Splunk® Enterprise

Securing Splunk Enterprise

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

About multifactor authentication with RSA Authentication Manager

Multifactor authentication allows you to configure a primary and secondary login for your Splunk Enterprise users. You can configure multifactor authentication using RSA Authentication Manager for Splunk Web, REST endpoints, and CLI. Multifactor authentication secures the Splunk Enterprise web (8000) and management (8089) ports. After multifactor authentication is configured, the user enters a passcode to log in. The passcode is a combination of the user's authentication PIN and the RSA-generated tokencode. For example, if the user's PIN is 1111 and RSA generates a tokencode of 2222, the passcode is 11112222. The tokencode may be generated from an RSA key fob or a mobile/desktop application.


You need to have configured your RSA Authentication Manager before you attempt to configure RSA authentication on your Splunk Enterprise installation.

You need to have the change_authentication capability to configure multifactor authentication with RSA Authentication Manager.


You cannot configure multifactor authentication in the following circumstances:

  • REST endpoints authenticate via pass4symmkey.
  • You have a configuration where there is a distributed search without index clustering where peers are added to the distsearch.conf file by entering the credentials of an admin user on the indexer. This is a one-time operation that is needed to push the search head's public key to the indexer.

How multifactor authentication works with other forms of authentication

Note that you cannot use any form of multifactor authentication with SSO or SAML authentication. Multifactor authentication works with the following sources of authentication:

  • Native authentication
  • LDAP
  • Scripted authentication
Last modified on 13 August, 2018
Configure Duo multifactor authentication for Splunk Enterprise in the configuration file
Configure RSA authentication from Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters