Splunk® Enterprise

Securing Splunk Enterprise

SAML SSO best practices

  1. Always enable SSL for Splunk Web.
  2. Enable authentication request signing to make sure that all SAML responses, for example AQR, assertions, and logout responses, are signed.
  3. Set an Issuer ID in authentication.conf.
  4. Use Post binding for SAML responses sent by the IdP to the Splunk platform.
  5. For your SAML responses, use a certificate chain instead of self-signed certificates.
  6. Use Post and Redirect binding for SAML responses sent to the Splunk platform by the IdP. With redirect binding, the Splunk platform verifies the SAML response against the leaf certificate on disk. The Splunk platform does not perform CRL validation during response verification.
  7. Make sure that none of your certificates are expired or revoked.
  8. Set blacklisted users to ensure that accounts and users are unable to log in or remain logged in.
    blacklistedUsers = <Comma-separated list of user names from the response that should be blacklisted by the Splunk platform.>
    
  9. Set a blacklist of untrusted users who are in control of IdP group names. For example, you can limit access by specifying that Splunk roles such as admin and power are added to the auto-mapped rules section.
    blacklistedUsers = <Comma-separated list of user names from the IdP response that should be blacklisted by the Splunk platform.>
    
  10. The Splunk platform supports auto-mapped roles by default. If Splunk roles are returned in an assertion, the Splunk platform uses them. To turn off auto-mapping for roles, add the list of roles to the blacklistedAutoMappedRoles setting in authentication.conf.
    blacklistedAutoMappedRoles = <Comma-separated list of Splunk roles from the IdP response that should be prevented from being auto-mapped by the Splunk platform.>
    
  11. Do not assign the Admin role to the defaultRolesIfMissing setting. The Admin role is temporarily used to send group information in the SAML assertion until the IdP is configured.
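
The role-mapping and signing items above can be checked mechanically. The following audit script is an added example, not Splunk's own code or tooling. It assumes the SAML stanza is referenced through `authType` and `authSettings` in the `[authentication]` stanza and that request signing is controlled by `signAuthnRequest` (names not shown on this page; confirm them against the authentication.conf spec for your version), and it runs on a constructed sample configuration.

```python
import configparser

# Constructed sample; the stanza name "saml" and every value are made up.
SAMPLE_CONF = """
[authentication]
authType = SAML
authSettings = saml

[saml]
signAuthnRequest = false
blacklistedAutoMappedRoles = power
defaultRolesIfMissing = user, admin
"""

PRIVILEGED_ROLES = {"admin", "power"}  # the roles item 9 names as examples


def csv_set(stanza, key):
    """Read a comma-separated setting as a set of trimmed, lower-cased names."""
    return {v.strip().lower() for v in stanza.get(key, "").split(",") if v.strip()}


def audit_saml(conf_text):
    """Return a list of findings for the stanza that authSettings points at."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    auth = cp["authentication"] if cp.has_section("authentication") else {}
    if auth.get("authType", "").strip().upper() != "SAML":
        return ["authType is not SAML, nothing to audit"]
    name = auth.get("authSettings", "").strip()
    if not cp.has_section(name):
        return [f"authSettings names a missing stanza: [{name}]"]
    saml, findings = cp[name], []
    # Item 2: only an explicit "false" is flagged; an absent key is left alone.
    if saml.get("signAuthnRequest", "").strip().lower() == "false":
        findings.append("signAuthnRequest is disabled")
    # Items 9-10: privileged roles the IdP could still grant through auto-mapping.
    for role in sorted(PRIVILEGED_ROLES - csv_set(saml, "blacklistedAutoMappedRoles")):
        findings.append(f"role '{role}' is not in blacklistedAutoMappedRoles")
    # Item 11: the fallback role must not be admin (name spelled as on this page).
    if "admin" in csv_set(saml, "defaultRolesIfMissing"):
        findings.append("defaultRolesIfMissing includes admin")
    return findings


if __name__ == "__main__":
    for finding in audit_saml(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run it against a copy of your merged authentication.conf and treat any finding as a prompt to review the stanza, since the script does not check certificates, bindings, or SSL for Splunk Web.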

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1

