
Configure an ADFS SSO integration

The Microsoft Active Directory Federation Services (ADFS) SSO integration lets your users log in to Observability Cloud using your Microsoft ADFS portal.

Before you begin configuring the ADFS integration, ensure you have completed the steps in Configure SSO integrations for Splunk Observability Cloud, including the section Name an SSO integration to learn about naming your integrations.

This integration is only available for Microsoft Entra ID (formerly Azure Active Directory) with ADFS. In addition, you need to have the following fields in your ADFS configuration:

  • First Name

  • Last Name

  • Email

The procedure for configuring ADFS with Splunk Observability Cloud has these sections:

Send your domain information to Splunk Support

Your users can’t authenticate using an ADFS SSO integration until Splunk activates it. To request the activation, contact Splunk Observability Cloud support.

Be ready to provide your login email domain. For example, if your users log in to SSO with user IDs like kai@example.com, then example.com is the login email domain.

After support activates the integration, users can authenticate using ADFS SSO.

Create a new ADFS SSO integration in Observability Cloud

To create a new ADFS integration in Observability Cloud:

  1. Log in to Splunk Observability Cloud.

  2. Open the ADFS guided setup. Optionally, you can navigate to the guided setup on your own:

    1. In the left navigation menu, select Data Management.

    2. Select Add Integration.

    3. In the integration filter menu, select All.

    4. In the Search field, search for Azure Directory FS, and select it.

  3. In the Name field, enter a name for your ADFS SSO integration.

  4. Save the Integration ID field value to a file. You’ll need this value in a subsequent step.

  5. If you want to set up ADFS to integrate with multiple organizations:
    1. Select Integration-specific Entity ID.

    2. Save the URI displayed next to the check box. You’ll need it in a subsequent step to configure ADFS. To learn more, see Integrate an identity provider with multiple organizations.

  6. Keep this page open. You’ll upload the Certificate and Metadata files in a subsequent step.

Add Observability Cloud to ADFS

Add Observability Cloud as a relying party in ADFS:

  1. In a separate browser tab or window, log in to the ADFS server and open the ADFS management console.

  2. In the console, right-click on Relying Party Trusts, select Add Relying Party Trust, then select Start.

  3. Select Claims aware, then select Next.

  4. Select Enter data about the relying party manually, then select Next.

  5. For Display name, enter Splunk Observability Cloud, then select Next.

  6. On the screen that appears, leave the default certificate settings unchanged.

  7. On the Configure URL page, leave the two options deselected and select Next.

  8. On the Configure Identifiers page, enter your entity ID in the Relying party trust identifiers text box:

    • If you’re setting up multiple integrations for ADFS, enter the integration-specific entity ID you obtained previously.

    • If you’re using a single integration for ADFS, enter one of these entity IDs, depending on the realm you’re in:

      • If your organization uses realm us0, enter the following:

        https://api.signalfx.com/v1/saml/metadata

      • If your organization uses another realm, enter the following:

        https://api.<YOUR_REALM>.signalfx.com/v1/saml/metadata

    To learn more about realms, see Note about realms.

  9. Select Add, then select Next.

  10. The next step in the guided setup lets you configure multifactor authentication. Because Observability Cloud doesn’t require this option, select Next.

  11. On the Choose access control policy page, do the following:

    1. Select Permit everyone.

    2. Optionally, you can select I do not want to configure access control policies at this time. In a later step, you can add authorization rules. Adding rules isn’t part of the integration procedure, so it’s not described here.

    3. Select Next.

  12. Review your settings, and then select Next.

  13. On the Ready to Add Trust page, select Next.

  14. On the Finish page, deselect Configure claims issuance policy for this application, then select Close.

  15. On the page that appears, select Relying Party Trusts, right-click Splunk Observability Cloud, then select Properties.

  16. Select the Advanced tab, then from the Secure Hash Algorithm list, select SHA-256.

  17. Select the Endpoints tab, then select Add SAML… In the dialog box, do the following:

    • From the Endpoint type list, select SAML Assertion Consumer.

    • From the Binding list, select POST.

    • Select Set the trusted URL as default.

    • For Trusted URL, enter the URL, replacing <INTEGRATION_ID> with the integration ID you copied in step 3 of the section Create a new ADFS SSO integration in Observability Cloud:

      • If your organization is in realm us0, enter the following:

      https://api.signalfx.com/v1/saml/acs/<INTEGRATION_ID>

      • If your organization is in another realm, enter the following:

      https://api.<YOUR_REALM>.signalfx.com/v1/saml/acs/<INTEGRATION_ID>

      To learn more about realms, see Note about realms.

  18. Select OK to close the Add an endpoint dialog box.

  19. Select OK to close the Splunk Observability Cloud Properties dialog box.

  20. On the page that appears, select Relying Party Trusts and right-click on Splunk Observability Cloud.

  21. From the Claim rule policy list, select Edit Claim Issuance Policy….

  22. Select Add Rule….

  23. Select Send LDAP Attributes as Claims, and then select Next.

  24. Enter a name for the claim rule, such as “LDAP”, then from the Attribute store list, select Microsoft Entra ID.

  25. In the Mapping of LDAP attributes to outgoing claim types pane, use the drop-down lists to set the mappings between the LDAP Attribute and Outgoing Claim Type columns:

    • E-Mail-Addresses (email address LDAP attribute): User.email

    • Given-Name (First Name LDAP attribute): User.FirstName

    • Surname (Last Name LDAP attribute): User.LastName

    • SAM-Account-Name (unique user identifier LDAP attribute): PersonImmutableID

  26. Select Add Rule… again, then select Transform an incoming claim.

  27. Enter a name for the claim rule, such as “Email to name ID”.

  28. Configure this rule to pass through Name ID, if it’s not already provided by your ADFS or SAML implementation.

    For example, if you want to pass through User.email as the Name ID, do the following:

    1. From the Incoming claim type drop-down list, select User.email.

    2. From the Outgoing claim type drop-down list, select Name ID.

    3. Regardless of the types you choose, from the Outgoing name ID format drop-down list, select Persistent Identifier.

    4. Select Finish.
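As an added check that is not part of the Splunk documentation: the following Python script, using only the standard library, takes a decoded SAML response (for example, one captured with a browser SAML tracer during a test login) and reports whether its Destination, Audience, Name ID format and attribute names match the relying party identifier, ACS URL and claim rules configured above. The realm, the integration ID and the sample response are constructed placeholders, and the script checks field mapping only, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Outgoing claim types from the claim rules on this page, plus the Name ID format they select.
REQUIRED_ATTRS = {"User.email", "User.FirstName", "User.LastName", "PersonImmutableID"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def expected_urls(realm, integration_id):
    """Entity ID and ACS URL for a single-integration setup; realm us0 has no realm in the host."""
    host = "api.signalfx.com" if realm == "us0" else f"api.{realm}.signalfx.com"
    return f"https://{host}/v1/saml/metadata", f"https://{host}/v1/saml/acs/{integration_id}"

def check_response(xml_text, realm, integration_id):
    """Return the list of mismatches against this page's setup (empty = consistent). No signature check."""
    entity_id, acs_url = expected_urls(realm, integration_id)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination is {root.get('Destination')}, expected ACS URL {acs_url}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"]
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        problems.append(f"Audience is {audience}, expected relying party identifier {entity_id}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID missing or not in Persistent Identifier format")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = REQUIRED_ATTRS - present
    if missing:
        problems.append("missing outgoing claims: " + ", ".join(sorted(missing)))
    return problems

# Constructed, unsigned sample response for realm us0 (not captured from a real ADFS server).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://api.signalfx.com/v1/saml/acs/EXAMPLE_INTEGRATION_ID">
 <saml:Assertion>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">kai@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://api.signalfx.com/v1/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="User.email"><saml:AttributeValue>kai@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Kai</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="User.LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="PersonImmutableID"><saml:AttributeValue>kai</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
```

Running `check_response(SAMPLE_RESPONSE, "us0", "EXAMPLE_INTEGRATION_ID")` returns an empty list; passing the wrong realm or a response whose claim rule still emits the raw LDAP attribute name instead of the outgoing claim type lists the mismatch.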

Obtain ADFS certificate to install to Observability Cloud

Obtain an ADFS certificate to install to Observability Cloud:

  1. In the ADFS management console, select Service, then select Certificates.

  2. From the Token-signing list, right-click the certificate, then select View Certificate.

  3. Select Detail, then select Copy to file. The certificate export wizard appears.

  4. Select Next, then select DER encoded binary X.509.

  5. Enter certificate.cer, then select Finish.

  6. Convert the certificate from a .cer format to a .pem format, using the openssl tool:

    openssl x509 -inform der -in certificate.cer -out certificate.pem

    In a following step, you upload this file to Observability Cloud.

Obtain federation metadata file to install to Observability Cloud

Obtain a federation metadata file to install to Observability Cloud:

  1. In the ADFS management console, navigate to Endpoints.

  2. Locate the Federation Metadata endpoint and copy the URL that appears. It’s similar to the following:

    https://<YOUR_SERVER_IP>/FederationMetadata/2007-06/FederationMetadata.xml

  3. Open a new browser window or tab, then navigate to the URL you copied. This opens a file download dialog box.

  4. Save the file FederationMetadata.xml. In a following step, you upload this file to Observability Cloud.

Note

URLs must belong to ADFS in order to validate. Accepted domains include windows.net and windows-ppe.net.

Upload the ADFS certificate and federation metadata to Observability Cloud

In Observability Cloud, do the following:

  1. Find the ADFS page you opened in a previous step.

  2. Select the Upload File link in the Certificate field and upload the certificate.pem file.

  3. Select the Upload File link in the Metadata field and upload the FederationMetadata.xml file.

  4. Select Save.

The ADFS SSO integration is now available to users in your ADFS organization. When users log in to Observability Cloud from ADFS for the first time, they receive an email containing a link that they must open in order to authenticate. This only occurs the first time the user signs in. Subsequent login attempts don’t require validation.

If you want to turn off the email authentication feature, contact Splunk Observability Cloud support.

Note

The ADFS portal is the only way that your users can log in to Observability Cloud.
