topic Re: Splunk SAML SSO MetadataExchange in Security

Splunk SAML SSO MetadataExchange

Tsjunne — Mon, 03 Apr 2017 15:43:25 GMT

It is possible to setup ADFS to automatically refresh SAML metadata using an endpoint.
Splunk has such an endpoint accoring to the docs (/saml/spmetadata) , but it looks like it doesn't allow anonymous access.
Is there any way to exclude this path from authentication?
And the other way around, is it possible to have Splunk automatically refresh the IDP metadata?
This would enable the Splunk SSO setup to automatically refresh rollover certificates.

Re: Splunk SAML SSO MetadataExchange

suarezry — Tue, 04 Apr 2017 15:42:29 GMT

For splunk, you could update the IdP config and/or certificates and then reload the authentication config:
https://answers.splunk.com/answers/129654/how-to-i-trigger-reload-of-authentication-configuration-programmatically.html

To automatically retrieve /saml/spmetadata you would need to use REST API:
https://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTaccessExamples#admin.2FSAML-sp-metadata_GET

Re: Splunk SAML SSO MetadataExchange

Tsjunne — Tue, 04 Apr 2017 16:12:08 GMT

The whole point is to have an endpoint on each side that is accissible anonymously and be able to set up the application to poll the URL every once in a while to automatically refresh certificates. So the first link would assume that this is done manually and the second link passes authentication data. The /saml/spmetadata URL returns the metadata directly without the REST wrapper, so that would be more appropriate, but it also requires authentication.

Re: Splunk SAML SSO MetadataExchange

suarezry — Tue, 04 Apr 2017 18:01:43 GMT

The whole point is to have an endpoint on each side that is accissible anonymously and be able to set up the application to poll the URL every once in a while to automatically refresh certificates.

I understand what you're looking for. To my knowledge that functionality doesn't exist. I'm giving you the next best option that I know of, unless someone else has a better suggestion.

So the first link would assume that this is done manually

You were asking for a way to update IdP metadata automatically. The question was pretty vague so my suggestion and link was a way to do this programmatically.

and the second link passes authentication data. The /saml/spmetadata URL returns the metadata directly without the REST wrapper, so that would be more appropriate, but it also requires authentication.

Again, that functionality doesn't exist. I'm suggesting a way for you to do this programmatically. Again, the implementation is up to you.

I'm curious, the splunk metadata does not change, why do you need a fresh copy?

Re: Splunk SAML SSO MetadataExchange

Tsjunne — Tue, 04 Apr 2017 18:26:39 GMT

Well, the metadata also contains the certificate to verify the splunk signatures on the SAML requests. And this certificate has a limited lifetime. So if ADFS is able to fetch the new certificates on a schedule, there's no admin overhead to keep the two in sync.

But i guess that i could have the proxy handle the authorization for Splunk and then i'll have to write a custom scheduled task to fetch the meta data from ADFS, update the IDP certificate and reload the config like you suggested in the first link.

Thank for the pointer!

Re: Splunk SAML SSO MetadataExchange

suarezry — Tue, 04 Apr 2017 20:21:29 GMT

Well, the metadata also contains the certificate to verify the splunk signatures on the SAML requests. And this certificate has a limited lifetime. So if ADFS is able to fetch the new certificates on a schedule, there's no admin overhead to keep the two in sync.

If you are referring to the splunk certificates then you simply generate third-party or self-signed certs with an extended lifetime like 3-5 years. It would save you the hassle. Does this work for you?