Configure Splunk Cloud Platform to use SAML for authentication tokens
Currently, the Splunk platform supports using authentication tokens in Splunk Cloud Platform with the Microsoft Azure and Okta Security Assertion Markup Language (SAML) identity providers (IdPs), as well as other providers that support attribute query requests (AQR), which lets Splunk Cloud Platform retrieve information about users on the IdP. When you configure Splunk Cloud Platform to use SAML as an authentication scheme, you let Splunk Cloud Platform query these IdPs to confirm that tokens you create in Splunk Cloud Platform for authentication are valid.
Splunk Cloud Platform also supports authentication tokens when it uses either the native or Lightweight Directory Access Protocol (LDAP) authentication schemes. To learn more about authentication tokens, how they work, and how you enable or disable them individually or globally, see Set up authentication with tokens.
Prerequisites for using Splunk Cloud Platform with authentication tokens
- You must use one of the following SAML IdPs. There is no support for other IdPs at this time:
  - Microsoft Azure
  - Okta
  - Any other IdP that supports AQR.
- You must hold credentials that let you configure authentication schemes in Splunk Cloud Platform.
- You must configure Splunk Cloud Platform to use SAML as an authentication scheme, if you have not already.
- You must configure SAML authentication extensions for the IdPs to retrieve user information.
Configure Splunk Cloud Platform to use SAML as an authentication scheme
Before Splunk Cloud Platform can use Microsoft Azure or Okta to authenticate tokens, you must configure your Splunk Cloud Platform instance to use SAML for authentication.
If you have already configured your Splunk Cloud Platform instance to use SAML, you do not have to perform this procedure again.
- Log into Splunk Cloud Platform as an administrator level user.
- From the system bar, click Settings > Authentication Methods.
- Under External, click SAML. A link Configure Splunk to use SAML appears.
- Click Configure Splunk to use SAML. The SAML configuration dialog box appears.
- In the General Settings section of the "SAML configuration" dialog box, supply the appropriate information to access the Microsoft Azure or Okta IdP. You must supply at least the following in the "General Settings" section:
  - Single Sign-on (SSO) URL
  - IdP Certificate Chains
  - Issuer ID
  - Entity ID
- In the Alias section, supply the three aliases as provided by your IdP:
  - Role alias
  - RealName alias
  - Mail alias
Configure authentication extensions
When you configure authentication extensions, you specify a script for either Microsoft Azure or Okta, a timeout for the script to run, and a timeout for Splunk Cloud Platform to cache user information that it retrieves from the IdP.
When Splunk Cloud Platform queries the IdP and runs the appropriate script to get user information, the script timeout determines how long Splunk Cloud Platform waits to get user information from the IdP. You can configure it to wait anywhere from 300 to 3600 seconds, or 5 minutes to 1 hour. 300 seconds is the default.
After Splunk Cloud Platform successfully retrieves the information, it caches it, and the Get user info time-to-live determines how long Splunk Cloud Platform retrieves user information from the cache. During this period, Splunk Cloud Platform does not query the IdP for the information it has cached.
The lowest amount of time that Splunk Cloud Platform caches user information is 3600 seconds or 1 hour. You can set this timeout higher to reduce the chance of potentially overloading your IdP with authentication requests, but doing so also increases the chance that Splunk Cloud Platform might not have the most up-to-date user information, which can pose a security risk.
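The trade-off described above, as a simplified model added here (not Splunk code; FakeIdP, UserInfoCache and simulate are hypothetical names, and the scenario timings are constructed). It counts IdP queries and the token validations that still succeed from cache after the account has been disabled at the IdP.

```python
# Simplified model of a "get user info" cache with a time-to-live (TTL).
# Not Splunk code: FakeIdP, UserInfoCache and simulate() are hypothetical names.

class FakeIdP:
    """Stands in for the identity provider; counts how often it is queried."""
    def __init__(self, disabled_at):
        self.disabled_at = disabled_at   # time (s) the account is disabled at the IdP
        self.queries = 0

    def get_user_info(self, now):
        self.queries += 1
        return {"active": now < self.disabled_at}


class UserInfoCache:
    """Serves cached user info until it is at least ttl seconds old."""
    def __init__(self, idp, ttl):
        self.idp, self.ttl = idp, ttl
        self.entry = None                # (fetched_at, info)

    def lookup(self, now):
        if self.entry is None or now - self.entry[0] >= self.ttl:
            self.entry = (now, self.idp.get_user_info(now))
        return self.entry[1]


def simulate(ttl, disabled_at, check_every, duration):
    """Validate a token every check_every seconds for duration seconds.

    Returns (idp_queries, stale_accepts, last_stale_accept): how many times the
    IdP was queried, how many validations succeeded after the account was
    disabled, and the time of the last such validation (None if there was none).
    """
    idp = FakeIdP(disabled_at)
    cache = UserInfoCache(idp, ttl)
    stale, last_stale = 0, None
    for now in range(0, duration, check_every):
        if cache.lookup(now)["active"] and now >= disabled_at:
            stale, last_stale = stale + 1, now
    return idp.queries, stale, last_stale


if __name__ == "__main__":
    # Constructed scenario: account disabled 10 minutes in, token used every
    # 5 minutes for 8 hours, compared at the minimum TTL and at a 4-hour TTL.
    for ttl in (3600, 14400):
        print(ttl, simulate(ttl, disabled_at=600, check_every=300, duration=28800))
```

In this scenario the 4-hour TTL cuts IdP queries from 8 to 2, but the disabled account keeps validating for almost four hours instead of under one.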
Configure extensions for the Microsoft Azure identity provider
Splunk Cloud Platform requires the getUserInfo authentication extension to connect to Microsoft Azure as an identity provider.
If you have a user on the IdP that is a member of more than 150 groups, then Splunk Cloud Platform also requires the login authentication extension.
1. Log into Splunk Cloud Platform as an administrator level user.
2. From the system bar, click Settings > Authentication Methods.
3. Click "Configure Splunk to use SAML". The "SAML configuration" dialog box appears.
4. In the Script path field within the Authentication Extensions section of the "SAML configuration" dialog box, type in SAML_script_azure.py.
5. In the Script timeout field, type in 300s.
6. In the Get User Info time-to-live field, type in 3600s.
7. Click the Script functions field.
8. In the pop-up window that appears, click getUserInfo.
9. (Optional) If there is at least one user on the IdP that is a member of more than 150 groups, repeat Steps 7-8 to add the login script function.
10. Under Script Secure Arguments, click Add Input.
11. In the Key field, type in clientId.
12. In the Value field, type in the Azure client ID.
13. Repeat Steps 10-12 to add the clientSecret key and the Azure client secret value that Splunk Cloud Platform is to use for authentication.
14. Repeat Steps 10-12 to add the tenantId key and the Azure tenant ID value.
15. (Optional) If you want Splunk Cloud Platform to retrieve roles that are in nested groups within the Azure environment, repeat Steps 9-11 to add the groupType key and transitive as the groupType value.
16. Click Save. Splunk Cloud Platform saves the Azure configuration and returns you to the SAML Groups page.
Configure authentication extensions for the Okta identity provider
- Log into Splunk Cloud Platform as an administrator level user.
- From the system bar, click Settings > Authentication Methods.
- Click "Configure Splunk to use SAML". The "SAML configuration" dialog box appears.
- In the Script path field within the Authentication Extensions section of the "SAML configuration" dialog box, type in SAML_script_okta.py.
- In the Script timeout field, type in 300s.
- In the Get User Info time-to-live field, type in 3600s.
- Click the Script functions field.
- In the pop-up window that appears, click getUserInfo.
- Under Script Secure Arguments, click Add Input.
- In the Key field, type in apiKey.
- In the Value field, type in the API key for your IdP.
- Click "Add input" again.
- In the "Key" field, type in baseUrl.
- In the "Value" field, type in the URL of your Okta instance.
- Click Save. Splunk Cloud Platform saves the Okta configuration and returns you to the SAML Groups page.
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2208, 8.2.2112, 9.0.2205, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)