Best practices for using SAML as an authentication scheme for single-sign on
Following are some best practices to maintain a high level of security when you configure the Splunk platform to use Security Assertion Markup Language as an authentication scheme.
Many of these best practices work for both Splunk Cloud Platform and Splunk Enterprise. As a Splunk Cloud Platform user, you must open a support ticket to make changes to your instance with configuration files.
- Always enable TLS for Splunk Web. This ensures that all communications between your browser, your Splunk platform instance, and your identity provider (IdP) are secure.
- Enable authentication request signing to ensure that all SAML responses, for example Attribute Query Requests (AQR), assertions, and logout responses, are encrypted.
- For SAML responses from your IdP, use an SSL certificate chain, rather than a group of self-signed certificates.
- Configure your identity provider (IdP) to use the HTTP POST or redirect SAML bindings for SAML responses that the IdP sends to the Splunk platform. When you use HTTP redirect SAML bindings, the Splunk platform verifies the SAML response against the end-entity, or leaf, certificate that you installed on the instance. The Splunk platform does not perform certificate revocation list (CRL) validation during response verification.
- Make sure that any TLS certificates that you use are valid, and have not expired or been revoked.
- Configure user exclude lists to ensure that accounts in the exclude list cannot log in or remain logged in. You can do this with the `excludedUsers` setting in the authentication.conf configuration file:
  `excludedUsers = <comma-separated list>`, a list of user names from the SAML response that the Splunk platform is to exclude.
- Set a list of non-trusted users that are in control of IdP group names. For example, you can limit access by specifying that Splunk roles such as the `admin` and `power` roles are added to the auto-mapped rules section. You do this with the `excludedUsers` setting in the authentication.conf configuration file:
  `excludedUsers = <comma-separated list>`, a list of user names from the IdP response that the Splunk platform is to exclude.
- The Splunk platform supports auto-mapped roles by default. If the IdP returns Splunk roles in an assertion, the Splunk platform uses them. To turn off auto-mapping for roles, add the list of roles to the `excludedAutoMappedRoles` setting in the authentication.conf file:
  `excludedAutoMappedRoles = <comma-separated list>`, a list of Splunk roles from the IdP response that the Splunk platform should not auto-map.
- Do not assign the `admin` role to the `defaultRolesIfMissing` setting in the authentication.conf configuration file. The Splunk platform temporarily uses the `admin` role to send group information in the SAML assertion until the IdP is configured.
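The following is an added example, not code from Splunk or from this page. It puts a constructed "weak" authentication.conf fragment beside a constructed "hardened" one and runs a small linter over the `[saml]` stanza to check the settings the list above covers: `excludedUsers`, `excludedAutoMappedRoles` and `defaultRolesIfMissing`. The stanza name `[saml]`, the `entityId` setting and the `signAuthnRequest` boolean used for the request-signing check are assumptions of the example, not settings this page names; the user and role values are constructed.

```python
"""Lint the SAML stanza of a Splunk authentication.conf against the
best practices on this page. Added example; not Splunk's own code."""
import configparser
from typing import Dict, List

# Assumption: the SAML settings live in the [saml] stanza.
STANZA = "saml"

# Constructed "before" fragment: admin handed out by default, no exclude list,
# no roles kept out of auto-mapping, request signing off.
WEAK_CONF = """
[saml]
entityId = https://splunk.example.com
defaultRolesIfMissing = admin
signAuthnRequest = false
"""

# Constructed "after" fragment aligned with the best practices above.
HARDENED_CONF = """
[saml]
entityId = https://splunk.example.com
defaultRolesIfMissing = user
excludedUsers = svc-legacy, contractor-old
excludedAutoMappedRoles = admin, power
signAuthnRequest = true
"""


def _split_list(value: str) -> List[str]:
    """Split a comma-separated setting value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_conf(text: str) -> Dict[str, str]:
    """Return the [saml] stanza as a dict. Splunk .conf files are INI-like,
    so configparser is sufficient for this check."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(text)
    if not parser.has_section(STANZA):
        return {}
    return dict(parser.items(STANZA))


def lint_saml_stanza(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    if not conf:
        return [f"no [{STANZA}] stanza found"]
    findings: List[str] = []

    # Never fall back to admin for users the IdP sent no roles for.
    default_roles = _split_list(conf.get("defaultRolesIfMissing", ""))
    if "admin" in default_roles:
        findings.append("defaultRolesIfMissing grants the admin role")

    # Keep privileged roles out of automatic role mapping.
    excluded_roles = _split_list(conf.get("excludedAutoMappedRoles", ""))
    for role in ("admin", "power"):
        if role not in excluded_roles:
            findings.append(f"excludedAutoMappedRoles does not list {role}")

    # Maintain an exclude list so blocked accounts cannot log in.
    if not _split_list(conf.get("excludedUsers", "")):
        findings.append("excludedUsers is empty; no accounts are blocked")

    # Assumption: signAuthnRequest is the boolean that enables request signing.
    signing = conf.get("signAuthnRequest", "false").strip().lower()
    if signing not in ("true", "1"):
        findings.append("signAuthnRequest is not enabled")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_saml_stanza(text) or ["OK"])
```

Run it against a real file by reading the file contents into `lint_saml_stanza`; on Splunk Cloud Platform you would check the settings you requested in the support ticket rather than a local file.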
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0