Splunk® Enterprise

Securing Splunk Enterprise

Configure Splunk Enterprise to use Duo Security multifactor authentication

If you have previously configured Splunk Enterprise to use Duo Security authentication through Duo Two-Factor Authentication for Splunk Enterprise, follow the steps in this topic to reconfigure multifactor login with Duo Security.

Prerequisites to configuring Splunk Enterprise for Duo Security multifactor authentication

  • You have created an account for Splunk Enterprise on the Duo website. See https://duo.com/docs/splunk#first-steps in the Duo documentation.
  • To use the Universal Prompt, which is a simplified Duo experience, you have upgraded Splunk Enterprise on-premises to one of the following versions:
    • 9.1.6
    • 9.2.3
    • 9.3.1
    • Or higher.

      Splunk Enterprise versions 9.2.0, 9.2.1, 9.2.2, and 9.3.0 do not support Duo Universal Prompt.

      If you already use Duo Security authentication to log in to Splunk Enterprise, Duo uses the Traditional Prompt to authenticate you. You must migrate to the Universal Prompt. See Migrate from the Duo Traditional Prompt to the Duo Universal Prompt.

Configure Splunk Enterprise to use Duo Security authentication

  1. In the Splunk bar, select Settings > Authentication Methods.
  2. Under Multifactor authentication, choose Duo Security.
  3. Select the Configure Duo Security link.
  4. On the Add new page, enter the following details:
      You can find the details in the Duo Admin Panel, on the Protect an Application page for Splunk Enterprise.
    • Integration Key, in the following format: DIXXXXXXXXXXXXXXXXXX
    • Secret Key
    • API Hostname, in the following format: api-XXXXXXXX.duosecurity.com
  5. To specify how to authenticate users in Splunk Enterprise when the Duo Security method is unavailable, select one of the following options:
    • Let users login - Users who have successfully logged into Splunk Web can access Splunk Enterprise even if the secondary Duo authentication fails.
    • Do not let users login - Users who have successfully logged into Splunk Web cannot access Splunk Enterprise if the secondary Duo authentication fails.
  6. To require Duo multifactor authentication against REST endpoints, select Enable 2FA for REST endpoints.

    If you select this option, requests to those endpoints must include a valid session key, which you get by logging in to the Splunk platform instance using Duo authentication. Include the session key in the following format: 'curl -H "Authorization:Splunk sessionKey" -X GET <resource>'

  7. Enter a time limit, in seconds, that specifies how long Duo Security attempts authentication before the connection times out.
  8. Select Save to save your changes.

Duo Security authentication takes effect immediately. You do not have to reload the authentication configuration using the Authentication methods page.
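
As an added example (not Splunk or Duo code), the following Python function reviews the values from steps 4 through 7 before you save them, flagging malformed keys or hostnames and the weaker choices in steps 5 and 6. The dictionary keys are hypothetical names for the form fields, and treating each X in the documented formats as one letter or digit is an assumption.

```python
import re

# Formats as shown in step 4; one letter or digit per X is an assumption.
IKEY_RE = re.compile(r"DI[A-Za-z0-9]{18}")
HOST_RE = re.compile(r"api-[A-Za-z0-9]{8}\.duosecurity\.com")

# Constructed sample values built from the page's placeholders, not real credentials.
SAMPLE_STRICT = {
    "integration_key": "DIXXXXXXXXXXXXXXXXXX", "secret_key": "constructed-secret",
    "api_hostname": "api-XXXXXXXX.duosecurity.com",
    "when_duo_unavailable": "Do not let users login",
    "enable_2fa_for_rest": True, "timeout_seconds": 15,
}
SAMPLE_WEAK = dict(SAMPLE_STRICT, api_hostname="https://api-XXXXXXXX.duosecurity.com",
                   when_duo_unavailable="Let users login",
                   enable_2fa_for_rest=False, timeout_seconds=0)


def review_duo_settings(s):
    """Return a list of findings for one set of Duo settings (hypothetical dict keys)."""
    findings = []
    ikey = s.get("integration_key", "")
    if not IKEY_RE.fullmatch(ikey):
        findings.append("integration_key: expected DI followed by 18 characters")
    host = s.get("api_hostname", "")
    if host != host.strip() or "/" in host:
        findings.append("api_hostname: enter the bare hostname, no scheme, path or spaces")
    elif not HOST_RE.fullmatch(host):
        findings.append("api_hostname: expected api-XXXXXXXX.duosecurity.com")
    if not s.get("secret_key"):
        findings.append("secret_key: missing")
    elif s["secret_key"] == ikey:
        findings.append("secret_key: same value as integration_key, likely a paste error")
    # Step 5: "Let users login" admits users while Duo is unavailable.
    if s.get("when_duo_unavailable") == "Let users login":
        findings.append("fail mode: users are admitted without Duo while it is unavailable")
    # Step 6: Duo is required against REST endpoints only when this is selected.
    if not s.get("enable_2fa_for_rest", False):
        findings.append("REST: Duo is not required against REST endpoints")
    timeout = s.get("timeout_seconds")
    if not isinstance(timeout, int) or timeout <= 0:
        findings.append("timeout_seconds: enter a positive number of seconds")
    return findings


if __name__ == "__main__":
    for finding in review_duo_settings(SAMPLE_WEAK):
        print(finding)
```

Because the hostname pattern must match the whole value, a name that merely begins with the documented form is reported as well.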

Last modified on 09 September, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.1.6, 9.2.3, 9.3.1

