Configuring SAML in a search head cluster
You can configure SAML on a search head that does or does not use a load balancer. For authentication requests to be signed (recommended), you must use the same signing certificate on all search head members in the cluster.
Every search head in the cluster must have the public key of the IdP. Splunk uses this key to verify the signature of the SAML authentication response. When you use SplunkWeb to configure SAML, the public key from metadata is automatically set to replicate to Search.
1. Generate a public/private key pair.
2. Concatenate the generated key pair into one pem file. This file is used for signing authentication requests going out from Splunk. Concatenate in the following order:
- Public key is self signed:
- Private key
- Public key
- Public key is signed by a intermediate/rootCA:
- Private key
- Public key
- Issuers of PublicKeys. Should match the order in that the certificate issuers present.
- root CA.
3. Replicate the new certificate file to the location relative to $SPLUNK_HOME on each search head. Make sure to give the certificate the same name on all search heads. For example:
4. Edit the Splunk metadata: In the <X509Certificate> file, swap the public key in the metadata with the public key from the new certificate. Then remove the -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE-----
tags.
5. Configure your IdP using the Splunk metadata. See the instructions for your IdP.
6. Collect your IdP metadata and use it to configure Splunk. Previous steps created a SAML-related configuration in $SPLUNK_HOME/etc/system/local/authentication.conf
.
Note: To enable seamless Single Logout, we recommend that you configure search head members to all have same entityID.
7. Add the path to the ClientCert parameter in authentication configuration:
8. If the private key you created in step 1. is encrypted and you set up a password for the private key sslPassword = <password for private key>
then you must repeat steps ABC for all search head members.
9. Reload authentication on all search heads to implement your changes.
10. To validate your configuration, log in to each search head individually to ensure all search heads are using the same key for signing authentication requests and that the IdP is configured with the right cert for verifying signature of the request.
Troubleshoot SAML SSO | Best practices for using SAML as an authentication scheme for single-sign on |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0
Feedback submitted, thanks!