Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

About proxy single sign-on

Proxy single sign-on, or proxy SSO, is an authentication method that lets you configure single sign-on authentication for Splunk Enterprise instances through a reverse proxy server.

With proxy SSO, a proxy server exists between the Splunk Enterprise deployment and an external authentication service. You can pass user identity and group information in HTTP headers from the proxy server to Splunk Enterprise. Splunk Enterprise uses the information it receives in these headers to authenticate users and subsequently authorize them through groups that have been mapped to Splunk roles.

Authentication using proxy SSO provides the following benefits:

  • It combines authentication and authorization into one step for the user, which streamlines the login process
  • It eliminates a direct connection between Splunk Enterprise and the external authentication service, which increases security
  • It reduces the number of configuration steps for authentication
  • It lowers the amount of network communication between Splunk Enterprise and authentication services, making authentication more efficient
  • It expands the number of authentication service options you can use beyond Lightweight Directory Access Protocol (LDAP), as the proxy server passes the required authentication and authorization information

It's not possible to configure proxy SSO in Splunk Enterprise using Splunk Web. Instead, you must use the Representational State Transfer (REST API) or modify configuration files, as described in Configure proxy single sign on.

Splunk Cloud Platform does not support authentication using proxy SSO.

Prerequisites to configuring proxy SSO

To set up proxy SSO, you must have the following:

  • A proxy server
    • This proxy server must be configured to send HTTP headers as part of an HTTP web request or response.
  • A working Splunk Enterprise deployment

For more information about how to configure these items and set up proxy SSO, see Configure proxy SSO.

How proxy SSO works

  1. You configure a proxy server to handle authentication requests between Splunk Enterprise and an external authentication service.
  2. You map groups on the external application service to roles on the Splunk Enterprise deployment.
  3. The proxy server authenticates against the configured authentication service and creates an HTTP request.
  4. Splunk Enterprise receives HTTP headers from the trusted reverse proxy server.
  5. Splunk Enterprise checks the trustedIP setting in its web.conf configuration file to determine that it is receiving a request from the trusted proxy server IP address.
  6. Based on the headers that Splunk Enterprise receives from the trusted proxy server, Splunk Enterprise accepts or denies the login request.

After a successful login, the client web browser creates a session cookie and the user can then access Splunk Web.

Last modified on 10 November, 2023

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters