Splunk® Enterprise

Securing Splunk Enterprise

About multifactor authentication with Duo Security

Duo Security is a two-factor authentication method that uses a second device to verify your identity separately from your username and password. It keeps your account secure even if your password has been compromised.

Using Duo Security, you can configure a primary and secondary login for your Splunk Enterprise users. Duo Security multifactor authentication secures Splunk Web logins on Splunk Enterprise instances.

Splunk Cloud Platform does not support multifactor authentication with Duo Security.

How Duo Security authentication works

To set up Duo Security multifactor authentication, administrators take the following steps:

  • Using Duo Admin Panel, set up protection of Splunk Enterprise with Duo Security.
  • Enroll users and the devices that they use for authentication. See https://duo.com/docs/enrolling-users in the Duo documentation.
  • Configure Splunk Enterprise to use Duo Security authentication.

Users must install the Duo Mobile application on their devices to be able to authenticate. After a user enrolls in Duo, they log in to Splunk Enterprise with their Splunk username and password and then use a second device to authenticate.

Universal Prompt for Duo Security

Duo Universal Prompt is an enhanced authentication experience for Duo Security users. It provides a more secure and advanced authentication experience than the Traditional Prompt, which is the default experience on previous Splunk Enterprise versions. The Universal Prompt supports advanced authentication features like Verified Duo Push, Risk-Based Authentication, and Passwordless login, which streamline the experience for end users and administrators. To learn about the Universal Prompt, see https://guide.duo.com/universal-prompt in the Duo documentation.

After the Duo Universal Prompt is enabled, at first login to Splunk Enterprise, Duo automatically chooses one of your configured login options. It is the most secure of the methods available to you. Examples of the methods include Platform Authenticators like TouchID, Verified Duo Push, or passcodes generated by Duo Mobile. To learn about Duo authentication methods, see https://help.duo.com/s/article/7472 in the Cisco Duo Knowledge Base.

If you still use the Traditional Prompt for Duo multifactor authentication, upgrade Splunk Enterprise on-premises to version 9.1.6, 9.1.7, 9.2.3, 9.3.1, or higher. These versions support Duo Universal Prompt. Next, migrate from the Traditional Prompt to the Universal Prompt. Due to the announced deprecation of the Traditional Prompt, continued use of this experience might result in authentication failures in the future. Versions 9.2.0, 9.2.1, 9.2.2, and 9.3.0 do not support Duo Universal Prompt.

To learn how to migrate to the Duo Universal Prompt, see Migrate from the Duo Traditional Prompt to the Duo Universal Prompt.

Using Duo Security with other authentication methods

You can use Duo Security with native authentication, LDAP external authentication, and scripted authentication.

Duo Security is not compatible with SAML and SSO authentication methods.

Duo Security can't be used with RSA SecurID multifactor authentication. You can use only one of these methods at a time.
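
A pre-migration check built from the version and compatibility statements above, as an added example that is not Splunk's own tooling. It assumes the settings live in the [authentication] stanza of authentication.conf under the authType and externalTwoFactorAuthVendor keys; the function names, the sample stanza, and the handling of branches the page does not list are assumptions.

```python
import configparser

# Lowest patch release per branch that supports the Universal Prompt (from this page).
MIN_PATCH = {(9, 1): 6, (9, 2): 3, (9, 3): 1}
# authType values treated as SAML/SSO. Assumption: ProxySSO is the "SSO" method meant.
INCOMPATIBLE_AUTH_TYPES = {"saml", "proxysso"}

# Constructed sample of an authentication.conf fragment (stanza name is made up).
SAMPLE_CONF = """
[authentication]
authType = LDAP
externalTwoFactorAuthVendor = duo
externalTwoFactorAuthSettings = duo-mfa
"""

def supports_universal_prompt(version):
    """Return True if this Splunk Enterprise version supports the Universal Prompt."""
    major, minor, patch = (int(part) for part in version.split(".")[:3])
    branch = (major, minor)
    if branch in MIN_PATCH:
        return patch >= MIN_PATCH[branch]
    # Assumption: branches after 9.3 count as "or higher"; branches before 9.1,
    # which the page does not mention, are reported as unsupported.
    return branch > (9, 3)

def audit(version, conf_text):
    """Return findings for one instance; an empty list means nothing to fix."""
    conf = configparser.ConfigParser(strict=False, interpolation=None)
    conf.optionxform = str  # keep key case as written in the .conf file
    conf.read_string(conf_text)
    auth = conf["authentication"] if conf.has_section("authentication") else {}
    if auth.get("externalTwoFactorAuthVendor", "").strip().lower() != "duo":
        return []  # Duo is not the configured MFA vendor
    findings = []
    # Assumption: a missing authType means native Splunk authentication.
    auth_type = auth.get("authType", "Splunk").strip()
    if auth_type.lower() in INCOMPATIBLE_AUTH_TYPES:
        findings.append(f"authType={auth_type} is not compatible with Duo Security")
    if not supports_universal_prompt(version):
        findings.append(f"{version} does not support the Universal Prompt; upgrade first")
    return findings

if __name__ == "__main__":
    for v in ("9.2.2", "9.3.1"):
        print(v, audit(v, SAMPLE_CONF) or "ok")
```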

Last modified on 11 September, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.1.6, 9.1.7, 9.2.3, 9.2.4, 9.3.1, 9.3.2, 9.4.0

