Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Configure authentication using single sign-on

Integrate Splunk UBA with your existing authentication system using single sign-on (SSO). Before you begin, complete the required attributes.

Required attributes

Splunk UBA requires the following attributes from your SSO identity provider:

SSO attribute Description
role The list of groups to which the user is assigned. A user's role is used to map to the roles in your Splunk UBA instance's SAML configuration.
realName Name of the user that will be used as the login display name.
mail Email address of the user that will be used as the login display name.

If both realName and mail are provided, the email address is used as the login display name. If neither is provided, you will see "Unknown User".

Identity provider options

After you complete the required attributes you can configure SSO in Splunk UBA. Several identity providers are available:


Configure SSO using metadata files

Configure single sign-on for all identity providers using metadata files in your environment.

  1. Log into Splunk UBA as a user with Admin privileges.
  2. Create an account role that matches the group name in your identity provider. For example, if your identity provider user is assigned to the group uba_users, create an account role in Splunk UBA called uba_users (not case-sensitive). You can either create a new account role, or clone an existing one. All users in this group will have the permissions configured in this role. See Create a custom role or Clone an existing role.

    Since User, Analyst, Admin, and Content_Developer are Splunk UBA roles by default, you do not need to create these account roles if your identity provider group names match these role names.

    If the role is not properly configured in Splunk UBA, you will see the following error message:

    "No permissions are granted to this username."
  3. After the account role is created, select Manage > Settings.
  4. Verify that Authentication is selected, then click on the SSO Authentication checkbox.
  5. Click Download File to download the SP metadata file from Splunk UBA. Add this file to your SAML environment to connect it to Splunk UBA.

    If you use a custom certificate, you might need to replace the self-signed certificate from UBA in the .xml metadata file that is generated.

  6. Click Select File to download or browse and select your metadata file, or copy and paste your metadata directly into the Metadata Contents field and click Apply. Refer to your identity provider documentation if you are not sure how to locate your metadata file.
  7. Enter an entity ID in the SP Entity ID field. This is an identifier for this Splunk UBA instance that is unique across all entities on the identity provider.
  8. Review and verify the remaining fields on the page that are automatically populated from the metadata files.
  9. Click OK.

Configure SSO with Ping Identity as your identity provider

To configure SSO for Splunk UBA with Ping Identity as your identity provider, make sure you have properly configured your Ping Identity environment, including:

  1. Create a Service Provider connection on Ping Federate with "Browser SSO profile" as the Connection Type.
  2. Make a directory with the name "idpcerts" under the /var/vcap/store/caspida/certs path if it does not exist already.
  3. Select and export the signed certificate for Digital Signature Settings. Save this file to the /var/vcap/store/caspida/certs/idpcerts directory in Splunk UBA.
  4. Import the Splunk UBA 3rd party/self-signed certificate as a Digital Verification Certificate.

Incorrectly importing the certificate may result in infinite login redirect loops. If you are seeing this behavior verify that the Splunk UBA 3rd party/self-signed certificate is imported correctly.

In Splunk UBA, perform the following tasks:

  1. Log into Splunk UBA as a user with Admin privileges.
  2. Create an account role that matches the Ping Identity group name. For example, if your Ping Identity user is assigned to the group uba_users, create an account role in Splunk UBA called uba_users (not case-sensitive). You can either create a new account role, or clone an existing one. All users in this group will have the permissions configured in this role. See Create a custom role or Clone an existing role.

    Since User, Analyst, Admin, and Content_Developer are Splunk UBA roles by default, you do not need to create these account roles if your identity provider group names match these role names.

    If the role is not properly configured in Splunk UBA, you will see the following error message:

