topic Re: How to migrate from LDAP authentication to Microsoft Azure Single Sign On with change of username? in Security

How to migrate from LDAP authentication to Microsoft Azure Single Sign On with change of username?

joxley — Tue, 12 Apr 2016 10:08:50 GMT

I want to migrate from LDAP Authentication to Microsoft Azure AD Single Sign On.

I currently have LDAP authentication set up with my active directory domain using the sAMAccountName as the login field. This means that I log into Splunk with the username john. With the release of Splunk 6.4.0 and SSO with Azure AD, I want to move to that.

I have figured out how to use the email address as the username by setting the nameIdFormat field in authentication.conf.

Migration Plan

Move each folder in /etc/users/$sAMAccountName to /etc/users/$emailAddress
For each user do a recursive sed s/$sAMAccountName/$emailAddress/
Switch to SSO and map roles (which I've already prepared on a dev server)

I foresee an issue with this. When I change the authentication to SSO, there will be no users on the system. Users will only be created on first login. Does this mean that all the scheduled searches won't run until that specific user logs in?

Should I create a scheduled search user specifically for this reason and set it up beforehand?

Additional Questions

Should I leave /etc/users/*/*/history out of the set command?
Does the history matter that much?
What else have I forgotten?

Re: How to migrate from LDAP authentication to Microsoft Azure Single Sign On with change of username?

jkat54 — Tue, 12 Apr 2016 23:58:08 GMT

I think you're right on with your thought process. However I fell that by creating the '/etc/users/emailAddy' folders you're effectively creating users in the "sSo world" so that once SSO is enabled users will exist and their saved searches will be fine. I say go forth and write the manual for all those who will follow!!!

Re: How to migrate from LDAP authentication to Microsoft Azure Single Sign On with change of username?

joxley — Thu, 30 Jun 2016 10:42:45 GMT

Here's my story for others to follow and hopefully improve upon

I mostly followed the Splunk docs to configure single sign-on.

For doing a SAML group to Splunk role mapping, you need to use the AAD group IDs which you can get using the Powershell Get-MsolGroup commandlet.

I also put in the line nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress to the [saml] stanza. This means usernames will be the UPN rather than a horrible object ID.

So I wrote a migration script to do the migration which requires csvcut. I have a lookup file in my splunk instance already, built daily using an ldap search which is where the sAMAccountName to userPrincipalName mapping comes from.

The script does the following:

Rename the users directory
Do an in-place sed to change ownership of all public objects
Build a file of new users to insert into authentication.conf

Saved searches require an existing user to run (else they are orphaned). With Azure AD as an identity provider, Splunk needs to create a cache, so to speak, of users. It does this by putting a username = list;of;roles into authentication.conf under the stanza [userToRoleMap_SAML] when a user first logs in. I want all scheduled searches to run, so whenever a public knowledge object is found, I add that user to the new-auths file. Then I imported it into the authentication.conf file manually as a seed.

Re: How to migrate from LDAP authentication to Microsoft Azure Single Sign On with change of username?

jthairu_splunk — Thu, 29 Mar 2018 16:43:26 GMT

How did you transfer ownership of existing items (dashboards, reports, alerts etc) from LDAP users to AzureAD users?