Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Configure Splunk Enterprise to use Duo Security multifactor authentication

NOTE: If you have previously configured Splunk Enterprise to use Duo authentication via https://duo.com/docs/splunk, you must use the task described in this topic to reconfigure multifactor login with Duo Security.

Overview

  • Use the Duo Security website to create a Duo Security account for Splunk Enterprise. See https://duo.com for more information.
  • Configure Splunk Enterprise to use Duo by providing the following information:
    • Your integration key (for example, DIXXXXXXXXXXXXXXXXXX)
    • Your secret key
    • Your API hostname (for example, api-XXXXXXXX.duosecurity.com)
  • When the user logs into Splunk Enterprise and follows the instructions on the Duo login page, they are given secondary login credentials.

Configure

1. In the Menu, select Settings > Users and Authentication > Access roles.

2. Click Authentication Method.

3. Under Multifactor Authentication, select Duo Security.

4. Click the Configure Duo Security link.

5. Provide the Integration Key from your Duo configuration. You can find this key on your Duo Security configuration page or at Configuration > Details.

6. Provide the Secret Key from your Duo Security configuration. You can find this key on your Duo Security configuration page or at Configuration > Details.

7. Provide the API Hostname from your Duo configuration. You can find this hostname on your Duo Security configuration page or at Configuration > Details.

8. Tell Splunk Enterprise how to authenticate users when Duo Security is unavailable:

  • Let users login: Users who have successfully logged into Splunk Web (i.e., primary authentication) can access Splunk Enterprise even if Duo authentication (i.e., secondary authentication) fails.
  • Do not let users login: Users who have successfully logged into Splunk Web (i.e., primary authentication) cannot access Splunk Enterprise if Duo authentication (i.e., secondary authentication) fails.

9. Provide a time limit, in seconds, for how long authentication is attempted before the connection times out.

10. Save your changes. You do not need to reload authentication for multifactor authentication to take effect.

Once a user logs in, the Duo login page appears and instructs the user to choose a method to access their secondary login credentials.

How multifactor authentication works with other forms of authentication

Note that you cannot use any form of multi-factor authentication with SSO or SAML authentication. Multi-factor authentication works with the following sources of authentication:

  • Native authentication
  • LDAP
  • Scripted authentication
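
The following audit check is an added example, not part of the Splunk documentation or Splunk's own code. It reviews the choices made in steps 5 through 9 and the SSO/SAML restriction above, assuming the settings are stored in authentication.conf under the names in Splunk's authentication.conf spec (externalTwoFactorAuthVendor, externalTwoFactorAuthSettings, integrationKey, secretKey, apiHostname, failOpen, timeout). The stanza name duo-mfa and all values in the sample are constructed.

```python
import configparser
import re
# Constructed sample, not from a real deployment; key values are placeholders.
SAMPLE_CONF = """
[authentication]
authType = Splunk
externalTwoFactorAuthVendor = duo
externalTwoFactorAuthSettings = duo-mfa
[duo-mfa]
integrationKey = DIXXXXXXXXXXXXXXXXXX
secretKey = PLACEHOLDER
apiHostname = api-XXXXXXXX.duosecurity.com
failOpen = true
timeout = 60
"""

# Hostname form shown in the Overview section of this page.
DUO_HOST = re.compile(r"^api-[0-9A-Za-z]+\.duosecurity\.com$")
TRUTHY = {"1", "true", "t", "yes", "y"}  # assumed spellings of a true value

def audit_duo_mfa(conf_text):
    """Return a list of findings for the Duo MFA settings in authentication.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    auth = cp["authentication"] if cp.has_section("authentication") else {}
    if auth.get("externalTwoFactorAuthVendor", "").lower() != "duo":
        return ["Duo multifactor authentication is not enabled"]
    findings = []
    if auth.get("authType", "Splunk") in ("SAML", "ProxySSO"):
        findings.append("authType uses SSO/SAML, which cannot be combined with MFA")
    stanza = auth.get("externalTwoFactorAuthSettings", "")
    if not cp.has_section(stanza):
        return findings + [f"Duo settings stanza [{stanza}] is missing"]
    duo = cp[stanza]
    for key in ("integrationKey", "secretKey", "apiHostname"):
        if not duo.get(key, "").strip():
            findings.append(f"{key} is not set")
    host = duo.get("apiHostname", "").strip()
    if host and not DUO_HOST.match(host):
        findings.append(f"apiHostname {host!r} is not of the form api-XXXXXXXX.duosecurity.com")
    if duo.get("failOpen", "false").strip().lower() in TRUTHY:
        findings.append("failOpen is true: users get in without a second factor when Duo is unavailable")
    t = duo.get("timeout", "").strip()
    if t and not (t.isdigit() and int(t) > 0):
        findings.append(f"timeout {t!r} is not a positive number of seconds")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_duo_mfa(SAMPLE_CONF)) or "no findings")
```

The sample reports one finding, the fail-open setting that corresponds to "Let users login" in step 8.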
Last modified on 26 August, 2024

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.3.0

