Secure SSO with TLS certificates on Splunk Enterprise
On Splunk Enterprise, you can secure single sign-on (SSO) operations with transport layer security (TLS) certificates. Splunk Cloud Platform already secures communications between your browser and the instance end-to-end.
The following settings in the authentication.conf configuration file let Splunk Enterprise perform TLS verification between the Splunk Enterprise instance and the Simple Object Access Protocol (SOAP) endpoint that provides the AttributeQuery service.
| Setting name | Setting type | Description |
|---|---|---|
| sslVersions | comma-separated list | The SSL/TLS protocol versions that the Splunk Enterprise instance supports for this connection. |
| sslCommonNameToCheck | string | Splunk Enterprise limits most outbound HTTPS connections to hosts that present a certificate with this common name. The sslVerifyServerCert setting must be true for this setting to have an effect. |
| sslAltNameToCheck | comma-separated list | Splunk Enterprise accepts a certificate whose Subject Alternative Name matches any of the alternate names in this list. The sslVerifyServerCert setting must be true for this setting to have an effect. |
| ecdhCurveName | string | The name of the Elliptic Curve Diffie-Hellman (ECDH) curve that Splunk Enterprise uses for ECDH key negotiation. |
| serverCert | string | The location of the server certificate file. |
| sslPassword | string | The password that protects the private key of the server certificate. |
| caCertFile | string | The certificate of the certificate authority (CA) that signed the certificates. Splunk Enterprise uses it as the trust anchor when it validates the chain that the remote server presents. |
| sslVerifyServerCert | Boolean | Whether Splunk Enterprise verifies the certificate that the remote server presents. When true, Splunk Enterprise checks the common name and the alternate names that you specify and considers the certificate valid if either matches. When false, the name checks have no effect. |
| blacklistedAutoMappedRoles | comma-separated list | A list of Splunk roles that Splunk Enterprise must not auto-map when they arrive in the response from the IdP. |
| blacklistedUsers | comma-separated list | A list of user names that Splunk Enterprise must reject when they arrive in the IdP response. |
| nameIdFormat | string | If the IdP supports it, the format of the Subject NameID that Splunk Enterprise requests in the SAML authentication request and that the IdP returns in the SAML assertion. |
| ssoBinding | string | The binding that Splunk Enterprise uses when it makes a service-provider-initiated SAML authentication request. The binding must match the one configured on the IdP. |
| sloBinding | string | The binding that Splunk Enterprise uses when it makes a logout request or sends a logout response to complete the logout workflow. The binding must match the one configured on the IdP. |
| signatureAlgorithm | string | The signature algorithm to use for an SP-initiated SAML request. The signedAuthnRequest setting must be true for this setting to have an effect. The algorithm applies to both the HTTP POST and HTTP Redirect bindings. |
| inboundSignatureAlgorithm | semicolon-separated list | The signature algorithms that Splunk Enterprise accepts in SAML responses. The setting applies to both the HTTP POST and HTTP Redirect bindings. |
| replicateCertificates | Boolean | Whether Splunk Enterprise replicates IdP certificate files across the nodes of the deployment. If replication is disabled, you must copy the certificate files to each node manually, or verification of signed SAML assertions fails. |
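The table lists the settings but not what a weak and a hardened [saml] stanza look like side by side, nor which combinations silently do nothing (for example, sslCommonNameToCheck with sslVerifyServerCert left at false). The following is an added example, not Splunk code or text from this page: it embeds two constructed authentication.conf stanzas and audits them with the rules the table implies. The host names, file paths, the sslPassword placeholder, the ecdhCurveName value and the choice of which protocol versions and algorithms to treat as weak are assumptions for illustration; check them against your own deployment and the authentication.conf spec file shipped with your version.

```python
"""Audit the TLS and signature settings of a Splunk authentication.conf [saml] stanza.

Added example, not Splunk code. Both stanzas below are constructed inputs;
host names, paths, the password placeholder and the curve name are assumptions.
"""
import configparser

# Constructed weak stanza: server certificate not verified (so the name checks are
# ignored), legacy TLS versions enabled, SHA-1 request signatures, SHA-1 accepted
# on inbound responses, and certificate replication switched off.
WEAK_CONF = """
[saml]
sslVersions = tls1.0, tls1.1, tls1.2
sslVerifyServerCert = false
sslCommonNameToCheck = idp.example.com
signedAuthnRequest = true
signatureAlgorithm = RSA-SHA1
inboundSignatureAlgorithm = RSA-SHA1;RSA-SHA256
replicateCertificates = false
"""

# Constructed hardened stanza for the same deployment.
HARDENED_CONF = """
[saml]
sslVersions = tls1.2
sslVerifyServerCert = true
sslCommonNameToCheck = idp.example.com
sslAltNameToCheck = idp.example.com, idp-backup.example.com
caCertFile = /opt/splunk/etc/auth/idp/idp-ca.pem
serverCert = /opt/splunk/etc/auth/idp/splunk-client.pem
sslPassword = placeholder-not-a-real-password
ecdhCurveName = prime256v1
signedAuthnRequest = true
signatureAlgorithm = RSA-SHA256
inboundSignatureAlgorithm = RSA-SHA256;RSA-SHA384;RSA-SHA512
replicateCertificates = true
"""

# Assumed policy: these protocol versions and this signature algorithm are weak.
LEGACY_TLS = {"ssl3", "tls1.0", "tls1.1"}
WEAK_SIG = {"RSA-SHA1"}


def parse_saml_stanza(text: str) -> dict:
    """Parse the [saml] stanza into a dict. Splunk setting names are
    case-sensitive, so optionxform is overridden to keep them as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["saml"]) if cp.has_section("saml") else {}


def _is_true(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes"}


def _split(value: str, sep: str) -> list:
    return [v.strip() for v in value.split(sep) if v.strip()]


def audit_saml(settings: dict, multi_node: bool = True) -> list:
    """Return a list of findings; an empty list means the stanza passed."""
    findings = []
    # sslCommonNameToCheck / sslAltNameToCheck do nothing unless this is true.
    if not _is_true(settings.get("sslVerifyServerCert", "false")):
        findings.append("sslVerifyServerCert is not true: the AttributeQuery server "
                        "certificate is not verified and the name checks are ignored")
    elif not (settings.get("sslCommonNameToCheck") or settings.get("sslAltNameToCheck")):
        findings.append("sslVerifyServerCert is true but neither sslCommonNameToCheck "
                        "nor sslAltNameToCheck is set")
    if not settings.get("caCertFile"):
        findings.append("caCertFile is not set: no trust anchor for the server chain")
    legacy = LEGACY_TLS & {v.lower() for v in _split(settings.get("sslVersions", ""), ",")}
    if legacy:
        findings.append("sslVersions enables legacy protocol(s): " + ", ".join(sorted(legacy)))
    # signatureAlgorithm only takes effect when signedAuthnRequest is true.
    if _is_true(settings.get("signedAuthnRequest", "false")) and \
            settings.get("signatureAlgorithm", "") in WEAK_SIG:
        findings.append("signatureAlgorithm uses RSA-SHA1 for signed AuthnRequests")
    inbound = set(_split(settings.get("inboundSignatureAlgorithm", ""), ";"))
    if inbound & WEAK_SIG:
        findings.append("inboundSignatureAlgorithm accepts RSA-SHA1-signed responses")
    # Only flag an explicit false; an absent setting is left to the product default.
    if multi_node and "replicateCertificates" in settings and \
            not _is_true(settings["replicateCertificates"]):
        findings.append("replicateCertificates is false on a multi-node deployment: IdP "
                        "certificates must be copied to every node by hand or assertion "
                        "verification fails")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_saml(parse_saml_stanza(conf)) or ["ok"])
```

The check that matters most is the first one: a stanza that sets sslCommonNameToCheck but leaves sslVerifyServerCert at false looks pinned to one IdP host while actually accepting any certificate, so the audit reports the missing verification rather than the name setting.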
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)