Configure Splunk Enterprise to use RSA Authentication Manager multifactor authentication in the configuration file
You can configure Splunk Enterprise to use multifactor authentication from the
authentication.conf configuration file.
Configure multifactor authentication
authentication.conf, edit the
[2FA stanza name] stanza as follows:
[authentication] externalTwoFactorAuthVendor = <RSA> externalTwoFactorAuthSettings = <MFA stanza name> [<MFA stanza name>] authManagerUrl = <HTTPS-based URL of the RSA Authentication Manager REST endpoint > accessKey = <Access key needed by Splunk to communicate with RSA Authentication Manager> clientId = <Agent name created on RSA Authentication Manager> failOpen = <True|False. True allows login in case the authentication server is unavailable.> timeout = <Connection timeout in seconds for the outbound HTTPS connection> messageOnError = <Message that will be shown on the error page if authentication fails > sslVersions = <Comma-separated list of SSL versions to support for incoming connections. Supported versions are "ssl3", "tls1.0", "tls1.1", and "tls1.2". If this value is not set, Splunk uses default value of sslVersions=tls1.2 > cipherSuite = <Cipher string. Allows Splunk to use the specified cipher string for the HTTP server> ecdhCurves = <Comma separated list of ec curves. Specify ECDH curves to use for ECDH key negotiation. > sslVerifyServerCert = <True|False. True enables both the common and alternate names to be matched.> sslCommonNameToCheck = <List of common names for outbound RSA HTTPS connections> sslAltNameToCheck = <List of alternate names for outbound RSA HTTPS connections> sslRootCAPath = <Root path. The path must refer to full path of a PEM format file containing one or more root CA certificates concatenated together.>
Before logging out of configuration session, perform config verification using
'/services/admin/Rsa-MFA-config-verify' endpoint. First, enter the factor credentials and then enter the RSA passcode that appears on the RSA key fob or the mobile/desktop application which generates the token. This prevents you from blocking your ability to log in if you misconfigure authentication settings.
Configure Splunk Enterprise to use RSA Authentication Manager multifactor authentication via the REST endpoint
User experience when logging into a Splunk instance configured with RSA multifactor authentication
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 9.0.0