SAML SSO best practices
- Always enable SSL for Splunk Web.
- Enable authentication request signing to make sure that all SAML responses, for example AQR, assertions, and logout responses, are signed.
- Set an
- Use Post binding for SAML responses sent by the IdP to the Splunk platform.
- For your SAML responses, use a certificate chain instead of self-signed certificates.
- Use Post and Redirect binding for SAML responses sent to the Splunk platform by the IdP. With redirect binding, the Splunk platform verifies the SAML response against the leaf certificate on disk. The Splunk platform does not perform CRL validation during response verification.
- Make sure that none of your certificates are expired or revoked.
- Set blacklisted users to ensure that accounts and users are unable to log in or remain logged in.
blacklistedUsers = <Comma-separated list of user names from the response that should be blacklisted by the Splunk platform.>
- Set blacklist of untrusted users that are in control of IdP group names. For example, you can limit access by specifying that Splunk roles such as admin and power are added to auto-mapped rules section.
blacklistedUsers = <Comma-separated list of user names from the IDP response that should be blacklisted by the Splunk platform.>
- The Splunk platform supports auto-mapped roles by default. If Splunk roles are returned in an assertion, the Splunk platform uses them. To turn off auto-mapping for roles, add the list of roles to the
blacklistedAutoMappedRoles = <Comma separated list of Splunk roles from the IDP Response that should be prevented from being auto-mapped by the Splunk platform.>
- Do not assign the
defaultRolesIfMissingsetting. The Admin role is temporarily used to send group information in the SAML assertion until the IdP is configured.
Configure SAML SSO in the configuration files
Troubleshoot SAML SSO
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2