication) cannot access Splunk Enterprise if RSA authentication (i.e., secondary authentication) fails.

10. Provide an error/diagnostic message. This is the message you display if an error occurs when authenticating with RSA Authentication Manager.

11. Provide a time limit, in seconds, for how long to attempt authentication before the connection times out.

12. Save your changes. You do not need to reload authentication for two-factor authentication to take effect.


Before logging out of the configuration session, perform configuration verification using the /services/admin/Rsa-MFA-config-verify endpoint. This prevents you from blocking your ability to log in if you misconfigure authentication settings. If you connect to this endpoint without entering the passcode, this test can serve as ping to ensure the services are running. Or, you can test the login for a user by including the username and passcode. For example, curl -k -u admin:changed123 -X POST https://localhost:8089/services/admin/Rsa-MFA-config-verify/rsa-mfa -d username=user1 -d passcode=11112222.

Last modified on 31 August, 2018
About multifactor authentication with RSA Authentication Manager   Configure Splunk Enterprise to use RSA Authentication Manager multifactor authentication via the REST endpoint

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters