Unified Identity: Splunk Cloud Platform and Splunk Observability Cloud ๐
Splunk Cloud Platform offers Unified Identity with Splunk Observability Cloud.
What is Unified Identity? ๐
Unified Identity is the integration of Splunk Cloud Platform and Splunk Observability Cloud. Users can access both platforms using a single identity by logging into Splunk Observability Cloud with SSO using their Splunk Cloud Platform credentials. Splunk Cloud Platform serves as the Identity Provider (IdP). You can use a third party identity provider, such as Okta, but you will lose the benefits of the integrated experience. See What are the benefits of Unified Identity?
When you integrate your Splunk Cloud Platform and Splunk Observability Cloud instances and activate Unified Identity, administrators can set up all users in a central location, Splunk Cloud Platform. Splunk Cloud Platform admins control user and data access permissions for both platforms separately in respective products. For more information, see Create and manage users in Splunk Observability Cloud. To learn about user roles and permissions in Splunk Cloud Platform, see About configuring role-based user access . The integration extends permissions to access data indexed in Splunk Cloud Platform to Splunk Observability Cloud applications with no administrative overhead. See User provisioning for more information.
Who can access Single Sign On (SSO) and the benefits of Unified Identity? ๐
All customers who have both Splunk Cloud Platform and Splunk Observability Cloud can access Unified Identity. Users must be on Splunk Cloud Platform version 9.x and higher. The AWS or GCP region for your Splunk Cloud Platform instance must map to your Splunk Observability Cloud instance realm as shown in the following table:
Splunk Observability Cloud realm |
AWS Region |
---|---|
us0 |
AWS US East Virginia (us-east-1) |
us1 |
AWS US West Oregon (us-west-2) |
eu0 |
AWS EU Dublin (eu-west-1) |
eu1 |
AWS EU Frankfurt (eu-central-1) |
eu2 |
AWS EU London (eu-west-2) |
au0 |
AWS AP Sydney (ap-southeast-2) |
jp0 |
AWS AP Tokyo (ap-northeast-1) |
Note
Unified Identity is not supported in GovCloud or GCP regions.
What are the benefits of Unified Identity? ๐
Organizations that complete the integration of Splunk Cloud Platform and Splunk Observability Cloud experience the following benefits:
End users can access Splunk Observability Cloud with Single Sign On (SSO) using Splunk Cloud Platform as the Identity Provider (IdP).
Splunk Cloud Platform administrators can extend SAML settings for SSO configured in Splunk Cloud Platform to Splunk Observability Cloud applications.
When using any Splunk Observability Cloud application, a user can access all data in Splunk Cloud Platform indexes that the userโs role in Splunk Cloud Platform has permissions to access.
Users can navigate data and dashboards between Splunk Cloud Platform and Splunk Observability Cloud seamlessly after logging in with Splunk Cloud Platform SSO once.
Note
You can use a third party identity provider other tha Splunk Cloud Platform, but you will lose the benefits of the integrated experience.
How to set up Unified Identity ๐
You can pair only one Splunk Cloud Platform instance with one Splunk Observability Cloud instance at a time. Only one Splunk Observability Cloud organization can pair with a single Splunk Cloud Platform search head. Customers with multiple Splunk Observability Cloud organizations must choose one to pair with the chosen Splunk Cloud Platform instance.
Prerequisites ๐
You must be an admin of the Splunk Cloud Platform and Splunk Observability Cloud instances that you want to pair.
Set up Unified Identity for new Splunk Observability Cloud customers ๐
Splunk Cloud Platform customers who want to purchase Splunk Observability Cloud must take the following actions to set up Unified Identity:
Inform your Splunk sales representative that you want to purchase Splunk Observability Cloud or start a trial. The sales representative initiates a Splunk Observability Cloud trial that is already integrated with their Splunk Cloud Platform instance.
Turn on token authentication to allow Splunk Observability Cloud to view your Splunk Cloud Platform logs. See Enable or disable token authentication to learn how.
Set up Unified Identity for existing Splunk Observability Cloud customers ๐
There are 2 ways you can pair your Splunk Observability Cloud and Splunk Cloud Platform organizations: using command-line interface with Admin Config Services (ACS) commands or using API endpoints. These instructions cover both ways. If you havenโt installed the ACS command-line tool and want to use it, see Administer Splunk Cloud Platform using the ACS CLI .
If you already have a Splunk Cloud Platform account and a Splunk Observability Cloud account, take the following actions to set up Unified Identity:
Turn on token authentication to allow Splunk Observability Cloud to view your Splunk Cloud Platform logs. See Enable or disable token authentication to learn how.
