For SAML authentication, we need to provide a certificate chain to validate the SAML response. The certificate chain appears to be hardcoded to $SPLUNK_HOME/etc/auth/idpCerts. There is a configuration option that will let you specify a subdirectory underneath, but there doesn't seem to be a way to configure anything else.

This is great for people that configure SAML via the UI. But not so great for people that use deployment server or similar tools to deploy their configuration to $SPLUNK_HOME/etc/apps. Right now, the SAML authentication.conf file can be deployed, but won't work on its own unless someone manually pushes the certificates to the search heads out of band.

Is there a way to deploy certificate chains using deploymentserver? Can I customize the name of the subdirectory from
Regarding the IDP certificate path, you can use the idpCertPath parameter in authentication.conf to define another path from which to retrieve the certificate. I have never tried this, but I can test it in my lab environment.
idpCertPath = <Pathname>
* OPTIONAL
* This setting is required if 'signedAssertion' is set to true.
* This value is relative to $SPLUNK_HOME/etc/auth/idpCerts.
* The value for this setting can be the name of the certificate file or a directory.
* If it is empty, Splunk will automatically verify with certificates in all subdirectories present in $SPLUNK_HOME/etc/auth/idpCerts.
* If the saml response is to be verified with a IDP (Identity Provider) certificate that is self signed, then this setting holds the filename of the certificate.
* If the saml response is to be verified with a certificate that is a part of a certificate chain (root, intermediate(s), leaf), create a subdirectory and place the certificate chain as files in the subdirectory.
* If there are multiple end certificates, create a subdirectory such that one subdirectory holds one certificate chain.
* If multiple such certificate chains are present, the assertion is considered verified if validation succeeds with any certificate chain.
* The file names within a certificate chain should be such that the root certificate is alphabetically before the intermediate, which is alphabetically before the end cert. ex. cert_1.pem has the root, cert_2.pem has the first intermediate cert, cert_3.pem has the second intermediate certificate and cert_4.pem has the end certificate.
An example given in the authentication.conf documentation shows that you can configure another path for the IDP certificate chain as well.
[samlv2]
attributeQuerySoapPassword = changeme
attributeQuerySoapUsername = test
entityId = test-splunk
idpAttributeQueryUrl = https://exsso/idp/attrsvc.ssaml2
idpCertPath = /home/splunk/etc/auth/idp.crt
Regarding the subdirectory, can't you combine all leaf, intermediate and root certs in a single file, push it via Deployment Server in your app, and provide that file in the parameter?
Sorry, but no... idpCertPath is a relative path as per the authentication.conf documentation you posted. So I wasn't able to move the certs to my apps directory. But give it a try yourself. Just because I couldn't get it to work doesn't mean I did it right.
I finally got it working... The issue I had was that I had a full chain and thus couldn't point to a single file. I had to point to the directory I want the chain in. I couldn't just put the certs in the directory I specified (which is where I failed). Instead I still had to use idpCertChain_1.
Putting it another way... If idpCertPath is set to /opt/splunk/etc/apps/myapp/certs, my certs actually live in /opt/splunk/etc/apps/myapp/certs/idpCertChain_1 and were named cert_1, cert_2, etc.
Thanks for the help.
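An added example (not from this thread and not Splunk's own tooling) that builds the layout the last post describes: it splits a single PEM bundle into one file per certificate under an idpCertChain_1 subdirectory, numbered so the root sorts first and the end-entity certificate last, which is what the authentication.conf spec quoted above requires. It assumes the bundle is in the leaf-first order most CA tooling emits and uses placeholder certificate bodies rather than real certificates.

```python
import re
import tempfile
from pathlib import Path

# Matches one PEM certificate block, including its BEGIN/END markers.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

# Constructed sample: placeholder bodies stand in for real base64 DER, in the
# leaf-first order a typical "fullchain" file uses (assumption, see lead-in).
SAMPLE_BUNDLE = "\n".join(
    f"-----BEGIN CERTIFICATE-----\n{name}\n-----END CERTIFICATE-----"
    for name in ("LEAF-PLACEHOLDER", "INTERMEDIATE-PLACEHOLDER", "ROOT-PLACEHOLDER")
)

def split_pem_bundle(bundle_text):
    """Return the individual PEM certificate blocks in the order they appear."""
    return PEM_RE.findall(bundle_text)

def write_splunk_chain_dir(bundle_text, cert_dir, chain_name="idpCertChain_1", leaf_first=True):
    """Lay a bundle out as <cert_dir>/<chain_name>/cert_1.pem ... cert_N.pem.

    Splunk wants one chain per subdirectory, sorted so the root comes first and
    the end-entity cert last, so a leaf-first bundle is reversed before numbering.
    Returns the file names written, in order.
    """
    certs = split_pem_bundle(bundle_text)
    if not certs:
        raise ValueError("no PEM certificate blocks found in bundle")
    if leaf_first:
        certs = certs[::-1]
    chain_dir = Path(cert_dir) / chain_name
    chain_dir.mkdir(parents=True, exist_ok=True)
    # Zero-pad so cert_10 never sorts before cert_2; for short chains this is cert_1, cert_2, ...
    width = len(str(len(certs)))
    names = []
    for index, pem in enumerate(certs, start=1):
        name = f"cert_{index:0{width}d}.pem"
        (chain_dir / name).write_text(pem + "\n")
        names.append(name)
    return names

def first_cert_body(cert_dir, chain_name="idpCertChain_1"):
    """Return the contents of the alphabetically first file in the chain directory."""
    return sorted((Path(cert_dir) / chain_name).iterdir())[0].read_text()

def demo():
    """Write the sample bundle into a temporary app certs directory; return (names, first file body)."""
    with tempfile.TemporaryDirectory() as tmp:
        cert_dir = Path(tmp) / "myapp" / "certs"  # stands in for $SPLUNK_HOME/etc/apps/myapp/certs
        names = write_splunk_chain_dir(SAMPLE_BUNDLE, cert_dir)
        return names, first_cert_body(cert_dir)

if __name__ == "__main__":
    print(demo())
```

The resulting myapp/certs directory can be shipped inside the deployment app, with idpCertPath pointing at it as in the post above.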