Deployment Architecture

Is it possible to deploy idpCerts?

scottsavarese
New Member

For SAML authentication, we need to provide a certificate chain to validate the SAML response. The certificate chain appears to be hardcoded to $SPLUNK_HOME/etc/auth/idpCerts. There is a configuration option that will let you specify a subdirectory underneath, but there doesn't seem to be a way to configure anything else.

This is great for people that configure SAML via the UI. But not so great for people that use deployment server or similar tools to deploy their configuration to $SPLUNK_HOME/etc/apps. Right now, the SAML authentication.conf file can be deployed, but won't work on its own unless someone manually pushes the certifications to the search heads out of band.

Is there a way to deploy certificate chains using deploymentserver? Can I customize the name of the subdirectory from idpCertChain_1 ?

Thanks.

0 Karma

scottsavarese
New Member

See the conversation with harsmarvania57. I'm actually able to set idpCertPath to something outside of etc/auth with some caveats.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

Regarding IDP certificate Path, you can use idpCertPath parameter in authentication.conf to define other path to retrieve certificate, I have never tried this but I can test in my lab environment.

idpCertPath = <Pathname>
* OPTIONAL
* This setting is required if 'signedAssertion' is set to true.
* This value is relative to $SPLUNK_HOME/etc/auth/idpCerts.
* The value for this setting can be the name of the certificate file or a directory.
* If it is empty, Splunk will automatically verify with certificates in all subdirectories
  present in $SPLUNK_HOME/etc/auth/idpCerts.
* If the saml response is to be verified with a IDP (Identity Provider) certificate that
  is self signed, then this setting holds the filename of the certificate.
* If the saml response is to be verified with a certificate that is a part of a
  certificate chain(root, intermediate(s), leaf), create a subdirectory and place the
  certificate chain as files in the subdirectory.
* If there are multiple end certificates, create a subdirectory such that, one subdirectory
  holds one certificate chain.
* If multiple such certificate chains are present, the assertion is considered verified,
  if validation succeeds with any certifcate chain.
* The file names within a certificate chain should be such that root certificate is alphabetically
  before the intermediate which is alphabetically before of the end cert.
  ex. cert_1.pem has the root, cert_2.pem has the first intermediate cert, cert_3.pem has the second
      intermediate certificate and cert_4.pem has the end certificate.

And example given in authentication.conf documentation showing that you can configure other path as well for IDP Certificate Chain.

[samlv2]
attributeQuerySoapPassword = changeme
attributeQuerySoapUsername = test
entityId = test-splunk
idpAttributeQueryUrl = https://exsso/idp/attrsvc.ssaml2
idpCertPath = /home/splunk/etc/auth/idp.crt

Regarding sub directory, can't you combine all leaf, intermediate and root cert in single file and push it via Deployment Server in your app and provide that file in parameter idpCertPath?

0 Karma

scottsavarese
New Member

That path is actually relative to the idpCerts directory. It just creates a subdirectory under $SPLUNK_HOME/etc/auth/idpCerts.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Yes but when you use Splunk UI, if you have access to command line you can configure it in other path as well and provide that directory in idpCertPath in authentication.conf

0 Karma

scottsavarese
New Member

Sorry, but no... idpCertPath is a relative path as per the authentication.conf documentation you posted. So I wasn't able to move the certs to my apps directory. But give it a try yourself. Just because I couldn't get it to work doesn't mean I did it right.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

In my lab environment, I have idpCertPath = /opt/splunk/etc/auth/idpCert.pem and it is working fine which is outside $SPLUNK_HOME/etc/auth/idpCerts

0 Karma

scottsavarese
New Member

I finally got it working... The issue I had was that I had a full chain and thus couldn't point to a single file. I had to point to the directory I want the chain in. I couldn't just put the certs in the directory I specified (which is where I failed). Instead I still had to use idpCertChain_1.

Putting it another way... If idpCertPath is set to /opt/splunk/etc/apps/myapp/certs, my certs actually live in /opt/splunk/etc/apps/myapp/certs/idpCertChain_1 and were named cert_1, cert_2, etc.

Thanks for the help.
Scott

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...