Splunk® Enterprise

Securing Splunk Enterprise



Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Best practices for using SAML as an authentication scheme for single-sign on

Following are some best practices to ensure that you have the most secure experience when you configure the Splunk platform to use Security Assertion Markup Language as an authentication scheme.

Many of these best practices work for both Splunk Cloud Platform and Splunk Enterprise. As a Splunk Cloud Platform user, you must open a support ticket to make changes to your instance with configuration files.

  1. Always enable SSL for Splunk Web. This ensures that all communications between your browser, your Splunk platform instance, and your identity provider (IdP) are secure.
  2. Enable authentication request signing to ensure that all SAML responses, for example Attribute Query Requests (AQR), assertions, and logout responses, are encrypted.

  3. For SAML responses from your IdP, use an SSL certificate chain, rather than a group of self-signed certificates.
  4. Configure your identity provider (IdP) to use HTTP POST or redirect binding for SAML responses that the IdP sends to the Splunk platform. With redirect binding active, the Splunk platform verifies the SAML response against the end-entity, or leaf, certificate that you installed on the instance. The Splunk platform does not perform certificate revocation list (CRL) validation during response verification.

  5. Make sure that all of your certificates are valid, and have not expired or been revoked.
  6. Configure user exclude lists to ensure that accounts in the exclude list cannot log in or remain logged in. You can do this with the authentication.conf configuration file.
    excludedUsers = <comma-separated list of user names from the response that the Splunk platform is to exclude>
    
  7. Set a list of non-trusted users who are in control of IdP group names. For example, you can limit access by specifying that Splunk roles such as admin and power are added to the auto-mapped rules section. You do this in the authentication.conf configuration file.
    excludedUsers = <Comma-separated list of user names from the IdP response that the Splunk platform is to exclude>
    
  8. The Splunk platform supports auto-mapped roles by default. If the IdP returns Splunk roles in an assertion, the Splunk platform uses them. To turn off auto-mapping for roles, add the list of roles to the excludedAutoMappedRoles setting in authentication.conf.
    excludedAutoMappedRoles = <Comma-separated list of Splunk roles from the IdP response that should be prevented from being auto-mapped by the Splunk platform.>
    
  9. Do not assign the admin role to the defaultRolesIfMissing setting in the authorize.conf configuration file. The Splunk platform temporarily uses the admin role to send group information in the SAML assertion until the IdP is configured.
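The following is an added worked example, not Splunk code and not part of this topic as published. It parses a constructed authentication.conf fragment and applies the rules from items 6 to 9 to a constructed set of SAML assertion attributes: an excluded user is refused, roles listed in excludedAutoMappedRoles are dropped before auto-mapping, and a login that ends up with no mapped roles falls back to defaultRolesIfMissing. The stanza names ([authentication] and [saml]), the placement of defaultRolesIfMissing in the same stanza, and the exact fallback semantics of that setting are assumptions made for the example; the page itself names the setting in authorize.conf. The audit function only checks what the text recommends: no admin in defaultRolesIfMissing, and admin and power kept out of auto-mapping.

```python
"""Apply the SAML exclusion and auto-mapping rules from items 6-9 to a
constructed authentication.conf stanza and constructed assertion attributes.

Added example; not Splunk's own code. Stanza layout and the fallback
behaviour of defaultRolesIfMissing are assumptions, labelled below.
"""
import configparser
import io

# Constructed sample. The setting names are the ones the text uses; the
# stanza names and the placement of defaultRolesIfMissing are assumptions.
SAMPLE_CONF = """
[authentication]
authType = SAML
authSettings = saml

[saml]
excludedUsers = svc-backup, contractor1
excludedAutoMappedRoles = admin, power
defaultRolesIfMissing = user
"""


def parse_conf(text):
    """Parse Splunk-style .conf text (INI syntax) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive, as Splunk does
    cp.read_file(io.StringIO(text))
    return {name: dict(cp[name]) for name in cp.sections()}


def split_list(value):
    """Turn a comma-separated setting value into a list of non-empty, stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def evaluate_login(stanza, username, idp_roles):
    """Decide one SAML login against the stanza.

    Returns (allowed, effective_roles, reason). Role and user names are
    compared case-sensitively.
    """
    excluded_users = set(split_list(stanza.get("excludedUsers", "")))
    excluded_roles = set(split_list(stanza.get("excludedAutoMappedRoles", "")))
    default_roles = split_list(stanza.get("defaultRolesIfMissing", ""))

    # Item 6: a user on the exclude list cannot log in, whatever the IdP returns.
    if username in excluded_users:
        return False, [], "user is in excludedUsers"

    # Item 8: roles in the assertion are auto-mapped, minus the excluded ones.
    mapped = [r for r in idp_roles if r not in excluded_roles]
    dropped = [r for r in idp_roles if r in excluded_roles]

    # Assumed semantics: with no mapped roles, fall back to defaultRolesIfMissing.
    if not mapped:
        if default_roles:
            return True, list(default_roles), "no mapped roles; used defaultRolesIfMissing"
        return False, [], "no mapped roles and no default roles"

    reason = "auto-mapped" + (f"; dropped {dropped}" if dropped else "")
    return True, mapped, reason


def audit_stanza(stanza):
    """Return findings where the stanza departs from items 7-9 of the text."""
    findings = []
    default_roles = split_list(stanza.get("defaultRolesIfMissing", ""))
    excluded_roles = set(split_list(stanza.get("excludedAutoMappedRoles", "")))
    if "admin" in default_roles:
        findings.append("defaultRolesIfMissing grants admin (item 9)")
    for role in ("admin", "power"):
        if role not in excluded_roles:
            findings.append(f"{role} can be auto-mapped from the IdP (items 7-8)")
    return findings


if __name__ == "__main__":
    saml = parse_conf(SAMPLE_CONF)["saml"]
    # Constructed assertion attributes: (username, roles the IdP returned).
    for user, roles in [("alice", ["admin", "user"]),
                        ("bob", ["power"]),
                        ("svc-backup", ["user"])]:
        print(user, evaluate_login(saml, user, roles))
    print("findings:", audit_stanza(saml))
```

Running the block shows alice logging in with only the user role (admin dropped), bob falling back to the default role because power was excluded, and svc-backup refused outright. Swap the sample's defaultRolesIfMissing to admin and the audit reports the item 9 finding.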
Last modified on 22 November, 2022

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0

