Splunk® Enterprise

Securing the Splunk Platform

SAML SSO best practices

  1. Always enable SSL for Splunk Web.
  2. Enable authentication request signing to make sure that all SAML responses, for example AQR, assertions, and logout responses, are signed.
  3. Set an Issuer ID in authentication.conf.
  4. Use Post binding for SAML responses sent by the IdP to the Splunk platform.
  5. For your SAML responses, use a certificate chain instead of self-signed certificates.
  6. Use Post and Redirect binding for SAML responses sent to the Splunk platform by the IdP. With redirect binding, the Splunk platform verifies the SAML response against the leaf certificate on disk. The Splunk platform does not perform CRL validation during response verification.
  7. Make sure that none of your certificates are expired or revoked.
  8. Set excluded users to ensure that accounts and users are unable to log in or remain logged in.
    blacklistedUsers = <Comma-separated list of user names from the response that should be excluded by the Splunk platform.>
  9. Set a list of untrusted users who are in control of IdP group names. For example, you can limit access by specifying that Splunk roles such as admin and power are added to the auto-mapped rules section.
    blacklistedUsers = <Comma-separated list of user names from the IDP response that should be excluded by the Splunk platform.>
  10. The Splunk platform supports auto-mapped roles by default. If Splunk roles are returned in an assertion, the Splunk platform uses them. To turn off auto-mapping for roles, add the list of roles to the blacklistedAutoMappedRoles setting in authentication.conf.
    blacklistedAutoMappedRoles = <Comma separated list of Splunk roles from the IDP Response that should be prevented from being auto-mapped by the Splunk platform.>
  11. Do not assign the Admin role to the defaultRolesIfMissing setting. The Admin role is temporarily used to send group information in the SAML assertion until the IdP is configured.
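
The checklist items that correspond to settings in authentication.conf can be checked mechanically. The following is an added example, not Splunk's own code: it audits a constructed SAML stanza against items 2, 3, 9-10 and 11. The stanza name `saml_idp`, the sample values, the setting names `signAuthnRequest`, `entityId` and `defaultRoleIfMissing` (not shown on this page), and the policy that both admin and power must be excluded from auto-mapping are assumptions.

```python
import configparser

# Constructed samples; the stanza name and all values are illustrative only.
WEAK_CONF = """
[saml_idp]
entityId =
signAuthnRequest = false
defaultRoleIfMissing = admin
blacklistedAutoMappedRoles = power
"""
HARDENED_CONF = """
[saml_idp]
entityId = splunk-sp-example
signAuthnRequest = true
defaultRoleIfMissing = user
blacklistedUsers = former_contractor
blacklistedAutoMappedRoles = admin,power
"""
PRIVILEGED_ROLES = {"admin", "power"}  # roles named in checklist item 9

def _csv(value):
    """Split a comma-separated setting into a set of lowercase names."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def audit_saml(conf_text, stanza):
    """Return the sorted checklist item numbers that the SAML stanza fails."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    s = cp[stanza]
    failed = set()
    # Item 2: request signing; unset is flagged so the choice is explicit.
    if s.get("signAuthnRequest", "").strip().lower() not in ("true", "1"):
        failed.add(2)
    # Item 3: the Issuer ID (entityId, an assumed setting name) must be set.
    if not s.get("entityId", "").strip():
        failed.add(3)
    # Items 9-10: privileged roles must not be auto-mapped from IdP groups.
    if not PRIVILEGED_ROLES <= _csv(s.get("blacklistedAutoMappedRoles")):
        failed.add(10)
    # Item 11: admin must not be the fallback role (both spellings accepted).
    fallback = s.get("defaultRoleIfMissing") or s.get("defaultRolesIfMissing")
    if "admin" in _csv(fallback):
        failed.add(11)
    return sorted(failed)

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "fails items:", audit_saml(text, "saml_idp"))
```
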
Last modified on 08 June, 2020

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1, 8.1.2