Obtain a user API access token (session token) from your Splunk Observability Cloud account. See Retrieve and manage user API access tokens using Splunk Observability Cloud to learn how.
Note
The API token must have
admin
privileges.Pair your Splunk Observability Cloud and Splunk Cloud Platform organizations:
To pair with command-line interface, enter the following Admin Config Services (ACS) command:
acs observability pair --o11y-access-token "<enter-o11y-access-token>"
Replace
<enter-o11y-access-token>
in the example above, with the user API access token you retrieved from Splunk Observability Cloud in previous step.To pair with API endpoints, collect the following information then run the curl command:
Splunk Cloud Platform admin API access token (Create a new authentication token with an admin user. See Use Splunk Web to create authentication tokens .)
O11y API access token (obtained it in step 2 above)
Splunk Cloud Platform instance name (the custom subdomain for your Splunk Cloud stack)
Run the curl command:
curl --location 'https://admin.splunk.com/<enter-stack-name>/adminconfig/v2/observability/sso-pairing' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer <enter-splunk-admin-api-token>' \ --header 'o11y-access-token': '<enter-o11y-api-token>'
Whether you used the command-line interface or API endpoints, the pairing command returns a pairing id:
"id": "<pairing-id>"
You can use the pairing id to get the current status of the pairing.
To get the status using command-line interface, run the following ACS command:
acs observability pairing-status-by-id --pairing-id "<enter-pairing-id>" --o11y-access-token "<enter-o11y-access-token>"
Replace the pairing id and the access token with your own values.
To get the status using API endpoints, run the following curl command with the data you obtained in step 3b:
curl --location --request GET 'https://admin.splunk.com/<enter-stack-name>/adminconfig/v2/observability/sso-pairing/<enter-pairing-id>' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer <enter-splunk-admin-api-token>' --header 'o11y-access-token': '<enter-o11y-api-token>'
The system returns a status message showing whether or not the pairing was a success. Statuses are SUCCESS, FAILED, or IN_PROGRESS.
"pairingId": "<pairing-id>" "status": "SUCCESS"
Users will receive an email telling them to authenticate to Splunk Observability Cloud using the new authentication method through Splunk Cloud Platform SSO. Note that users can continue to use their previous login method. If you want to force all users to authenticate through Splunk Cloud Platform SSO, reach out to Splunk Customer Support to deactivate local login. To deactivate login through a third party identity provider, go to Data Management > Available integrations in Splunk Observability Cloud, select the appropriate integration (for example, Okta), and select Deactivate.
User provisioning ๐
To benefit from Unified Identity, all users must have a Splunk Cloud Platform user with the o11y_access
role.
If your organization uses Okta for SSO (Single Sign On), the o11y_access
role is mapped to the Okta group. The Okta admin must add the o11y_access
role to the Okta group to complete the authorization process. If the Okta admin is not available, contact Splunk Support to enable local authentication.
Existing Splunk Cloud Platform users ๐
In Splunk Cloud Platform, create the custom role o11y_access
and assign it to all users who you want to grant access to Splunk Observability Cloud. See Create and manage roles with Splunk Web for more information on Splunk Cloud Platform roles. Follow only the instructions in the Add or edit a role section. Note that you do not need to assign the role any capabilities or indexes.
Note
If you do not create and assign the custom role o11y_access
, users receive the following error message when trying to log in to Splunk Observability Cloud: โYou do not have access to Splunk Observability Cloud. Contact your Splunk Cloud Platform administrator for assistance.โ
If the user does not exist in Splunk Observability Cloud, the integration automatically creates a user in Splunk Observability Cloud and maps Splunk Cloud Platform roles to the following Splunk Observability Cloud roles:
Role in Splunk Cloud Platform |
Role in Splunk Observability Cloud |
---|---|
sc_admin |
admin |
power, can_delete |
power |
user |
power |
The system defines the mapping process, and a user cannot change it at provisioning time or after. The mapping is strictly from Splunk Cloud Platform to Splunk Observability Cloud, and not the reverse. No Splunk Cloud Platform roles map to the Splunk Observability Cloud roles โusageโ or โread_onlyโ.
Existing Splunk Observability Cloud users ๐
If an existing Splunk Observability Cloud user does not have a Splunk Cloud Platform account, create a Splunk Cloud Platform user for them and give it the o11y_access
role. You do not need to assign the o11y_access
role any capabilities or indexes. The user can now access Splunk Cloud Platform and can sign into Splunk Observability Cloud with SSO using their Splunk Cloud Platform credentials. Splunk Cloud Platform and Splunk Observability Cloud Log Observer respect index access assigned to the user in Splunk Cloud Platform. The Splunk Observability Cloud user retains their existing Splunk Observability Cloud role.
