Splunk® Enterprise

Securing Splunk Enterprise

Migrate from the Duo Traditional Prompt to the Duo Universal Prompt

The Universal Prompt is an enhanced authentication experience for Duo Security users. It provides a more secure and advanced authentication experience than the Traditional Prompt, which has been the default experience in previous Splunk Enterprise versions.

Due to the announced deprecation of the Traditional Prompt, you must migrate from the Traditional to the Universal Prompt by taking the following steps.

1. Upgrade to one of the Splunk Enterprise versions that support the Duo Universal Prompt

Versions that support the Duo Universal Prompt are 9.1.6, 9.2.3, 9.3.1, and higher, except versions 9.2.0, 9.2.1, 9.2.2, and 9.3.0.

After you upgrade, the Traditional Prompt is enabled in the Duo Admin Panel. To check its status:

  1. In the left panel, select Applications.
  2. Under All Applications, select Splunk.
  3. On the Splunk page, to see the status, scroll down to the Universal Prompt section.

2. Test with multiple users whether they are able to log in using Duo multifactor authentication (MFA)

  1. If users log in using Duo MFA, it means that the Duo Traditional Prompt works correctly with the upgraded Splunk Enterprise version. See universalPrompt setting - scenarios.
  2. If users are unable to log in using Duo MFA, roll back to the Traditional Prompt and start again.

Before you continue, make sure that users can log in using Duo MFA. Enabling the Universal Prompt can't be reversed.

Roll back to the Traditional Prompt

  1. On the Splunk Enterprise instance where you want to migrate to Duo Universal Prompt, open the $SPLUNK_HOME/etc/system/local/authentication.conf file.
  2. Under the 2FA stanza, add the universalPrompt setting if it is not there, and set its value to False. See Scenarios depending on the value of the universalPrompt setting.
  3. If possible, restart the Splunk Enterprise instance.
  4. If restarting the Splunk Enterprise instance is impossible, take these steps:
    1. Create an appSecretKey by generating a SHA1 hash of a random value. Use one of the following ways to generate the SHA1 hash:
      - Use the SHA1 Hash Generator page. See https://passwordsgenerator.net/sha1-hash-generator/#google_vignette.
      - Run the following command:
      [Shell]
      echo `openssl rand -hex 20` | openssl dgst -sha1
      

      - Run the following python script:

      [Python]
      import hashlib
      import os

      # Hash 32 random bytes from the operating system and print the hex digest
      print(hashlib.sha1(os.urandom(32)).hexdigest())
      
    2. To set the universalPrompt setting to the value of False, send the following request. Include the appSecretKey that you created.
      To obtain a secret_key value, run the splunk login CLI command. To learn about administrative commands, see Administrative CLI commands in the Admin Manual.
      [Shell]
      curl --request POST \
        --url https://<sh_uri>:<mgmt_port>/services/admin/Duo-MFA/duo-mfa \
        --header 'Authorization: Splunk <secret_key>' \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data universalPrompt=false \
        --data appSecretKey=<app_secret_key>
      


      The Duo Traditional Prompt using the original working code has been enabled.


  5. If users are still unable to log in with Duo MFA, take these steps until your development team resolves the Duo MFA issues:
    1. Remove the 2FA stanza from the configuration file. To learn about the 2FA stanza, see Configure Duo multifactor authentication for Splunk Enterprise in the configuration file.
    2. Disable Duo MFA by deleting the following authentication settings from the configuration file:
      externalTwoFactorAuthVendor = <Duo>
      externalTwoFactorAuthSettings = <2FA stanza name, usually 'duo-mfa'>
      

3. Enable the Duo Universal Prompt

  1. In the Duo Admin Panel, on the Splunk page, scroll down to the Universal Prompt section and select the See Update Progress link.
  2. Select the Activate Universal Prompt for 1 app button.
  3. Test with multiple users that they are able to log in using the Universal Prompt.
    1. If users log in using Duo MFA, you have successfully completed the migration.
    2. If users are unable to log in using Duo MFA, under Activate Universal Prompt, select Show Traditional Prompt. Next, investigate with your development team what causes issues when logging in using the Universal Prompt.

universalPrompt setting - scenarios

This table presents configuration scenarios depending on the value of the universalPrompt setting.

| universalPrompt value - Splunk Enterprise | universalPrompt value - Duo Admin Panel | Triggered flow | Comments |
| --- | --- | --- | --- |
| True - default value after upgrading to version that supports the Universal Prompt | False - default value after upgrading to version that supports the Universal Prompt | Upgraded version with the Traditional Prompt | See 1. Upgrade to one of the Splunk Enterprise versions that support the Universal Prompt. |
| False | False | Previous version with the Traditional Prompt | See 2. Test with multiple users if they are able to log in using Duo MFA. |
| True | False | Upgraded version with the Traditional Prompt | See 3. Enable the Duo Universal Prompt. |
| True | True | Upgraded version with the Universal Prompt | Migration completed successfully |
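
To confirm which row of the table an instance is in after the rollback edit to authentication.conf, the following added example (not part of the Splunk documentation or product) reads the file text, follows externalTwoFactorAuthSettings to the 2FA stanza, and reports the triggered flow. The function name, the sample file contents, the lowercase vendor value, and the set of strings treated as true are assumptions; the Duo Admin Panel state is supplied by the operator.

```python
import configparser

# Triggered flow keyed by (Splunk universalPrompt, Duo Admin Panel setting),
# taken from the scenarios table on this page.
FLOWS = {
    (True, False): "Upgraded version with the Traditional Prompt",
    (False, False): "Previous version with the Traditional Prompt",
    (True, True): "Upgraded version with the Universal Prompt",
}

# Constructed sample of authentication.conf after the rollback step.
SAMPLE_CONF = """\
[authentication]
externalTwoFactorAuthVendor = duo
externalTwoFactorAuthSettings = duo-mfa

[duo-mfa]
universalPrompt = False
"""

def duo_prompt_state(conf_text, duo_panel_universal):
    """Return (2FA stanza name, universalPrompt value, triggered flow)."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(conf_text)
    vendor = cp.get("authentication", "externalTwoFactorAuthVendor", fallback="")
    stanza = cp.get("authentication", "externalTwoFactorAuthSettings", fallback="")
    if vendor.strip().lower() != "duo" or not stanza:
        return (None, None, "Duo MFA is not configured")
    if not cp.has_section(stanza):
        return (stanza, None, "2FA stanza is missing")
    raw = cp.get(stanza, "universalPrompt", fallback=None)
    # Absent setting: the table gives True as the default after the upgrade.
    # Assumption: only "true" and "1" are treated as true here.
    value = True if raw is None else raw.strip().lower() in ("true", "1")
    flow = FLOWS.get((value, duo_panel_universal), "Combination not in the table")
    return (stanza, value, flow)

if __name__ == "__main__":
    print(duo_prompt_state(SAMPLE_CONF, duo_panel_universal=False))
```

The check reads only the text it is given; Splunk merges configuration files from several directories, so run it against the file you edited or against the merged output.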
Last modified on 11 September, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.1.6, 9.2.3, 9.3.1

