Enable or disable token authentication
You can enable token authentication at any time if your Splunk platform account has the appropriate permissions. Token authentication is off by default on the Splunk platform.
You can also disable token authentication at any time if you have enabled it and have the appropriate permissions. If token authentication is disabled, token users cannot authenticate into the instance, even if you have previously defined valid tokens.
Tokens retain their individual validity status regardless of whether token authentication is on or off, and when you re-enable token authentication after disabling it, holders of valid tokens can use them again.
Prerequisites for enabling or disabling token authentication
Before you can enable token authentication, you must satisfy the following requirements:
Splunk Cloud Platform
- You must configure your Splunk Cloud Platform instance to use either the native or the SAML authentication schemes.
- If you configure Splunk Cloud Platform to use the SAML authentication scheme, you must also either configure the instance to use a SAML identity provider (IdP) that supports Attribute Query Requests (AQR) or use authentication extensions. See Configure Splunk Cloud Platform to use SAML for authentication tokens.
- The account that you use to log into the Splunk platform must hold a role that has the
edit_tokens_settings
Splunk platform capability before you can turn token authentication on or off.
Splunk Enterprise
- You must enable Transport Layer Security (TLS)/SSL on your Splunk platform instance. See About securing Splunk Enterprise with SSL for details.
- You must confirm that you have enabled app key value store (KV Store). By default, KV store is enabled on search heads. See About app key value store in the Admin Manual for more information.
- The account that you use to log into the Splunk platform must hold a role that has the
edit_tokens_settings
Splunk platform capability before you can turn token authentication on or off.
Enable token authentication for a Splunk platform instance
You can enable token authentication by using Splunk Web, editing configuration files, or making a call to a Representational State Transfer (REST) endpoint.
At this time, you cannot use the Splunk CLI on Splunk Enterprise to enable or disable token authentication.
Enable token authentication using Splunk Web
When token authentication is off, the following message displays on the "Tokens" page in Splunk Web:
Token authentication is currently disabled To enable token authentication, click Enable Token Authentication.
Perform this procedure on the instance where you want to enable token authentication.
- Log in to the Splunk platform instance as an administrator-level user, or a user that can manage tokens settings.
You cannot use a token to log in to Splunk Web. You must provide a valid user name and password.
- After you log in successfully, in the system bar, select Settings > Tokens.
- Click Enable Token Authentication. The Splunk platform instance enables token authentication immediately, and there is no need to restart the instance.
Enable token authentication using REST
The curl
command does not come standard on Windows PowerShell. Instead, you can use the Invoke_RestMethod
PowerShell cmdlet on PowerShell versions 3.0 and higher.
- Open a shell prompt.
- Run the following command
curl -k -u <splunk_username>:<password> -X POST https://<servername>:<port>/services/admin/token-auth/tokens_auth -d disabled=false
The Splunk platform enables token authentication immediately. On Splunk Enterprise instances, there is no need to restart.
Enable token authentication using configuration files
Perform this procedure on the Splunk Enterprise instance where you want to enable token authentication. This option is not available on Splunk Cloud instances.
- Open a shell prompt or PowerShell window.
- Change to the
$SPLUNK_HOME/etc/system/local
directory. - Use a text editor to open the
authorize.conf
file for editing. - In the
authorize.conf
file, add the following lines of text:
[tokens_auth] disabled = false
- Save the
authorize.conf
file and close it. - Restart the Splunk platform.
Set a default relative token expiration time using configuration files
Optionally, to set a default relative time expiration for any tokens on the Splunk Enterprise instance, use this procedure. Expiration times that you specify in the token creation dialog override the default setting. You cannot perform this operation in Splunk Cloud or on Splunk Web, and you cannot set an expiration time in the past.
- Open a shell prompt or PowerShell window.
- Change to the
$SPLUNK_HOME/etc/system/local
directory. - Use a text editor to open the
authorize.conf
file for editing. - In the
tokens_auth
stanza, add the following line of text, substituting<relative time>
with a string that represents an amount of time from the time that you create a token:
expiration=<relative time>
For example, if you want to specify a default expiration time of 5 days for a token after you create it, set
<relative time>
to+5d
.
- Save the file and close it.
- Restart the Splunk platform.
See Time modifiers in the Search Reference manual for more information on time modifier syntax.
Disable token authentication on a Splunk platform instance
On Splunk Cloud instances, you can disable token authentication by using Splunk Web. On Splunk Enterprise instances, you can disable token authentication by using Splunk Web, editing configuration files, or making a call to a REST endpoint.
Disable token authentication using Splunk Web
Perform this procedure on the instance where you want to disable token authentication. You can use Splunk Web to disable token authentication on either Splunk Cloud or Splunk Enterprise instances
- Log in to the Splunk platform instance as a user that can edit token settings.
You cannot use a token to log in to Splunk Web. You must provide a valid user name and password.
- After you log in, in the system bar, select Settings > Tokens.
- Click Disable Token Authentication. The instance disables token authentication immediately, and there is no need to restart the instance.
Disable token authentication using REST
The curl
command does not come standard on Windows PowerShell. Instead, you can use the Invoke_RestMethod
PowerShell cmdlet.
- Open a shell prompt.
- Run the following command
curl -k -u <splunk_username>:<password> -X POST https://<servername>:<port>/services/admin/token-auth/tokens_auth -d disabled=true
The instance disables token authentication immediately, and there is no need to restart the instance.
Disable token authentication using configuration files
Perform this procedure on the Splunk Enterprise instance where you want to disable token authentication. This option is not available for Splunk Cloud instances.
- Open a shell prompt or PowerShell window.
- Change to the
$SPLUNK_HOME/etc/system/local
directory. - Use a text editor to open the
authorize.conf
file. - In the
authorize.conf
file, edit the following lines of text:
[tokens_auth] disabled = true
- Save the
authorize.conf
file and close it. - Restart Splunk Enterprise.
Create, use, manage, and delete tokens
After you enable token authentication, you can do the following with authentication tokens:
- Create tokens. See Create authentication tokens.
- Manage or delete tokens. See Manage or delete authentication tokens.
- Use tokens to authenticate. See Use authentication tokens.
If you disable token authentication, any tokens that are on the instance become inaccessible immediately, and you must enable token authentication again to restore access to tokens that are valid.
Configure Splunk Cloud Platform to use SAML for authentication tokens | Create authentication tokens |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.2.2406, 8.2.2112, 8.2.2202, 9.0.2205, 8.2.2201, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release)
Feedback submitted, thanks!