Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Configure Splunk Cloud Platform to use SAML for authentication tokens

Currently, the Splunk platform supports using authentication tokens in Splunk Cloud Platform with the Microsoft Azure and Okta Security Assertion Markup Language (SAML) identity providers (IdPs), as well as other providers that support attribute query requests (AQR), which lets Splunk Cloud Platform retrieve information about users on the IdP. When you configure Splunk Cloud Platform to use SAML as an authentication scheme, you let Splunk Cloud Platform query these IdPs to confirm that tokens you create in Splunk Cloud Platform for authentication are valid.

Splunk Cloud Platform also supports authentication tokens when it uses either the native or Lightweight Directory Access Protocol (LDAP) authentication schemes. To learn more about authentication tokens, how they work, and how you enable or disable them individually or globally, see Set up authentication with tokens.

Prerequisites for using Splunk Cloud Platform with authentication tokens

  • You must use one of the following SAML IdPs. There is no support for other IdPs at this time:
    • Microsoft Azure
    • Okta
    • Any other IdP that supports AQR.
  • You must hold credentials that let you configure authentication schemes in Splunk Cloud Platform
  • You must configure Splunk Cloud Platform to use SAML as an authentication scheme, if you have not already
  • You must configure SAML authentication extensions for the IdPs to retrieve user information

Configure Splunk Cloud Platform to use SAML as an authentication scheme

Before Splunk Cloud Platform can use Microsoft Azure or Okta to authenticate tokens, you must configure your Splunk Cloud Platform instance to use SAML for authentication.

If you have already configured your Splunk Cloud Platform instance to use SAML, you do not have to perform this procedure again.

  1. Log into Splunk Cloud Platform as an administrator level user.
  2. From the system bar, click Settings > Authentication Methods.
  3. Under External, click SAML. A link Configure Splunk to use SAML appears.
  4. Click Configure Splunk to use SAML. The SAML configuration dialog box appears.
  5. In the General Settings section of the "SAML configuration" dialog box, supply the appropriate information to access the Microsoft Azure or Okta IdP. You must supply at least the following in the "General Settings" section:
    1. Single Sign-on (SSO) URL
    2. IdP Certificate Chains
    3. Issuer ID
    4. Entity ID
  6. In the Alias section, supply the three aliases as provided by your IdP:
    1. Role alias
    2. RealName alias
    3. Mail alias

Configure authentication extensions

When you configure authentication extensions, you specify a script for either Microsoft Azure or Okta, a timeout for the script to run, and a timeout for Splunk Cloud Platform to cache user information that it retrieves from the IdP.

When Splunk Cloud Platform queries the IdP and runs the appropriate script to get user information, the script timeout determines how long Splunk Cloud Platform waits to get user information from the IdP. You can configure it to wait anywhere from 300 to 3600 seconds, or 5 minutes to 1 hour. 300 seconds is the default.

After Splunk Cloud Platform successfully retrieves the information, it caches it, and the Get user info time-to-live determines how long Splunk Cloud Platform retrieves user information from the cache. During this period, Splunk Cloud Platform does not query the IdP for the information it has cached.

The lowest amount of time that Splunk Cloud Platform caches user information is 3600 seconds or 1 hour. You can set this timeout higher to reduce the chance of potentially overloading your IdP with authentication requests, but doing so also increases the chance that Splunk Cloud Platform might not have the most up-to-date user information, which can pose a security risk.
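The following is an added example, not code from Splunk, that models the two settings described above: a script timeout bounded to the stated 300 to 3600 seconds, and a user-info cache whose time-to-live is at least 3600 seconds. The IdP, the user directory and the clock are constructed stand-ins so the example runs offline; what it shows is the trade-off the text warns about, namely that a role revoked at the IdP keeps being served from the cache until the TTL expires.

```python
"""Added example (not Splunk's code): script timeout and user-info TTL semantics."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

SCRIPT_TIMEOUT_MIN, SCRIPT_TIMEOUT_MAX = 300, 3600   # seconds, range stated in the text
USER_INFO_TTL_MIN = 3600                             # seconds, minimum stated in the text


def validate_settings(script_timeout: int, user_info_ttl: int) -> None:
    """Reject values outside the documented ranges before they would be saved."""
    if not SCRIPT_TIMEOUT_MIN <= script_timeout <= SCRIPT_TIMEOUT_MAX:
        raise ValueError(f"script timeout must be {SCRIPT_TIMEOUT_MIN}-{SCRIPT_TIMEOUT_MAX}s")
    if user_info_ttl < USER_INFO_TTL_MIN:
        raise ValueError(f"user info time-to-live must be at least {USER_INFO_TTL_MIN}s")


@dataclass
class FakeIdp:
    """Constructed stand-in for the IdP: a user directory plus a query counter."""
    users: Dict[str, dict]
    queries: int = 0

    def get_user_info(self, username: str) -> dict:
        self.queries += 1
        # Return a copy so cached entries never alias the live directory record.
        return dict(self.users[username])


@dataclass
class UserInfoCache:
    """Serves cached user info until the TTL elapses, then re-queries the IdP."""
    idp: FakeIdp
    ttl: int
    clock: Callable[[], float] = time.monotonic   # injectable so a test can move time forward
    _entries: Dict[str, Tuple[float, dict]] = field(default_factory=dict)  # user -> (expires_at, info)

    def get_user_info(self, username: str) -> dict:
        now = self.clock()
        hit = self._entries.get(username)
        if hit and hit[0] > now:
            return hit[1]                       # within TTL: the IdP is not contacted
        info = self.idp.get_user_info(username)
        self._entries[username] = (now + self.ttl, info)
        return info


class FakeClock:
    """Constructed clock so the example can advance time deterministically."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo_stale_roles(ttl: int = USER_INFO_TTL_MIN):
    """Returns (roles at first lookup, roles just after revocation, roles after TTL, IdP queries)."""
    validate_settings(300, ttl)
    idp = FakeIdp(users={"alice": {"realName": "Alice", "mail": "alice@example.com",
                                   "roles": ["admin"]}})   # constructed user record
    clock = FakeClock()
    cache = UserInfoCache(idp, ttl, clock)
    before = cache.get_user_info("alice")["roles"]
    idp.users["alice"]["roles"] = ["user"]       # admin role revoked at the IdP
    clock.advance(ttl - 1)
    stale = cache.get_user_info("alice")["roles"]   # still "admin": served from cache
    clock.advance(1)
    fresh = cache.get_user_info("alice")["roles"]   # TTL expired: IdP queried again
    return before, stale, fresh, idp.queries


if __name__ == "__main__":
    print(demo_stale_roles())
```

Raising the TTL lowers the query rate against the IdP but widens the window in which a revoked or changed role is still honoured, so the value should be chosen against how quickly a de-provisioned user must lose access.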

Configure extensions for the Microsoft Azure identity provider

Splunk Cloud Platform requires the getUserInfo authentication extension to connect to Microsoft Azure as an identity provider.

If you have a user on the IdP that is a member of more than 150 groups, then Splunk Cloud Platform also requires the login authentication extension.

  1. Log into Splunk Cloud Platform as an administrator level user.
  2. From the system bar, click Settings > Authentication Methods.
  3. Click "Configure Splunk to use SAML". The "SAML configuration" dialog box appears.
  4. In the Script path field within the Authentication Extensions section of the "SAML configuration" dialog box, type in SAML_script_azure.py.
  5. In the Script timeout field, type in 300s.
  6. In the Get User Info time-to-live field, type in 3600s.
  7. Click the Script functions field.
  8. In the pop-up window that appears, click getUserInfo.
  9. (Optional) If there is at least one user on the IdP that is a member of more than 150 groups, repeat Steps 7-8 to add the login script function.
  10. Under Script Secure Arguments, click Add Input.
  11. In the Key field, type in clientId.
  12. In the Value field, type in the Azure client ID.
  13. Repeat Steps 10-12 to add the clientSecret key and the Azure client secret value that Splunk Cloud Platform is to use for authentication.
  14. Repeat Steps 10-12 to add the tenantId key and the Azure tenant ID value.
  15. (Optional) If you want Splunk Cloud Platform to retrieve roles that are in nested groups within the Azure environment, repeat Steps 10-12 to add the groupType key and transitive as the groupType value.
  16. Click Save. Splunk Cloud Platform saves the Azure configuration and returns you to the SAML Groups page.
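As an added example, not code from Splunk or Microsoft, the following shows what the groupType value of transitive changes: with direct membership only, a user inherits nothing from groups that contain their group, whereas transitive resolution walks the nesting (cycle-safe) before the role alias is applied. The directory and the group-to-role mapping are constructed for the example; in Splunk Cloud Platform the lookup is done by the Azure extension script, not by this code.

```python
"""Added example (not Splunk's or Microsoft's code): direct vs. transitive group resolution."""
from collections import deque
from typing import Dict, List, Set

# Constructed directory: group -> members (user names or other groups). The
# leads <-> analysts entries form a cycle on purpose, which real directories can contain.
DIRECTORY: Dict[str, Set[str]] = {
    "grp-splunk-admins": {"grp-soc-leads"},
    "grp-soc-leads": {"grp-soc-analysts", "bob"},
    "grp-soc-analysts": {"alice", "grp-soc-leads"},
    "grp-readonly": {"alice"},
}

# Constructed mapping of IdP groups to Splunk roles (what the Role alias delivers).
GROUP_TO_ROLE: Dict[str, str] = {
    "grp-splunk-admins": "admin",
    "grp-soc-analysts": "power",
    "grp-readonly": "user",
}


def direct_groups(user: str) -> Set[str]:
    """Groups that list the user as an immediate member."""
    return {g for g, members in DIRECTORY.items() if user in members}


def transitive_groups(user: str) -> Set[str]:
    """Groups the user belongs to directly or through nesting; a seen-set stops cycles."""
    seen: Set[str] = set()
    queue = deque(direct_groups(user))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        # Every group that contains this group is also an (indirect) membership.
        queue.extend(parent for parent, members in DIRECTORY.items() if group in members)
    return seen


def roles_for(user: str, group_type: str = "direct") -> List[str]:
    """Splunk roles the user would receive under the given groupType setting."""
    if group_type not in ("direct", "transitive"):
        raise ValueError("group_type must be 'direct' or 'transitive'")
    groups = transitive_groups(user) if group_type == "transitive" else direct_groups(user)
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, roles_for(who), roles_for(who, "transitive"))
```

The difference matters for review: with transitive resolution, a user can receive the admin role through a nesting path that never appears in their direct group list, so the nested paths into privileged groups are what to audit when this setting is on.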

Configure authentication extensions for the Okta identity provider

  1. Log into Splunk Cloud Platform as an administrator level user.
  2. From the system bar, click Settings > Authentication Methods.
  3. Click "Configure Splunk to use SAML". The "SAML configuration" dialog box appears.
  4. In the Script path field within the Authentication Extensions section of the "SAML configuration" dialog box, type in SAML_script_okta.py.
  5. In the Script timeout field, type in 300s.
  6. In the Get User Info time-to-live field, type in 3600s.
  7. Click the Script functions field.
  8. In the pop-up window that appears, click getUserInfo.
  9. Under Script Secure Arguments, click Add Input.
  10. In the Key field, type in apiKey.
  11. In the Value field, type in the API key for your IdP.
  12. Click Add Input again.
  13. In the Key field, type in baseUrl.
  14. In the Value field, type in the URL of your Okta instance.
  15. Click Save. Splunk Cloud Platform saves the Okta configuration and returns you to the SAML Groups page.
Last modified on 27 October, 2022

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1

