
SAML SSO best practices
- Always enable SSL for Splunk Web.
- Enable authentication request signing to make sure that all SAML responses, for example AQR, assertions, and logout responses, are signed.
- Set an
Issuer ID
inAuthentication.conf
. - Use Post binding for SAML responses sent by the IdP to the Splunk platform.
- For your SAML responses, use a certificate chain instead of self-signed certificates.
- Use Post and Redirect binding for SAML responses sent to the Splunk platform by the IdP. With redirect binding, the Splunk platform verifies the SAML response against the leaf certificate on disk. The Splunk platform does not perform CRL validation during response verification.
- Make sure that none of your certificates are expired or revoked.
- Set excluded users to ensure that accounts and users are unable to log in or remain logged in.
blacklistedUsers = <Comma-separated list of user names from the response that should be excluded by the Splunk platform.>
- Set list of untrusted users that are in control of IdP group names. For example, you can limit access by specifying that Splunk roles such as admin and power are added to auto-mapped rules section.
blacklistedUsers = <Comma-separated list of user names from the IDP response that should be excluded by the Splunk platform.>
- The Splunk platform supports auto-mapped roles by default. If Splunk roles are returned in an assertion, the Splunk platform uses them. To turn off auto-mapping for roles, add the list of roles to the
blacklistedAutoMappedRoles
setting inauthentication.conf
.blacklistedAutoMappedRoles = <Comma separated list of Splunk roles from the IDP Response that should be prevented from being auto-mapped by the Splunk platform.>
- Do not assign the
Admin
role todefaultRolesIfMissing
setting. The Admin role is temporarily used to send group information in the SAML assertion until the IdP is configured.
Last modified on 08 June, 2020
PREVIOUS Configure SAML SSO using configuration files |
NEXT Troubleshoot SAML SSO |
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1, 8.1.2
Feedback submitted, thanks!