Configure authentication using single sign-on
Integrate Splunk UBA with your existing authentication system using single sign-on (SSO). You can configure SSO in Splunk UBA with multiple identity providers.
- To configure SSO for any supported identity provider using metadata files, see Configure SSO using metadata files.
- If you want to configure SSO without using metadata files:
Required attributes
Splunk UBA requires the following attributes from your SSO identity provider:
SSO Attribute | Description |
---|---|
role | The list of groups to which the user is assigned. A user's role is used to map to the roles in your Splunk UBA instance's SAML configuration. |
realName | Name of the user that will be used as the login display name. |
mail | Email address of the user that will be used as the login display name. |
If both realName and mail are provided, the email address is used as the login display name. If neither is provided, you will see "Unknown User".
Configure SSO using metadata files
Configure single sign-on for all identity providers using metadata files in your environment.
- Log into Splunk UBA as a user with Admin privileges.
- Create an account role that matches the group name in your identity provider. For example, if your identity provider user is assigned to the group uba_users, create an account role in Splunk UBA called uba_users (not case-sensitive). You can either create a new account role, or clone an existing one. All users in this group will have the permissions configured in this role. See Create a custom role or Clone an existing role.
Since User, Analyst, Admin, and Content_Developer are Splunk UBA roles by default, you do not need to create these account roles if your identity provider group names match these role names.
If the role is not properly configured in Splunk UBA, you will see the following error message:
"No permissions are granted to this username."
- After the account role is created, select Manage > Settings.
- Verify that Authentication is selected, then click on the SSO Authentication checkbox.
- Click Download File to download the SP metadata file from Splunk UBA. Add this file to your SAML environment to connect it to Splunk UBA.
If you use a custom certificate, you might need to replace the self-signed certificate from UBA in the .xml metadata file that is generated.
- Click Select File to download or browse and select your metadata file, or copy and paste your metadata directly into the Metadata Contents field and click Apply. Refer to your identity provider documentation if you are not sure how to locate your metadata file.
- Enter an entity ID in the EntityId field. This is an identifier for this Splunk UBA instance that is unique across all entities on the identity provider.
- Review and verify the remaining fields on the page that are automatically populated from the metadata files.
- Click OK.
Configure SSO with Ping Identity as your identity provider
To configure SSO for Splunk UBA with Ping Identity as your identity provider, make sure you have properly configured your Ping Identity environment, including:
- Create a Service Provider connection on Ping Federate with "Browser SSO profile" as the Connection Type.
- Make a directory with the name "idpcerts" under the /var/vcap/store/caspida/certs path if it does not exist already.
- Select and export the signed certificate for Digital Signature Settings. Save this file to the /var/vcap/store/caspida/certs/idpcerts directory in Splunk UBA.
- Import the Splunk UBA 3rd party/self-signed certificate as a Digital Verification Certificate.
Incorrectly importing the certificate may result in infinite login redirect loops. If you are seeing this behavior, verify that the Splunk UBA 3rd party/self-signed certificate is imported correctly.
In Splunk UBA, perform the following tasks:
- Log into Splunk UBA as a user with Admin privileges.
- Create an account role that matches the Ping Identity group name. For example, if your Ping Identity user is assigned to the group uba_users, create an account role in Splunk UBA called uba_users (not case-sensitive). You can either create a new account role, or clone an existing one. All users in this group will have the permissions configured in this role. See Create a custom role or Clone an existing role.
Since User, Analyst, Admin, and Content_Developer are Splunk UBA roles by default, you do not need to create these account roles if your identity provider group names match these role names.
If the role is not properly configured in Splunk UBA, you will see the following error message:
"No permissions are granted to this username."
- After the account role is created, select Manage > Settings.
- Verify that Authentication is selected, then click on the SSO Authentication checkbox and complete the fields.
Field | Description |
---|---|
EntityId | An identifier for this Splunk UBA instance that is unique across all entities in your Ping Identity environment. For example, SplunkUBA. |
IdP Certificate | Location and name of the PingIdentity certificate. This file is exported and located in the Splunk UBA certs/idpcerts directory. For example, /var/vcap/store/caspida/certs/idpcerts/ping.pem. |
Private Key file | Full path and name of the Splunk UBA 3rd party certificate or self-signed certificate. The certificate must be located in the Splunk UBA certs directory or a subdirectory under the certs directory based on the current deployment settings. For example, /var/vcap/store/caspida/certs/mycerts/my-server.key.pem. See Request and add a new certificate to Splunk UBA to access the Splunk UBA web interface in Install and Upgrade Splunk User Behavior Analytics for more information about creating 3rd party or self-signed certificates. |
Login Url | SSO application endpoint. Click Application Endpoints on the IdP Configuration menu to see a list of endpoints and descriptions applicable to your federation role. An SSO application endpoint has the format Ping URL + SSO endpoint + ?PartnerSpId=xxx, such as https://sso002.example.com:9031/idp/startSSO.ping?PartnerSpId=splunkuba01. |
Login Callback Path | The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your Splunk UBA instance. For example, if your identity provider is configured with https://uba/saml/acs, then specify /saml/acs in this field. |
Logout Url | SLO application endpoint. Click Application Endpoints on the IdP Configuration menu to see a list of endpoints and descriptions applicable to your federation role. An SLO application endpoint has the format Ping URL + SLO endpoint + ?PartnerSpId=xxx, such as https://sso002.example.com:9031/idp/startSLO.ping?PartnerSpId=splunkuba01. |
Logout Callback Path | The location where the logout response will be sent. For example, if your identity provider is configured with https://uba/saml/logout, then specify /saml/logout in this field. |
- Click OK.
- Verify that you want to restart Splunk UBA for these changes to take effect. If yes, click OK to restart Splunk UBA.
Configure SSO with Okta as your identity provider
To configure SSO for Splunk UBA with Okta as your identity provider, make sure you have properly configured your Okta environment, including:
- Added Splunk UBA as a new App with the Splunk UBA 3rd party/self-signed certificate uploaded.
- Configured the desired user groups.
- Make a directory with the name "idpcerts" under the /var/vcap/store/caspida/certs path if it does not exist already.
- Downloaded the Okta X.509 certificate. Save this file to the /var/vcap/store/caspida/certs/idpcerts directory in Splunk UBA.
Then, perform the following tasks:
- Log into Splunk UBA as a user with Admin privileges.
- Create an account role that matches the Okta group name. For example, if your Okta user is assigned to the group uba_users, create an account role in Splunk UBA called uba_users. You can either create a new account role, or clone an existing one. All users in this group will have the permissions configured in this role. See Create a custom role or Clone an existing role.
Since User, Analyst, Admin, and Content_Developer are Splunk UBA roles by default, you do not need to create these account roles if your identity provider group names match these role names.
If the role is not properly configured in Splunk UBA, you will see the following error message:
"No permissions are granted to this username."
Check that the following attribute statements are correctly added:
Name | Name format | Value |
---|---|---|
realName | Unspecified | user.email |
Check that the following group attribute statements are correctly added:
Name | Name format | Filter |
---|---|---|
role | Unspecified | Matches regex: .* |
- After the account role is created, select Manage > Settings.
- Verify that Authentication is selected, then click on the SSO Authentication checkbox and complete the fields.
Field | Description |
---|---|
EntityId | An identifier for this Splunk UBA instance that is unique across all entities in your Okta environment. For example, SplunkUBA. |
IdP Certificate | Location and name of the Okta X.509 certificate. This file is downloaded from Okta and located in the Splunk UBA certs/idpcerts directory. For example, /var/vcap/store/caspida/certs/idpcerts/okta.pem. |
Private Key file | Full path and name of the Splunk UBA 3rd party certificate or self-signed certificate. The certificate must be located in the Splunk UBA certs directory or a subdirectory under the certs directory based on the current deployment settings. For example, /var/vcap/store/caspida/certs/mycerts/my-server.key.pem. See Request and add a new certificate to Splunk UBA to access the Splunk UBA web interface in Install and Upgrade Splunk User Behavior Analytics for more information about creating 3rd party or self-signed certificates. |
Login Url | Single sign-on URL of the identity provider. |
Login Callback Path | The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your Splunk UBA instance. For example, if your identity provider is configured with https://uba/saml/acs, then specify /saml/acs in this field. |
Logout Url | Single logout URL of the identity provider. |
Logout Callback Path | The location where the logout response will be sent. For example, if your identity provider is configured with https://uba/saml/logout, then specify /saml/logout in this field. |
- Click OK.
- Verify that you want to restart Splunk UBA for these changes to take effect. If yes, click OK to restart Splunk UBA.
Configure SSO with ADFS as your identity provider
To configure SSO for Splunk UBA with ADFS as your identity provider, make sure you have properly configured your ADFS environment, including:
- Add the Relying Party Trust with the Splunk UBA 3rd party/self-signed certificate uploaded
- Manually generate and download the ADFS X.509 certificate.
- In ADFS, go to ADFS > Endpoints.
- Locate the FederationMetadata URL in the Metadata section. This URL can be accessed by using a browser to download/save the XML metadata into a file. An example URL is:
https://localhost/FederationMetadata/2007-06/FederationMetadata.xml
- Make a directory with the name "idpcerts" under the /var/vcap/store/caspida/certs path if it does not exist already.
- Get the unique content of the <X509Certificate> and use the content to create the certificate file called adfs.pem. Add this file to the /var/vcap/store/caspida/certs/idpcerts directory in Splunk UBA.
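One way to carry out the <X509Certificate> step above, as an added example that is not part of the Splunk documentation: it picks the signing certificate published under IDPSSODescriptor in the federation metadata, drops duplicate copies, and wraps the result as PEM text suitable for adfs.pem. The metadata and certificate bytes are constructed samples, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in bytes, not a real certificate. The functions below only
# decode and re-encode, so any byte string exercises them.
SAMPLE_DER = bytes(range(96))
_b64 = base64.b64encode(SAMPLE_DER).decode()
_other = base64.b64encode(bytes(range(96, 192))).decode()

# Constructed metadata: the signing certificate appears twice (document
# signature and IdP role) next to an encryption certificate to be skipped.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.test/trust">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_other}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {_b64[:64]}
        {_b64[64:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def signing_certs(metadata_xml):
    """Return the unique DER certificates the IdP role publishes for signing."""
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("DOCTYPE is not expected in SAML metadata")
    root = ET.fromstring(metadata_xml)
    certs = {}  # dict keeps first-seen order and drops duplicates
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no "use" covers signing too
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            text = "".join((node.text or "").split())
            certs[base64.b64decode(text, validate=True)] = None
    return list(certs)

def to_pem(der):
    """Wrap DER bytes as a PEM certificate with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----", ""])

def sha256_fingerprint(der):
    """Colon-separated SHA-256 of the DER bytes, to compare with the IdP."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

if __name__ == "__main__":
    for cert in signing_certs(SAMPLE_METADATA):
        print(sha256_fingerprint(cert), to_pem(cert), sep="\n", end="")
```

Compare the printed fingerprint with the one your identity provider shows for its signing certificate before saving the PEM text as adfs.pem.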
Then, perform the following tasks:
- Log into Splunk UBA as a user with Admin privileges.
- Create an account role that matches the ADFS group name. For example, if your ADFS user is assigned to the group uba_users, create an account role in Splunk UBA called uba_users. You can either create a new account role, or clone an existing one. All users in this group will have the permissions configured in this role. See Create a custom role or Clone an existing role.
Since User, Analyst, Admin, and Content_Developer are Splunk UBA roles by default, you do not need to create these account roles if your identity provider group names match these role names.
If the role is not properly configured in Splunk UBA, you will see the following error message:
"No permissions are granted to this username."
- After the account role is created, select Manage > Settings.
- Verify that Authentication is selected, then click on the SSO Authentication checkbox and complete the fields.
Field | Description |
---|---|
EntityId | An identifier for this Splunk UBA instance that is unique across all entities in your ADFS environment. For example, SplunkUBA. |
IdP Certificate | Location and name of the ADFS X.509 certificate you generated earlier. For example, /var/vcap/store/caspida/certs/idpcerts/adfs.pem. |
Private Key file | Full path and name of the Splunk UBA 3rd party certificate or self-signed certificate. The certificate must be located in the Splunk UBA certs directory or a subdirectory under the certs directory based on the current deployment settings. For example, /var/vcap/store/caspida/certs/mycerts/my-server.key.pem. See Request and add a new certificate to Splunk UBA to access the Splunk UBA web interface in Install and Upgrade Splunk User Behavior Analytics for more information about creating 3rd party or self-signed certificates. |
Login Url | Single sign-on URL of the identity provider. |
Login Callback Path | SAML Assertion Consumer Endpoints path. For example, if your identity provider is configured with https://uba/saml/acs, then specify /saml/acs in this field. |
Logout Url | Single logout URL of the identity provider. |
Logout Callback Path | The SAML Logout Endpoints path. For example, if your identity provider is configured with https://uba/saml/logout, then specify /saml/logout in this field. |
- Click OK.
- Verify that you want to restart Splunk UBA for these changes to take effect. If yes, click OK to restart Splunk UBA.
Configure SSO with OneLogin as your identity provider
To configure SSO for Splunk UBA with OneLogin as your identity provider, make sure you have properly configured your OneLogin environment, including:
- Added Splunk UBA as a new app.
- Configured the desired user groups.
- Verify that the OneLogin users in the desired user groups have both their username and email fields configured.
- Make a directory with the name "idpcerts" under the /var/vcap/store/caspida/certs path if it does not exist already.
- Downloaded the OneLogin X.509 certificate. Save this file to the /var/vcap/store/caspida/certs/idpcerts directory in Splunk UBA.
Then, perform the following tasks in Splunk UBA:
- Log into Splunk UBA as a user with Admin privileges.
- Create an account role that matches the OneLogin group name. For example, if your OneLogin user is assigned to the group uba_users, create an account role in Splunk UBA called uba_users (not case-sensitive). You can either create a new account role, or clone an existing one. All users in this group will have the permissions configured in this role. See Create a custom role or Clone an existing role.
Since User, Analyst, Admin, and Content_Developer are Splunk UBA roles by default, you do not need to create these account roles if your identity provider group names match these role names.
If the role is not properly configured in Splunk UBA, you will see the following error message:
"No permissions are granted to this username."
- After the account role is created, select Manage > Settings.
- Verify that Authentication is selected, then click on the SSO Authentication checkbox and complete the fields.
Field | Description |
---|---|
EntityId | An identifier for this Splunk UBA instance that is unique across all entities in your OneLogin environment. For example, SplunkUBA. |
IdP Certificate | The location and name of the OneLogin certificate. This is downloaded from OneLogin and located in the Splunk UBA certs/idpcerts directory, as described earlier in the procedure. For example, /var/vcap/store/caspida/certs/idpcerts/OneLogin.pem. |
Private Key file | The full path and name of the Splunk UBA 3rd party certificate or self-signed certificate. The certificate must be located in the Splunk UBA certs directory or a subdirectory under the certs directory based on the current deployment settings. For example, /var/vcap/store/caspida/certs/mycerts/my-server.key.pem. See Request and add a new certificate to Splunk UBA to access the Splunk UBA web interface in Install and Upgrade Splunk User Behavior Analytics for more information about creating 3rd party or self-signed certificates. |
Login Url | The OneLogin single sign-on URL, provided as the SAML Endpoint (HTTP) in your OneLogin App SSO tab. |
Login Callback Path | The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your Splunk UBA instance. For example, if your identity provider is configured with https://uba/saml/acs, then specify /saml/acs in this field. |
Logout Url | The OneLogin single logout URL, provided as the SLO Endpoint (HTTP) in your OneLogin App SSO tab. |
Logout Callback Path | The location where the logout response will be sent. For example, if your identity provider is configured with https://uba/saml/logout, then specify /saml/logout in this field. |
- Click OK.
- Verify that you want to restart Splunk UBA for these changes to take effect. If yes, click OK to restart Splunk UBA.
Configure SSO with Azure AD as your identity provider
To configure SSO for Splunk UBA with Azure AD as your identity provider, make sure you have properly configured your Azure AD environment, including:
- Added Splunk UBA as a new app.
- Configured the desired user and groups.
- Verify that the Azure AD users in the desired groups have their username, email, and group fields configured.
- Create a directory in Splunk UBA with the name "idpcerts" under the /var/vcap/store/caspida/certs path if it does not exist already.
- Downloaded the Azure AD SSO Certificate (Base64). Save this *.cer file as a *.pem file to the /var/vcap/store/caspida/certs/idpcerts directory in Splunk UBA.
Then, perform the following tasks in Splunk UBA:
- Log into Splunk UBA as a user with Admin privileges.
- Create an account role that matches the Azure AD group's Object ID. For example, if your Azure AD user is assigned to the group uba_users with Object ID "3e1a9a14-0b9c-4682-a28e-cfe3120cdad9", create an account role in Splunk UBA called "3e1a9a14-0b9c-4682-a28e-cfe3120cdad9".
You can either create a new account role, or clone an existing one. All users in this group will have the permissions configured in this role. See Create a custom role or Clone an existing role in the Administer Splunk User Behavior Analytics manual.
Since User, Analyst, Admin, and Content_Developer are Splunk UBA roles by default, you do not need to create these account roles if your identity provider group names match these role names.
If the role is not properly configured in Splunk UBA, you will see the following error message:
"No permissions are granted to this username."
- After the account role is created, select Manage > Settings.
- Verify that Authentication is selected, then click on the SSO Authentication checkbox and complete the fields:
Field | Description |
---|---|
SP Entity ID | An identifier for this Splunk UBA instance that is unique across all entities in your Azure AD environment. For example, SplunkUBA. |
IdP Entity ID | This is the Entity ID of the Identity Provider (IdP). This field is optional. |
IdP Certificate | The location and name of the Azure AD certificate. This is downloaded from Azure AD and located in the Splunk UBA certs/idpcerts directory, as described earlier in the procedure. For example, /var/vcap/store/caspida/certs/idpcerts/AzureAD.pem. |
Private Key file | The full path and name of the Splunk UBA 3rd party certificate or self-signed certificate. The certificate must be located in the Splunk UBA certs directory or a subdirectory under the certs directory based on the current deployment settings. For example, /var/vcap/store/caspida/certs/mycerts/my-server.key.pem. See Request and add a new certificate to Splunk UBA in the Install and Upgrade Splunk User Behavior Analytics manual for more information about creating 3rd party or self-signed certificates. |
Login Url | The Azure AD single sign-on URL, provided as the SAML Endpoint (HTTP) in your Azure AD App SSO configuration page. |
Login Callback Path | The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your Splunk UBA instance. For example, if your identity provider is configured with https://uba/saml/acs, then specify /saml/acs in this field. |
Logout Url | The Azure AD single logout URL, provided as the SLO Endpoint (HTTP) in your Azure AD App SSO configuration page. |
Logout Callback Path | The location where the logout response will be sent. For example, if your identity provider is configured with https://uba/saml/logout, then specify /saml/logout in this field. |
- Click OK.
- Verify that you want to restart Splunk UBA for these changes to take effect. If yes, click OK to restart Splunk UBA.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1