Splunk® Enterprise

Inherit a Splunk Enterprise Deployment

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Identify Splunk users, roles, and authentication schemes

After you have familiarized yourself with the configuration and data on your Splunk Enterprise deployment, review its security setup. This setup includes the users that are on the deployment, their permissions, and the authentication scheme that the deployment uses.

Splunk Enterprise supports several user authentication schemes:

  • Splunk internal authentication with role-based user access
  • Lightweight directory access protocol (LDAP)
  • A scripted authentication API for use with an external authentication system, such as privileged access management (PAM) or remote authentication dial-in user server (RADIUS)
  • Multifactor authentication
  • Single sign-on, through either version 2 of the security assertion markup language (SAML) protocol or a proxy server

Internal authentication and role-based user access

Role-based access control lets you manage users and restrict or share Splunk Enterprise data. Splunk Enterprise masks data to users in a manner similar to how a relational database manages access to databases.

Discover or modify existing configurations

Familiarize yourself with existing users and the roles that they hold in the deployment. Roles determine what things the users see and the actions they can perform.

In Splunk Web click Settings > Users to see all of your Splunk users. On the Users page you can click on roles and users to examine or edit permissions. You can use this page to create a list of the data available to each user or group of users. See Use access control to secure Splunk data in Securing Splunk Enterprise.

To find a specific user you can use the CLI to search for a user and role. See Find existing users and roles in Securing Splunk Enterprise.

LDAP authentication

When administrators configure Splunk to work with LDAP, they create something called "LDAP strategies". LDAP strategies are collections of configuration data that the Splunk platform uses to work with your LDAP configuration. Splunk can be directed to query these "strategies" in a particular order when searching for LDAP users. See Set up user authentication with LDAP in Securing Splunk Enterprise.

Discover or modify existing LDAP configurations

Familiarize yourself with the existing LDAP groups and permissions mappings by looking at all LDAP strategies in your deployment.

  1. From the system bar, select Settings > Authentication methods'.
  2. Select LDAP.
  3. A link "Configure Splunk to use LDAP" appears. Select that link.
  4. The "LDAP strategies" page appears. From this page, you can select strategies and view their information and track those LDAP mappings to Splunk roles.

For further information on configuring LDAP strategies in Splunk Enterprise, see Configure LDAP with Splunk Web in Securing Splunk Enterprise.

Multifactor authentication

Splunk Enterprise currently supports multifactor authentication with Duo Security. See About two-factor authentication with Duo Security in Securing Splunk Enterprise.

Find or modify existing configurations

Find out if your deployment uses Duo Multifactor Authentication through Splunk Web.

  1. From the system bar, select Settings > Authentication Methods.
  2. Under Multifactor Authentication, select Duo Security.
  3. A link "Configure Duo Security" appears. Select that link.
  4. If your deployment uses Duo MFA, a list of Duo MFA connections appears. On this page you can review and manage those connector configurations. See Configure Splunk Enterprise to use Duo Security two-factor authentication in Securing Splunk Enterprise for further information.

Single sign-on with the SAML protocol

Splunk software can leverage the SAML authentication protocol for single sign-on (SSO), using information provided by an external identity provider (IdP). See Authentication using single sign-on with SAML in Securing Splunk Enterprise.

Find or modify existing authentication configurations

Find out if your users are configured for SAML SSO.

  1. From the system bar, select Settings > Authentication Methods.
  2. Select SAML.
  3. A link "Configure Splunk to use LDAP" appears. Select that link.
  4. The "SAML groups" page appears. You can view any SAML configurations and see if your system has SSO authentication configured for groups of users. From there you can drill down to your IdP information, the mapped groups, and the users assigned to that group.

Proxy single sign-on authentication

ProxySSO lets you configure Single-Sign On (SSO) for Splunk instances through a reverse proxy server. A user logged in using ProxySSO can seamlessly access Splunk Web.

Find existing configurations

You can view any existing HTTP request headers that the proxy server sends to Splunk Web:

Set enableWebDebug=true in web.conf under settings stanza:

http://<ProxyServerIP>:<ProxyServerPort>/debug/sso

ProxySSO login events are logged in var/log/splunkd.log.

Last modified on 12 December, 2022
Review your apps and add-ons   Review security configurations and certificates

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters