Best practices for using SAML as an authentication scheme for single-sign on
Following are some best practices to ensure that you have the most secure experience when you configure the Splunk platform to use Security Assertion Markup Language as an authentication scheme.
Many of these best practices work for both Splunk Cloud Platform and Splunk Enterprise. As a Splunk Cloud Platform user, you must open a support ticket to make changes to your instance with configuration files.
- Always enable SSL for Splunk Web. This ensures that all communications between your browser, your Splunk platform instance, and your identity provider (IdP) are secure.
- Enable authentication request signing to ensure that all SAML responses, for example Attribute Query Requests (AQR), assertions, and logout responses, are encrypted.
- For SAML responses from your IdP, use an SSL certificate chain, rather than a group of self-signed certificates.
- Configure your identity provider (IdP) to use HTTP POST or redirect binding for SAML responses that the IdP sends to the Splunk platform. With redirect binding active, the Splunk platform verifies the SAML response against the end-entity, or leaf, certificate that you installed on the instance. The Splunk platform does not perform certificate revocation list (CRL) validation during response verification.
- Make sure that all of your certificates are valid, and have not expired or been revoked.
- Configure user exclude lists to ensure that accounts in the exclude list cannot log in or remain logged in. You can do this with the authentication.conf configuration file.
blacklistedUsers = <comma-separated list of user names from the response that the Splunk platform is to exclude>
- Set a list of non-trusted users that are in control of IdP group names. For example, you can limit access by specifying that Splunk roles such as power are added to the auto-mapped rules section. You do this with the authentication.conf configuration file.
blacklistedUsers = <Comma-separated list of user names from the IDP response that the Splunk platform is to exclude>
- The Splunk platform supports auto-mapped roles by default. If the IdP returns Splunk roles in an assertion, the Splunk platform uses them. To turn off auto-mapping for roles, add the list of roles to the blacklistedAutoMappedRoles setting in authentication.conf.
blacklistedAutoMappedRoles = <Comma-separated list of Splunk roles from the IDP response that should be prevented from being auto-mapped by the Splunk platform.>
- Do not assign the admin role to the defaultRolesIfMissing setting in the authorize.conf configuration file. The Splunk platform temporarily uses the admin role to send group information in the SAML assertion until the IdP is configured.
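The practices above can be checked mechanically against the configuration files. The following is an added example, not code from the Splunk documentation or the product: a small Python lint that parses constructed authentication.conf and web.conf fragments (a weak [saml] stanza beside a hardened one) and reports which practices the weak stanza violates. It assumes the setting names signAuthnRequest, signedAssertion and enableSplunkWebSSL as they appear in the Splunk .conf specs, accepts either the defaultRoleIfMissing or the defaultRolesIfMissing spelling in authentication.conf or authorize.conf, and treats an absent setting as unverified rather than assuming Splunk's default. All stanza values are constructed samples.

```python
"""Added example (not Splunk's own code): lint SAML settings in Splunk .conf
files against the best practices listed on this page."""
import configparser

# Constructed sample: a [saml] stanza that violates several of the practices.
WEAK_AUTHENTICATION_CONF = """
[authentication]
authType = SAML
authSettings = saml

[saml]
entityId = splunk-sh-example
idpSSOUrl = https://idp.example.com/sso
signAuthnRequest = false
signedAssertion = false
defaultRoleIfMissing = admin
blacklistedUsers =
blacklistedAutoMappedRoles =
"""

# Constructed sample: the same stanza with the practices applied.
HARDENED_AUTHENTICATION_CONF = """
[authentication]
authType = SAML
authSettings = saml

[saml]
entityId = splunk-sh-example
idpSSOUrl = https://idp.example.com/sso
signAuthnRequest = true
signedAssertion = true
defaultRoleIfMissing = user
blacklistedUsers = svc_legacy, contractor_jdoe
blacklistedAutoMappedRoles = admin, sc_admin
"""

WEAK_WEB_CONF = "[settings]\nenableSplunkWebSSL = false\n"
HARDENED_WEB_CONF = "[settings]\nenableSplunkWebSSL = true\n"

# configparser lower-cases option names, so both spellings are matched in lower case.
DEFAULT_ROLE_KEYS = ("defaultroleifmissing", "defaultrolesifmissing")


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-style; % interpolation is disabled so that
    URL-encoded characters in values survive unchanged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def split_list(value: str) -> list:
    """Comma-separated Splunk list value -> trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "yes")


def lint_saml(authentication_conf: str, web_conf: str, authorize_conf: str = "") -> list:
    """Return one 'CODE: message' finding per violated practice; [] when clean."""
    auth = parse_conf(authentication_conf)
    web = parse_conf(web_conf)
    authz = parse_conf(authorize_conf)
    saml = auth["saml"] if auth.has_section("saml") else {}
    findings = []

    # Splunk Web must serve HTTPS so browser <-> Splunk <-> IdP traffic is protected.
    if not is_true(web.get("settings", "enableSplunkWebSSL", fallback="false")):
        findings.append("WEB_SSL_OFF: web.conf [settings] enableSplunkWebSSL is not true")

    # Authentication requests sent to the IdP must be signed.
    if not is_true(saml.get("signAuthnRequest", "false")):
        findings.append("AUTHNREQUEST_UNSIGNED: [saml] signAuthnRequest is not true")

    # Splunk must require a signature on the assertions the IdP returns.
    if not is_true(saml.get("signedAssertion", "false")):
        findings.append("ASSERTION_SIGNATURE_NOT_REQUIRED: [saml] signedAssertion is not true")

    # The fallback role for users whose assertion carries no role must never be admin.
    for cp, fname in ((auth, "authentication.conf"), (authz, "authorize.conf")):
        for section in cp.sections():
            for key, value in cp.items(section):
                if key in DEFAULT_ROLE_KEYS and "admin" in [r.lower() for r in split_list(value)]:
                    findings.append(f"DEFAULT_ROLE_ADMIN: {fname} [{section}] {key} grants admin")

    # Role names in the assertion are chosen by whoever controls IdP group names,
    # so admin should not be reachable through auto-mapping.
    auto_blocked = [r.lower() for r in split_list(saml.get("blacklistedAutoMappedRoles", ""))]
    if "admin" not in auto_blocked:
        findings.append("ADMIN_AUTO_MAPPABLE: admin is not listed in blacklistedAutoMappedRoles")

    # Informational: with no exclude list, no account is refused regardless of the IdP response.
    if not split_list(saml.get("blacklistedUsers", "")):
        findings.append("NO_USER_EXCLUDE_LIST: [saml] blacklistedUsers is empty")

    return findings


if __name__ == "__main__":
    for label, conf, web in (("weak", WEAK_AUTHENTICATION_CONF, WEAK_WEB_CONF),
                             ("hardened", HARDENED_AUTHENTICATION_CONF, HARDENED_WEB_CONF)):
        print(label, lint_saml(conf, web) or "OK")
```

Run it against the real files under $SPLUNK_HOME/etc/system/local (or the app that carries your SAML stanza) by reading them into strings; on Splunk Cloud Platform the same checks apply, but changes to the files still go through a support ticket as noted above. The lint deliberately reports an unset signAuthnRequest or signedAssertion instead of trusting the product default, so a clean run means every practice is stated explicitly in the configuration.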
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 9.0.0