topic Re: Is it possible to deploy idpCerts? in Deployment Architecture

Is it possible to deploy idpCerts?

scottsavarese — Wed, 09 Jan 2019 13:03:58 GMT

For SAML authentication, we need to provide a certificate chain to validate the SAML response. The certificate chain appears to be hardcoded to $SPLUNK_HOME/etc/auth/idpCerts. There is a configuration option that will let you specify a subdirectory underneath, but there doesn't seem to be a way to configure anything else.

This is great for people that configure SAML via the UI. But not so great for people that use deployment server or similar tools to deploy their configuration to $SPLUNK_HOME/etc/apps. Right now, the SAML authentication.conf file can be deployed, but won't work on its own unless someone manually pushes the certifications to the search heads out of band.

Is there a way to deploy certificate chains using deploymentserver? Can I customize the name of the subdirectory from idpCertChain_1 ?

Thanks.

Re: Is it possible to deploy idpCerts?

harsmarvania57 — Wed, 09 Jan 2019 13:46:28 GMT

Hi,

Regarding IDP certificate Path, you can use idpCertPath parameter in authentication.conf to define other path to retrieve certificate, I have never tried this but I can test in my lab environment.

idpCertPath = <Pathname>
* OPTIONAL
* This setting is required if 'signedAssertion' is set to true.
* This value is relative to $SPLUNK_HOME/etc/auth/idpCerts.
* The value for this setting can be the name of the certificate file or a directory.
* If it is empty, Splunk will automatically verify with certificates in all subdirectories
  present in $SPLUNK_HOME/etc/auth/idpCerts.
* If the saml response is to be verified with a IDP (Identity Provider) certificate that
  is self signed, then this setting holds the filename of the certificate.
* If the saml response is to be verified with a certificate that is a part of a
  certificate chain(root, intermediate(s), leaf), create a subdirectory and place the
  certificate chain as files in the subdirectory.
* If there are multiple end certificates, create a subdirectory such that, one subdirectory
  holds one certificate chain.
* If multiple such certificate chains are present, the assertion is considered verified,
  if validation succeeds with any certifcate chain.
* The file names within a certificate chain should be such that root certificate is alphabetically
  before the intermediate which is alphabetically before of the end cert.
  ex. cert_1.pem has the root, cert_2.pem has the first intermediate cert, cert_3.pem has the second
      intermediate certificate and cert_4.pem has the end certificate.

And example given in authentication.conf documentation showing that you can configure other path as well for IDP Certificate Chain.

[samlv2]
attributeQuerySoapPassword = changeme
attributeQuerySoapUsername = test
entityId = test-splunk
idpAttributeQueryUrl = https://exsso/idp/attrsvc.ssaml2
idpCertPath = /home/splunk/etc/auth/idp.crt

Regarding sub directory, can't you combine all leaf, intermediate and root cert in single file and push it via Deployment Server in your app and provide that file in parameter idpCertPath?

Re: Is it possible to deploy idpCerts?

scottsavarese — Wed, 09 Jan 2019 14:20:16 GMT

That path is actually relative to the idpCerts directory. It just creates a subdirectory under $SPLUNK_HOME/etc/auth/idpCerts.

Re: Is it possible to deploy idpCerts?

harsmarvania57 — Wed, 09 Jan 2019 14:22:44 GMT

Yes but when you use Splunk UI, if you have access to command line you can configure it in other path as well and provide that directory in idpCertPath in authentication.conf

Re: Is it possible to deploy idpCerts?

scottsavarese — Wed, 09 Jan 2019 14:27:44 GMT

Sorry, but no... idpCertPath is a relative path as per the authentication.conf documentation you posted. So I wasn't able to move the certs to my apps directory. But give it a try yourself. Just because I couldn't get it to work doesn't mean I did it right.

Re: Is it possible to deploy idpCerts?

harsmarvania57 — Wed, 09 Jan 2019 14:29:48 GMT

In my lab environment, I have idpCertPath = /opt/splunk/etc/auth/idpCert.pem and it is working fine which is outside $SPLUNK_HOME/etc/auth/idpCerts

Re: Is it possible to deploy idpCerts?

scottsavarese — Tue, 29 Sep 2020 22:44:00 GMT

I finally got it working... The issue I had was that I had a full chain and thus couldn't point to a single file. I had to point to the directory I want the chain in. I couldn't just put the certs in the directory I specified (which is where I failed). Instead I still had to use idpCertChain_1.

Putting it another way... If idpCertPath is set to /opt/splunk/etc/apps/myapp/certs, my certs actually live in /opt/splunk/etc/apps/myapp/certs/idpCertChain_1 and were named cert_1, cert_2, etc.

Thanks for the help.
Scott

Re: Is it possible to deploy idpCerts?

scottsavarese — Wed, 09 Jan 2019 17:01:56 GMT

See the conversation with harsmarvania57. I'm actually able to set idpCertPath to something outside of etc/auth with some caveats.