Configure authentication for Splunk platform users
Configure how Splunk platform users are authenticated when accessing Splunk UBA.
Configure load balancing for persistent sessions
Use a third-party hardware or software load balancer in front of your set of clustered search heads to access the set of search heads through a single interface, without needing to specify a particular one. Configure the load balancer so that user sessions are "sticky" or "persistent" to remain on a single search head throughout the session. See Use a load balancer with search head clustering in the Splunk Enterprise Distributed Search manual.
Configure Splunk authentication using Splunk UBA
Perform the following tasks to configure Splunk authentication using Splunk UBA:
- On the Splunk platform, create the same roles that exist in Splunk UBA. For first-time deployments, you must create the uba_user, uba_analyst, and uba_admin roles, along with any other custom roles created in Splunk UBA. There must be a one-to-one mapping of roles between the Splunk platform and Splunk UBA, and the role names must match. Role names are case-insensitive, so a role called uba_testRole on the Splunk platform maps to uba_testrole in Splunk UBA. To learn more about creating users and roles in the Splunk platform, see About users and roles.
  When creating a new role in the Splunk platform, you must first select the uba_user role in the Inheritance section of the page. After the new role is created, it can be assigned to any user in the Splunk platform.
  When testing authentication with the Splunk platform, the user account being used for testing must also have one of the uba_user, uba_analyst, or uba_admin roles assigned to it.
- In Splunk UBA, select Manage > Settings.
- Verify the Authentication tab is selected (by default).
- Select UBA Authentication to have your Splunk UBA instance authenticate users.
- Select Splunk Authentication to have your Splunk instance perform user authentication. You are prompted to provide additional information:
- Host name and port of your Splunk instance. If search head clustering is configured and a load balancer is available, it is recommended to specify the load balancer host name to avoid a single point of failure. Ensure that port 8089 is accessible on the load balancer.
- By default only the Splunk accounts with the uba_user role can log in as UBA users. If the Splunk Users option is selected, Splunk accounts with the user role can also log in as UBA users.
- By default only the Splunk accounts with the uba_admin role can log in as UBA admins. If the Splunk Admins option is selected, Splunk accounts with the admin role can also log in as UBA admins.
- Select both Splunk Users and Splunk Admins and click Test Connection to verify that the connection with your Splunk instance is working.
- Click OK to save your changes.
Configure Splunk authentication using the CLI
If you do not want to create new roles in the Splunk platform, set the allowSplunkUserRole and allowSplunkAdminRole settings to true to allow users with the Splunk platform user role or admin role, respectively, to log in to Splunk UBA from the Splunk platform.
If you configure Splunk Authentication by using Splunk UBA, this configuration overrides any setting made using the CLI.
- Log in to the Splunk UBA management server as the caspida user using SSH.
- Open the /etc/caspida/local/conf/uba-site.properties file.
- Edit or create the ui.splunk.authentication setting to match the following example:
    ui.splunk.authentication={"hostname": "<SplunkServer>", "port": "8089", "allowSplunkUserRole": true, "allowSplunkAdminRole": false}
  Set allowSplunkUserRole to true to allow users with the user role in the Splunk platform to view data from Splunk UBA in the Splunk platform. Replace <SplunkServer> with the Splunk search head host name. If search head clustering is configured and a load balancer is available, it is recommended to specify the load balancer host name to avoid a single point of failure. Ensure that port 8089 is accessible on the load balancer.
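The following added example (not part of the Splunk documentation or any Splunk tool) reviews the ui.splunk.authentication setting and the role mapping described above: it reports which built-in platform roles are allowed into Splunk UBA and which UBA roles have no case-insensitive match on the Splunk platform. The function names, the sample host name, and the role lists are assumptions made for illustration.

```python
import json

REQUIRED = {"uba_user", "uba_analyst", "uba_admin"}  # roles the page requires

def parse_auth_setting(properties_text):
    """Return the ui.splunk.authentication JSON value as a dict, or None."""
    value = None
    for line in properties_text.splitlines():
        key, sep, raw = line.strip().partition("=")
        if sep and key.strip() == "ui.splunk.authentication":
            value = json.loads(raw)  # assumption: the last occurrence wins
    return value

def audit(properties_text, platform_roles, uba_roles):
    """Return a list of review findings (hypothetical helper, not a Splunk tool)."""
    findings = []
    cfg = parse_auth_setting(properties_text)
    if cfg is None:
        findings.append("ui.splunk.authentication is not set")
    else:
        if "<" in str(cfg.get("hostname") or "<"):
            findings.append("hostname is missing or still a placeholder")
        if str(cfg.get("port")) != "8089":
            findings.append("port differs from 8089")
        if cfg.get("allowSplunkUserRole") is True:
            findings.append("platform role 'user' can log in as a UBA user")
        if cfg.get("allowSplunkAdminRole") is True:
            findings.append("platform role 'admin' can log in as a UBA admin")
    # Role names are case-insensitive, so group platform roles by lowercase name.
    wanted = {r.lower() for r in uba_roles} | REQUIRED
    by_lower = {}
    for name in platform_roles:
        by_lower.setdefault(name.lower(), []).append(name)
    for role in sorted(wanted):
        matches = by_lower.get(role, [])
        if not matches:
            findings.append(f"role '{role}' is missing on the Splunk platform")
        elif len(matches) > 1:
            findings.append(f"role '{role}' is ambiguous on the platform: {matches}")
    return findings

# Constructed sample input: host name and role lists are made up.
SAMPLE = ('ui.splunk.authentication={"hostname": "splunk-lb.example.internal", '
          '"port": "8089", "allowSplunkUserRole": true, "allowSplunkAdminRole": false}')
PLATFORM_ROLES = ["admin", "user", "uba_user", "uba_admin", "uba_testRole"]
UBA_ROLES = ["uba_user", "uba_analyst", "uba_admin", "uba_testrole"]

if __name__ == "__main__":
    for finding in audit(SAMPLE, PLATFORM_ROLES, UBA_ROLES):
        print(finding)
```

Because a configuration made in the Splunk UBA UI overrides the CLI setting, a clean result for the file does not describe a deployment that was configured through the UI.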
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1