    "No permissions are granted to this username."
  3. After the account role is created, select Manage > Settings.
  4. Verify that Authentication is selected, then click on the SSO Authentication checkbox and complete the fields.
    Field Description
    SP Entity ID An identifier for this Splunk UBA instance that is unique across all entities in your Ping Identity environment. For example, SplunkUBA.
    IdP Entity ID This is the Entity ID of the Identity Provider (IdP). This field is optional.
    IdP Certificate Location and name of the PingIdentity certificate. This file is exported and located in the Splunk UBA certs/idpcerts directory. For example, /var/vcap/store/caspida/certs/idpcerts/ping.pem.
    Private Key file Full path and name of the Splunk UBA 3rd party certificate or self-signed certificate. The certificate must be located in the Splunk UBA certs directory or a subdirectory under the certs directory based on the current deployment settings. For example, /var/vcap/store/caspida/certs/mycerts/my-server.key.pem. See Request and add a new certificate to Splunk UBA to access the Splunk UBA web interface in Install and Upgrade Splunk User Behavior Analytics for more information about creating 3rd party or self-signed certificates.
    Login Url SSO application endpoint. Click Application Endpoints on the IdP Configuration menu to see a list of endpoints and descriptions applicable to your federation role. An SSO application endpoint has the format Ping URL + SSO endpoint + ?PartnerSpId=xxx, such as https://sso002.example.com:9031/idp/startSSO.ping?PartnerSpId=splunkuba01.
    Login Callback Path The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your Splunk UBA instance. For example, if your identity provider is configured with https://uba/saml/acs, then specify /saml/acs in this field.
    Logout Url SLO application endpoint. Click Application Endpoints on the IdP Configuration menu to see a list of endpoints and descriptions applicable to your federation role. An SLO application endpoint has the format Ping URL + SLO endpoint + ?PartnerSpId=xxx, such as https://sso002.example.com:9031/idp/startSLO.ping?PartnerSpId=splunkuba01.
    Logout Callback Path The location where the logout response will be sent. For example, if your identity provider is configured with https://uba/saml/logout, then specify /saml/logout in this field.
  5. Click OK.
  6. Verify that you want to restart Splunk UBA for these changes to take effect. If yes, click OK to restart Splunk UBA.

Configure SSO with Okta as your identity provider

To configure SSO for Splunk UBA with Okta as your identity provider, make sure you have properly configured your Okta environment, including:

  • Added Splunk UBA as a new App with the Splunk UBA 3rd party/self-signed certificate uploaded.
  • Configured the desired user groups.
  • Make a directory with the name "idpcerts" under the /var/vcap/store/caspida/certs path if it does not exist already.
  • Downloaded the Okta X.509 certificate. Save this file to the /var/vcap/store/caspida/certs/idpcerts directory in Splunk UBA.

Then, perform the following tasks:

  1. Log into Splunk UBA as a user with Admin privileges.
  2. Create an account role that matches the Okta group name. For example, if your Okta user is assigned to the group uba_users, create an account role in Splunk UBA called uba_users. You can either create a new account role, or clone an existing one. All users in this group will have the permissions configured in this role. See Create a custom role or Clone an existing role.

    Since User, Analyst, Admin, and Content_Developer are Splunk UBA roles by default, you do not need to create these account roles if your identity provider group names match these role names.

    If the role is not properly configured in Splunk UBA, you will see the following error message:

    "No permissions are granted to this username."

    Check that the following attribute statements are correctly added:

    Name Name format Value
    realName Unspecified user.email

    Check that the following group attribute statements are correctly added:

    Name Name format Filter
    role Unspecified Matches regex: .*
  3. After the account role is created, select Manage > Settings.
  4. Verify that Authentication is selected, then click on the SSO Authentication checkbox and complete the fields.
    Field Description
    SP Entity ID An identifier for this Splunk UBA instance that is unique across all entities in your Okta environment. For example, SplunkUBA
    IdP Entity ID This is the Entity ID of the Identity Provider (IdP). This field is optional.
    IdP Certificate Location and name of the Okta X.509 certificate. This file is downloaded from Okta and located in the Splunk UBA certs/idpcerts directory. For example, /var/vcap/store/caspida/certs/idpcerts/okta.pem.
    Private Key file Full path and name of the Splunk UBA 3rd party certificate or self-signed certificate. The certificate must be located in the Splunk UBA certs directory or a subdirectory under the certs directory based on the current deployment settings. For example, /var/vcap/store/caspida/certs/mycerts/my-server.key.pem. See Request and add a new certificate to Splunk UBA to access the Splunk UBA web interface in Install and Upgrade Splunk User Behavior Analytics for more information about creating 3rd party or self-signed certificates.
    Login Url Single sign-on URL of the identity provider.
    Login Callback Path The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your Splunk UBA instance. For example, if your identity provider is configured with https://uba/saml/acs, then specify /saml/acs in this field.
    Logout Url Single logout URL of the identity provider.
    Logout Callback Path The location where the logout response will be sent. For example, if your identity provider is configured with https://uba/saml/logout, then specify /saml/logout in this field.
  5. Click OK.
  6. Verify that you want to restart Splunk UBA for these changes to take effect. If yes, click OK to restart Splunk UBA.

Configure SSO with ADFS as your identity provider

To configure SSO for Splunk UBA with ADFS as your identity provider, make sure you have properly configured your ADFS environment, including:

  • Add the Relying Party Trust with the Splunk UBA 3rd party/self-signed certificate uploaded
  • Manually generate and download the ADFS X.509 certificate.
  1. In ADFS, go to ADFS > Endpoints.
  2. Locate the FederationMetadata URL in the Metadata section. This URL can be accessed by using a browser to download/save the XML metadata into a file. An example URL is:
    https://localhost/FederationMetadata/2007-06/FederationMetadata.xml
  3. Make a directory with the name "idpcerts" under the /var/vcap/store/caspida/certs path if it does not exist already.
  4. Get the unique content of the <X509Certificate> and use the content to create the certificate file called adfs.pem. Add this file to the /var/vcap/store/caspida/certs/idpcerts directory in Splunk UBA.

