Splunk® Enterprise

Securing Splunk Enterprise

Best practices for using SAML as an authentication scheme for single-sign on

Following are some best practices to maintain a high level of security when you configure the Splunk platform to use Security Assertion Markup Language as an authentication scheme.

Many of these best practices work for both Splunk Cloud Platform and Splunk Enterprise. As a Splunk Cloud Platform user, you must open a support ticket to make changes to your instance with configuration files.

  1. Always enable TLS for Splunk Web. This ensures that all communications between your browser, your Splunk platform instance, and your identity provider (IdP) are secure.
  2. Enable authentication request signing to ensure that all SAML responses, for example Attribute Query Requests (AQR), assertions, and logout responses, are encrypted.
  3. For SAML responses from your IdP, use an SSL certificate chain, rather than a group of self-signed certificates.
  4. Configure your identity provider (IdP) to use the HTTP POST or redirect SAML bindings for SAML responses that the IdP sends to the Splunk platform. When you use HTTP redirect SAML bindings, the Splunk platform verifies the SAML response against the end-entity, or leaf, certificate that you installed on the instance. The Splunk platform does not perform certificate revocation list (CRL) validation during response verification.
  5. Make sure that any TLS certificates that you use are valid, and have not expired or been revoked.
  6. Configure user exclude lists to ensure that accounts in the exclude list cannot log in or remain logged in. You can do this with the authentication.conf configuration file.
       excludedUsers = <comma-separated list>
     A list of user names from the SAML response that the Splunk platform is to exclude.
  7. Set a list of non-trusted users that are in control of IdP group names. For example, you can limit access by specifying that Splunk roles such as the admin and power roles are added to the auto-mapped rules section. You do this with the authentication.conf configuration file.
       excludedUsers = <comma-separated list>
     A list of user names from the IdP response that the Splunk platform is to exclude.
  8. The Splunk platform supports auto-mapped roles by default. If the IdP returns Splunk roles in an assertion, the Splunk platform uses them. To turn off auto-mapping for roles, add the list of roles to the excludedAutoMappedRoles setting in the authentication.conf file.
       excludedAutoMappedRoles = <comma-separated list>
     A list of Splunk roles from the IdP response that the Splunk platform must not auto-map.
  9. Do not assign the admin role to the defaultRolesIfMissing setting in the authentication.conf configuration file. The Splunk platform temporarily uses the admin role to send group information in the SAML assertion until the IdP is configured.
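The following script is an added example, not Splunk tooling, that audits the authentication.conf settings named in practices 6, 8 and 9 above (excludedUsers, excludedAutoMappedRoles and defaultRolesIfMissing). It assumes the usual authentication.conf layout in which an [authentication] stanza with authType = SAML points at the SAML stanza through authSettings; the stanza name corp_saml and the conf text in SAMPLE_CONF are constructed for illustration and deliberately violate practice 9.

```python
"""Audit the SAML stanza of a Splunk authentication.conf against the
best practices on this page.  Added example, not Splunk's own code."""
import configparser
from typing import Dict, List

# Constructed sample conf.  The stanza layout ([authentication] with
# authType/authSettings pointing at a named SAML stanza) is an assumption
# about the file format; corp_saml and the listed users are made up.
SAMPLE_CONF = """
[authentication]
authType = SAML
authSettings = corp_saml

[corp_saml]
excludedUsers = svc_backup, former_contractor
excludedAutoMappedRoles = admin, power
defaultRolesIfMissing = admin, user
"""

# Roles that practices 7 and 8 single out as ones the IdP must not be
# allowed to hand out through auto-mapping.
PRIVILEGED_ROLES = ("admin", "power")


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse INI-style conf text, keeping key case as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # type: ignore[assignment]  # Splunk keys are camelCase
    cp.read_string(text)
    return cp


def split_list(value: str) -> List[str]:
    """Split a '<comma-separated list>' setting into lower-cased items."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def saml_stanza(cp: configparser.ConfigParser) -> Dict[str, str]:
    """Return the stanza that [authentication] authSettings points at."""
    name = cp.get("authentication", "authSettings", fallback=None)
    if name is None or not cp.has_section(name):
        return {}
    return dict(cp[name])


def audit(text: str) -> List[str]:
    """Return one finding per best practice the conf text violates."""
    findings: List[str] = []
    cp = parse_conf(text)
    if cp.get("authentication", "authType", fallback="").upper() != "SAML":
        return ["authType is not SAML; nothing to audit"]
    stanza = saml_stanza(cp)
    if not stanza:
        return ["authSettings does not name an existing SAML stanza"]

    # Practice 9: admin must never be a fallback role.
    if "admin" in split_list(stanza.get("defaultRolesIfMissing", "")):
        findings.append("defaultRolesIfMissing grants admin (practice 9)")

    # Practice 8: privileged roles should be excluded from auto-mapping.
    excluded_roles = split_list(stanza.get("excludedAutoMappedRoles", ""))
    for role in PRIVILEGED_ROLES:
        if role not in excluded_roles:
            findings.append(
                f"role '{role}' can still be auto-mapped from the IdP assertion (practice 8)"
            )

    # Practice 6: an exclude list should exist so revoked accounts cannot log in.
    if not split_list(stanza.get("excludedUsers", "")):
        findings.append("excludedUsers is empty (practice 6)")
    return findings


def hardened(text: str) -> str:
    """Apply the practice 9 fix to the sample: drop admin from the fallback roles."""
    return text.replace("defaultRolesIfMissing = admin, user",
                        "defaultRolesIfMissing = user")


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

Run it against a copy of the live file (for example by reading $SPLUNK_HOME/etc/system/local/authentication.conf into audit()) before and after a change; the sample as written reports exactly one finding, the admin role in defaultRolesIfMissing, and reports nothing once that role is removed.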
Last modified on 17 April, 2024

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1
