Deployment Architecture

SAML SSO on search head cluster behind load balancer

Explorer

I have been trying to configure SAML SSO for the search head clusters running behind the LB. Our setup is Splunk WIP (wide IP, port 80) --> two VIPs in each DC, which have the Splunk search head servers under them listening on port 8000. It is working fine with LDAP settings.

  • We are able to get SSO working by generating the metadata from the individual search head server listening on port 8000. However, load balancing is not working since it always redirects to the same server where we generated the metadata. How do we generate a SAML metadata file such that SAML SSO works with the Wide IP, like it is working with LDAP?
  • I tried changing the saml/acs URL to the WIP but it doesn't work.

Has anyone come across this situation? Any ideas how to deal with this?

Thanks in Advance,

Re: SAML SSO on search head cluster behind load balancer

Builder

SAML does work on a search head cluster provided you use the same SSL certs across your search heads and that the metadata on each search head is the same. The metadata is based on your $SPLUNK_HOME/etc/system/local/authentication.conf settings.

If you are having problems with this then post your authentication.conf and I can help.

0 Karma

Re: SAML SSO on search head cluster behind load balancer

Explorer

We do not have an SSL cert for our Splunk instance. However, I have the SSL cert of the federation URL copied to each search head server under this path: $SPLUNK_HOME/etc/auth/idpCerts/

Below is the saml configuration from authentication.conf

[saml]
allowSslCompression = true
attributeQueryRequestSigned = false
attributeQueryResponseSigned = false
attributeQueryTTL = 3600
entityId = WebPortalSplunk
fqdn = http://webportalsplunk
idpSSOUrl = https://federationuat.client.bcorp.com/idp/startSSO.ping?PartnerSpId=WebPortalSplunk
maxAttributeQueryQueueSize = 100
maxAttributeQueryThreads = 2
redirectPort = 8000
signAuthnRequest = false
signedAssertion = false
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2

Thanks

0 Karma
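The earlier reply makes the point that the SP metadata generated from authentication.conf must be identical on every search head, and the stanza above shows which settings feed it. As an added example (not from the thread or from Splunk), here is a small Python check that parses the [saml] stanza from several nodes, reports drift in the metadata-relevant keys, and flags the settings in this stanza that weaken the trust relationship. The conf text is constructed from the posted values; node names and the drifted second node are assumptions.

```python
"""Compare the [saml] stanza of authentication.conf across search heads."""
import configparser

# Keys that feed the generated SP metadata (/saml/spmetadata). If these differ
# between nodes, the IdP effectively sees a different SP behind each node.
METADATA_KEYS = ("entityId", "fqdn", "redirectPort", "idpSSOUrl")

# Constructed sample: "sh1" carries the values posted in the thread,
# "sh2" has a drifted fqdn (an assumed, hypothetical node).
SH1_CONF = """
[saml]
entityId = WebPortalSplunk
fqdn = http://webportalsplunk
idpSSOUrl = https://federationuat.client.bcorp.com/idp/startSSO.ping?PartnerSpId=WebPortalSplunk
redirectPort = 8000
signAuthnRequest = false
signedAssertion = false
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2
"""
SH2_CONF = SH1_CONF.replace("fqdn = http://webportalsplunk", "fqdn = http://splunksvr2")


def parse_saml(conf_text):
    """Return the [saml] stanza as a dict, preserving key case like Splunk does."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.optionxform = str
    cp.read_string(conf_text)
    return dict(cp["saml"]) if cp.has_section("saml") else {}


def metadata_drift(nodes):
    """nodes: {name: conf_text}. Return {key: {name: value}} for keys that differ."""
    parsed = {name: parse_saml(text) for name, text in nodes.items()}
    drift = {}
    for key in METADATA_KEYS:
        values = {name: stanza.get(key) for name, stanza in parsed.items()}
        if len(set(values.values())) > 1:
            drift[key] = values
    return drift


def weak_settings(saml):
    """Flag settings in one stanza that weaken SAML transport or assertion trust."""
    findings = []
    if saml.get("sslVerifyServerCert", "").lower() == "false":
        findings.append("sslVerifyServerCert=false: outbound TLS to the IdP skips certificate verification")
    if saml.get("signedAssertion", "").lower() == "false":
        findings.append("signedAssertion=false: a signed assertion is not required")
    legacy = {"SSL3", "TLS1.0", "TLS1.1"} & {v.strip() for v in saml.get("sslVersions", "").split(",")}
    if legacy:
        findings.append("sslVersions allows legacy protocols: " + ",".join(sorted(legacy)))
    if saml.get("fqdn", "").startswith("http://"):
        findings.append("fqdn is plain http: the SAML response is posted to the ACS unencrypted")
    return findings
```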

Re: SAML SSO on search head cluster behind load balancer

Builder

Is your WIP http://webportalsplunk? Can you post the metadata that is generated from this config?

Is this from the search head that works with SAML but does not work with load balancing? Is your LB an F5? Do you have session persistence on your WIP to ensure that the same client is directed to the same search head? (I'm not sure if session persistence is actually required on the load balancer; this is just what we have configured in our working environment.)

0 Karma

Re: SAML SSO on search head cluster behind load balancer

Explorer

Yes, if I generate the metadata from the pool members behind the VIP, SAML works.
Yes, our LB is an F5. I think persistence is enabled. As of now, it works with LDAP perfectly. If you send me your email I can send the metadata file directly. I am not able to upload it here or use other file sharing tools.

0 Karma

Re: SAML SSO on search head cluster behind load balancer

Builder

Thanks, can you post the metadata generated from this config?

0 Karma

Re: SAML SSO on search head cluster behind load balancer

Explorer

Sorry, I can't access http://pastebin.com as this is blocked in our proxy.

0 Karma

Re: SAML SSO on search head cluster behind load balancer

Explorer

Can you share your LB setup? Because I am not able to generate the metadata with my setup using http:///saml/spmetadata; I am able to generate it using http://:8000/saml/spmetadata.

0 Karma

Re: SAML SSO on search head cluster behind load balancer

Builder
ltm pool /myPartition/traf_splunk_https_pool {
    description "Splunk Clustered Search Head Pool"
    load-balancing-mode predictive-member
    members {
        /myPartition/splunk1_node:8000 {
            address 192.168.0.11
        }
        /myPartition/splunk2_node:8000 {
            address 192.168.0.12
        }
        /myPartition/splunk3_node:8000 {
            address 192.168.0.13
        }
    }
    monitor /myPartition/https_splunk_8000 
}

ltm virtual /myPartition/traf_splunk_https_vs {
    description "Splunk Clustered Search Head"
    destination /myPartition/192.168.12.12:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /myPartition/splunk_sourceaddr-persistence-profile {
            default yes
        }
    }
    pool /myPartition/traf_splunk_https_pool
    profiles {
        /Common/tcp { }
    }
    rules {
        /myPartition/restrictToInternal_irule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
0 Karma

Re: SAML SSO on search head cluster behind load balancer

Explorer

Thanks. Our setup is below; how is it different from yours?

              Wide IP
             /       \
       DC1 VIP        DC2 VIP
          |              |
    apache proxy1   apache proxy2
          |              |
  Splunksvr1:8000   Splunksvr2:8000

0 Karma