If an existing Splunk Observability Cloud user already has a Splunk Cloud Platform user, assign the o11y_access
role to the user in the Splunk Cloud Platform instance.
New users ๐
To add a new user to Splunk Observability Cloud after the integration is complete, a Splunk Cloud Platform administrator must do the following:
Create a new user in Splunk Cloud Platform either locally or through a third party IdP.
Give the new user the custom
o11y_access
role. You do not need to assign the role any capabilities or indexes.
The user can now log in to Splunk Observability Cloud with their Splunk Cloud Platform permissions.
After initial user provisioning ๐
Once users are set up, Splunk Cloud Platform admins and Splunk Observability Cloud admins must manage roles independently. After initial setup, role updates in either product platform do not impact a userโs role in the other platform. However, a userโs permissions to specific indexes in Splunk Cloud Platform are always controlled by a userโs role and permissions in Splunk Cloud Platform.
What to expect at first login ๐
The first time a user tries to log in to Splunk Observability Cloud after the integration, they are directed to their Splunk Cloud Platform login page.
Follow these steps at first login to Splunk Observability Cloud:
Select Sign in with Splunk Cloud.
Provide your Splunk Cloud Platform credentials. If you get the No access error message, contact your administrator. See No access error for more information.
Enter and confirm your email. If you already have a Splunk Observability Cloud user, enter the email associated with it to link it to your Splunk Cloud Platform user. If you enter an email address that does not exist in Splunk Observability Cloud, the system creates a new Splunk Observability Cloud user and assigns it a role based on the role mapping table in the Existing Splunk Cloud Platform users section.
You then receive an e-mail to verify your identity. Verify your identity in the e-mail to be authenticated in Splunk Observability Cloud. After authentication, the Splunk Observability Cloud user can only see logs data in Log Observer that their Splunk Cloud Platform user has permissions to see.
After the first login, you do not need to provide your Splunk Cloud Platform credentials again. On subsequent logins, if you are already logged in to Splunk Cloud Platform, select Sign in with Splunk Cloud and you are automatically signed in to Splunk Observability Cloud.
No access error ๐
Contact your Splunk Cloud Platform administrator if you receive the following No access error message:
Users receive this error message if their Splunk Cloud Platform administrator did not give them the custom role o11y_access
. The o11y_access
role is required to access Splunk Observability Cloud.
Working in Splunk Observability Cloud after the integration ๐
In addition to logging in with SSO, users and admins experience other differences after the integration is complete.
Point-and-click log analysis ๐
One important advantage of the integration is that users can now query their Splunk Cloud Platform logs in Log Observerโs no-code UI. Users can create advanced queries without knowing SPL with Log Observerโs filters and aggregations. See Query logs in Log Observer Connect for more information.
When you use Log Observer Connect, your logs remain in your Splunk Cloud Platform instance and are accessible only to Log Observer Connect. Log Observer Connect does not store or index your logs data.
Unified user session ๐
You can navigate seamlessly back and forth between Splunk Cloud Platform and any Splunk Observability Cloud application (Infrastructure Monitoring, APM, Log Observer, RUM, and Synthetics) to see all data that your Splunk Cloud Platform role has permissions to see. Users need to log in only once to gain access to Splunk Cloud Platform and Splunk Observability Cloud. You donโt need additional login to move from one platform to the other when exploring data.
Splunk Cloud Platform maintenance windows ๐
During a Splunk Cloud Platform maintenance window, users cannot log in to Splunk Observability Cloud with Splunk Cloud Platform for SSO. Login can be impacted from 2 to 5 minutes during Splunk Cloud Platform maintenance windows. Users can log into Splunk Observability Cloud again as soon as the maintenance window is completed.
During a maintenance window, Splunk Cloud Platform displays a banner indicating the start and end time of the window. If a user is already logged in to Splunk Observability Cloud at the start of a maintenance window, the user is not impacted directly. However, access to Splunk Cloud Platform logs in Log Observer Connect are unavailable during the maintenance window. You can continue working in Splunk Observability Cloud.
Typically, there are two planned maintenance windows per month for a Splunk Cloud Platform instance. Customers can determine the scheduling of maintenance windows and usually set them up to occur during the customerโs downtime. Talk to your Splunk Cloud Platform administrator about the planned maintenance windows.
Changing identity providers ๐
If you no longer want to use Splunk Cloud Platform as your identity provider for SSO when signing in to Splunk Observability Cloud, set up a third party IdP for Splunk Observability Cloud login before you deactivate your Splunk Cloud Platform instance. Deactivating Splunk Cloud Platform only after setting up a new third party IdP ensures that your Splunk Observability Cloud users do not lose access.