Then, perform the following tasks:

  1. Log into Splunk UBA as a user with Admin privileges.
  2. Create an account role that matches the ADFS group name. For example, if your ADFS user is assigned to the group uba_users, create an account role in Splunk UBA called uba_users. You can either create a new account role, or clone an existing one. All users in this group will have the permissions configured in this role. See Create a custom role or Clone an existing role.

    Since User, Analyst, Admin, and Content_Developer are Splunk UBA roles by default, you do not need to create these account roles if your identity provider group names match these role names.

    If the role is not properly configured in Splunk UBA, you will see the following error message:

    "No permissions are granted to this username."
  3. After the account role is created, select Manage > Settings.
  4. Verify that Authentication is selected, then click on the SSO Authentication checkbox and complete the fields.
    Field Description
    SP Entity ID An identifier for this Splunk UBA instance that is unique across all entities in your ADFS environment. For example, SplunkUBA
    IdP Entity ID This is the Entity ID of the Identity Provider (IdP). This field is optional.
    IdP Certificate Location and name of the ADFS X.509 certificate you generated earlier. For example, /var/vcap/store/caspida/certs/idpcerts/adfs.pem.
    Private Key file Full path and name of the Splunk UBA 3rd party certificate or self-signed certificate. The certificate must be located in the Splunk UBA certs directory or a subdirectory under the certs directory based on the current deployment settings. For example, /var/vcap/store/caspida/certs/mycerts/my-server.key.pem. See Request and add a new certificate to Splunk UBA to access the Splunk UBA web interface in Install and Upgrade Splunk User Behavior Analytics for more information about creating 3rd party or self-signed certificates.
    Login Url Single sign-on URL of the identity provider.
    Login Callback Path SAML Assertion Consumer Endpoints path. For example, if your identity provider is configured with https://uba/saml/acs, then specify /saml/acs in this field.
    Logout Url Single logout URL of the identity provider.
    Logout Callback Path The SAML Logout Endpoints path. For example, if your identity provider is configured with https://uba/saml/logout, then specify /saml/logout in this field.
  5. Click OK.
  6. Verify that you want to restart Splunk UBA for these changes to take effect. If yes, click OK to restart Splunk UBA.

Configure SSO with OneLogin as your identity provider

To configure SSO for Splunk UBA with OneLogin as your identity provider, make sure you have properly configured your OneLogin environment, including:

  • Added Splunk UBA as a new app.
  • Configured the desired user groups.
  • Verify that the OneLogin users in the desired user groups have both their username and email fields configured.
  • Make a directory with the name "idpcerts" under the /var/vcap/store/caspida/certs path if it does not exist already.
  • Downloaded the OneLogin X.509 certificate. Save this file to the /var/vcap/store/caspida/certs/idpcerts directory in Splunk UBA.

Then, perform the following tasks in Splunk UBA:

  1. Log into Splunk UBA as a user with Admin privileges.
  2. Create an account role that matches the OneLogin group name. For example, if your OneLogin user is assigned to the group uba_users, create an account role in Splunk UBA called uba_users (not case-sensitive). You can either create a new account role, or clone an existing one. All users in this group will have the permissions configured in this role. See Create a custom role or Clone an existing role.

    Since User, Analyst, Admin, and Content_Developer are Splunk UBA roles by default, you do not need to create these account roles if your identity provider group names match these role names.

    If the role is not properly configured in Splunk UBA, you will see the following error message:

    "No permissions are granted to this username."
  3. After the account role is created, select Manage > Settings.
  4. Verify that Authentication is selected, then click on the SSO Authentication checkbox and complete the fields.
    Field Description
    SP Entity ID An identifier for this Splunk UBA instance that is unique across all entities in your OneLogin environment. For example, SplunkUBA
    IdP Entity ID This is the Entity ID of the Identity Provider (IdP). This field is optional.
    IdP Certificate The location and name of the OneLogin certificate. This is downloaded from OneLogin and located in the Splunk UBA certs/idpcerts directory, as described earlier in the procedure. For example, /var/vcap/store/caspida/certs/idpcerts/OneLogin.pem.
    Private Key file The full path and name of the Splunk UBA 3rd party certificate or self-signed certificate. The certificate must be located in the Splunk UBA certs directory or a subdirectory under the certs directory based on the current deployment settings. For example, /var/vcap/store/caspida/certs/mycerts/my-server.key.pem. See Request and add a new certificate to Splunk UBA to access the Splunk UBA web interface in Install and Upgrade Splunk User Behavior Analytics for more information about creating 3rd party or self-signed certificates.
    Login Url The OneLogin single sign-on URL, provided as the SAML Endpoint (HTTP) in your OneLogin App SSO tab.
    Login Callback Path The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your Splunk UBA instance. For example, if your identity provider is configured with https://uba/saml/acs, then specify /saml/acs in this field.
    Logout Url The OneLogin single logout URL, provided as the SLO Endpoint (HTTP) in your OneLogin App SSO tab.
    Logout Callback Path The location where the logout response will be sent. For example, if your identity provider is configured with https://uba/saml/logout, then specify /saml/logout in this field.
  5. Click OK.
  6. Verify that you want to restart Splunk UBA for these changes to take effect. If yes, click OK to restart Splunk UBA.


