Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Secure SSO with TLS certificates on Splunk Enterprise

On Splunk Enterprise, you can use transport layer security (TLS) certificates to secure single sign-on (SSO) operations. Splunk Cloud Platform already secures communications end-to-end between your browser and the instance.

The following settings from the authentication.conf configuration file let Splunk Enterprise perform TLS verification between the Splunk Enterprise instance and the Simple Object Access Protocol (SOAP) instance that provides the AttributeQuery service.

| Setting name | Setting type | Description |
| --- | --- | --- |
| sslVersions | comma-separated list | A list of SSL versions that the Splunk Enterprise instance is to support. |
| sslCommonNameToCheck | string | Splunk Enterprise limits most outbound HTTPS connections to hosts that use a certificate with this common name. The sslVerifyServerCert setting must be true for this setting to have an effect. |
| sslAltNameToCheck | comma-separated list | Splunk Enterprise can verify certificates with a "Subject Alternative Name" that matches any of the alternate names in this list. The sslVerifyServerCert setting must be true for this setting to have an effect. |
| ecdhCurveName | string | The name of the Elliptic Curve Diffie-Hellman (ECDH) curve that Splunk Enterprise is to use for ECDH key negotiation. |
| serverCert | string | The location of the server certificate file. |
| sslPassword | string | The password for the server certificate. |
| caCertFile | string | The public key of the authority that signs the certificates. |
| sslVerifyServerCert | Boolean | Whether or not Splunk Enterprise verifies the common name and the alternate name of a certificate and considers the certificate valid if either name matches. |
| blacklistedAutoMappedRoles | comma-separated list | A list of Splunk roles that you do not want Splunk Enterprise to auto-map if they arrive in the response from the IdP. |
| blacklistedUsers | comma-separated list | A list of user names that Splunk must reject from the IdP response. |
| nameIdFormat | string | If the IdP supports it, the format of the Subject that the IdP returns in the SAML assertion. Splunk Enterprise can specify this value when it makes a SAML authentication request. |
| ssoBinding | string | The binding Splunk Enterprise is to use when it makes a service-provider-initiated SAML request. The binding must match the one configured on the IdP. |
| sloBinding | string | The binding Splunk Enterprise is to use when it makes a logout request or sends a logout response to complete the logout workflow. The binding must match the one configured on the IdP. |
| signatureAlgorithm | string | The signature algorithm to use for an SP-initiated SAML request. The signedAuthnRequest setting must be true for this setting to have an effect. The algorithm applies to both the HTTP POST and HTTP Redirect bindings. |
| inboundSignatureAlgorithm | semicolon-separated list | A list of signature algorithms that are accepted in SAML responses. This setting affects both HTTP POST and HTTP Redirect bindings. |
| replicateCertificates | Boolean | Whether or not IdP certificate files must be replicated manually across Splunk Enterprise nodes. If certificate replication is not enabled, you must replicate certificate files manually, or verification of SAML signed assertions fails. |
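
Several of these settings only take effect when another setting is true, which makes a silently ineffective configuration easy to ship. The following check is an added example, not Splunk code: it reads authentication.conf text and reports settings whose stated prerequisite is not set to true in the same stanza. The stanza name, the sample values, the accepted truthy spellings, and the choice not to model default values are assumptions of this example.

```python
import configparser

TRUE = {"1", "true", "t", "yes", "y"}  # truthy spellings accepted by this example (assumption)

# Each setting on the left only takes effect when the one on the right is true,
# as stated in the setting descriptions above.
REQUIRES = {
    "sslCommonNameToCheck": "sslVerifyServerCert",
    "sslAltNameToCheck": "sslVerifyServerCert",
    "signatureAlgorithm": "signedAuthnRequest",
}

# Constructed sample input; the stanza name and every value are made up.
SAMPLE = """
[saml_example]
sslVerifyServerCert = false
sslCommonNameToCheck = idp.example.com
sslAltNameToCheck = idp.example.com, sso.example.com
signedAuthnRequest = false
signatureAlgorithm = RSA-SHA256
replicateCertificates = false
"""

def audit(conf_text):
    """Return sorted (stanza, setting, problem) findings for one authentication.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    findings = []
    for stanza in cp.sections():
        s = cp[stanza]
        is_true = lambda key: s.get(key, "").strip().lower() in TRUE
        for key, prereq in REQUIRES.items():
            # Defaults are not modelled: the prerequisite must be set in the same stanza.
            if s.get(key, "").strip() and not is_true(prereq):
                findings.append((stanza, key, f"no effect unless {prereq} = true"))
        if "replicateCertificates" in s and not is_true("replicateCertificates"):
            findings.append((stanza, "replicateCertificates",
                             "off: copy IdP certificate files to every node manually"))
    return sorted(findings)

if __name__ == "__main__":
    for stanza, key, problem in audit(SAMPLE):
        print(f"[{stanza}] {key}: {problem}")
```

Run it against the merged configuration for the instance rather than a single file, because a prerequisite can be set in a different configuration layer than the setting that depends on it.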
Last modified on 29 June, 2023

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2

