Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Set up user authentication with external systems

You can use scripted authentication, such as with external protocols and services like privileged access management (PAM) and remote authentication dial-in user service (RADIUS), to log users into Splunk Enterprise. Read this topic to learn about the steps you need to take to configure scripted authentication on Splunk Enterprise deployments.

Native Splunk authentication takes precedence over any other type of authentication scheme. When you configure scripted authentication, the Splunk native authentication scheme still processes logins before passing the request onward to the scripted authentication scheme.

Splunk Cloud Platform doesn't support scripted authentication of any kind. Don't try to use scripted authentication to log users into Splunk Cloud, even by using a Splunk app.

How scripted authentication works

In scripted authentication, a Python script that you create serves as the middleman between Splunk Enterprise and an external authentication system such as PAM or RADIUS.

The API consists of a few functions that handle communications between Splunk Enterprise and the authentication system. You need to create a script with handlers that implement those functions.

To integrate your authentication system with Splunk Enterprise, confirm that the authentication system is running and then do the following:

  1. Create a Python authentication script. See Create the authentication script for the procedure.
  2. Enable your script by editing the authentication.conf configuration file to specify scripted authentication and its associated settings. See Edit authentication.conf for the procedure.
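The handler pattern described above, sketched as an added example that is not one of Splunk's sample scripts. It assumes the call names (userLogin, getUserInfo, getUsers), the `--key=value` input on stdin and the `--status` / `--userInfo` reply format of the scripted authentication interface, none of which are spelled out on this page; check them against the README in the samples directory. The in-memory DIRECTORY is a constructed stand-in for the external system.

```python
import hmac
import sys

# Constructed stand-in for the external system (PAM, RADIUS, ...); a real
# script would query that system here instead of a dictionary.
DIRECTORY = {"alice": {"password": "correct horse", "realname": "Alice Example",
                       "roles": ["user", "power"]}}

SUCCESS, FAIL = "--status=success", "--status=fail"


def parse_inputs(text):
    """Parse the '--key=value' lines that Splunk writes to the script's stdin."""
    args = {}
    for line in text.splitlines():
        if line.startswith("--") and "=" in line:
            key, value = line[2:].split("=", 1)  # values may contain '='
            args[key] = value
    return args


def user_info(name):
    entry = DIRECTORY[name]
    # Assumed format: <deprecated id, left empty>;<username>;<realname>;<role1:role2>
    return "--userInfo=;%s;%s;%s" % (name, entry["realname"], ":".join(entry["roles"]))


def handle(call, args):
    """Dispatch one call and return the reply. Anything unexpected fails closed."""
    try:
        if call == "userLogin":
            entry = DIRECTORY.get(args["username"])
            ok = entry is not None and hmac.compare_digest(
                entry["password"].encode(), args["password"].encode())
            return SUCCESS if ok else FAIL
        if call == "getUserInfo":
            return SUCCESS + " " + user_info(args["username"])
        if call == "getUsers":
            return SUCCESS + " " + " ".join(user_info(n) for n in sorted(DIRECTORY))
    except Exception:
        pass  # missing argument, unknown user, backend error: deny
    return FAIL


if __name__ == "__main__":
    # The call name arrives as the first argument and the credentials on
    # stdin, so the password never shows up in the process list. Never log it.
    call_name = sys.argv[1] if len(sys.argv) > 1 else ""
    print(handle(call_name, parse_inputs(sys.stdin.read())))
```

Every path that is not an explicit match returns `--status=fail`, so a backend outage or malformed request denies the login instead of admitting it.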

Example scripts

Splunk provides several example authentication scripts and associated configuration files, including one set for RADIUS and another for PAM. There is also a simple script called dumbScripted.py, which focuses on the interaction between the script and Splunk deployments.

The scripts that Splunk provides are examples that you can modify or extend as needed. Splunk does not support them, and there is no guarantee that they will fully meet your authentication and security needs.

You can use an example script and configuration file as the starting point for creating your own script. You must modify them for your environment.

You can find these examples in $SPLUNK_HOME/share/splunk/authScriptSamples/. That directory also contains a README file with information on the examples, as well as additional information on setting up the connection between Splunk Enterprise and external systems.

Last modified on 22 March, 2022

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2