Configure SSO with Microsoft Entra ID as your identity provider

Microsoft Entra ID is formerly known as Azure Entra AD. See, https://www.microsoft.com/en-ca/security/business/identity-access/microsoft-entra-id

To configure SSO for Splunk UBA with Microsoft Entra ID as your identity provider, make sure you have properly configured your Microsoft Entra ID environment, including:

  • Added Splunk UBA as a new app.
  • Configured the desired user and groups.
  • Verify that the Microsoft Entra ID users in the desired groups have their username, email, and group fields configured.
  • Create a directory in Splunk UBA with the name "idpcerts" under the /var/vcap/store/caspida/certs path if it does not exist already.
  • Downloaded the Microsoft Entra ID SSO Certificate (Base64). Save this *.cer file as a *.pem file to the /var/vcap/store/caspida/certs/idpcerts directory in Splunk UBA.

Then, perform the following tasks in Splunk UBA:

  1. Log into Splunk UBA as a user with Admin privileges.
  2. Create an account role that matches the Microsoft Entra ID group's Object ID. For example, if your Microsoft Entra ID user is assigned to the group uba_users with Object ID "3e1a9a14-0b9c-4682-a28e-cfe3120cdad9", create an account role in Splunk UBA called "3e1a9a14-0b9c-4682-a28e-cfe3120cdad9". You can either create a new account role, or clone an existing one. All users in this group will have the permissions configured in this role. See Create a custom role or Clone an existing role in the Administer Splunk User Behavior Analytics manual.

    Since User, Analyst, Admin, and Content_Developer are Splunk UBA roles by default, you do not need to create these account roles if your identity provider group names match these role names.

    If the role is not properly configured in Splunk UBA, you will see the following error message:

    "No permissions are granted to this username."
  3. After the account role is created, select Manage > Settings.
  4. Verify that Authentication is selected, then click on the SSO Authentication checkbox and complete the fields:
    Field Description
    SP Entity ID An identifier for this Splunk UBA instance that is unique across all entities in your Microsoft Entra ID environment. For example, SplunkUBA.
    IdP Entity ID This is the Entity ID of the Identity Provider (IdP). This field is optional.
    IdP Certificate The location and name of the Microsoft Entra ID certificate. This is downloaded from Microsoft Entra ID and located in the Splunk UBA certs/idpcerts directory, as described earlier in the procedure. For example, /var/vcap/store/caspida/certs/idpcerts/EntraID.pem.
    Private Key file The full path and name of the Splunk UBA 3rd party certificate or self-signed certificate. The certificate must be located in the Splunk UBA certs directory or a subdirectory under the certs directory based on the current deployment settings. For example, /var/vcap/store/caspida/certs/mycerts/my-server.key.pem. See Request and add a new certificate to Splunk UBA in the Install and Upgrade Splunk User Behavior Analytics manual for more information about creating 3rd party or self-signed certificates.
    Login Url The Microsoft Entra ID single sign-on URL, provided as the SAML Endpoint (HTTP) in your Microsoft Entra ID App SSO configuration page.
    Login Callback Path The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your Splunk UBA instance. For example, if your identity provider is configured with https://uba/saml/acs, then specify /saml/acs in this field.
    Logout Url The Microsoft Entra ID single logout URL, provided as the SLO Endpoint (HTTP) in your Microsoft Entra ID App SSO configuration page.
    Logout Callback Path The location where the logout response will be sent. For example, if your identity provider is configured with https://uba/saml/logout, then specify /saml/logout in this field.
  5. Click OK.
  6. Verify that you want to restart Splunk UBA for these changes to take effect. If yes, click OK to restart Splunk UBA.
Last modified on 19 June, 2024
Configure authentication for Splunk platform users   Use the Splunk UBA login type when Splunk authentication or SSO is not available

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters