Deployment Architecture

SAML Support on Search head Clusters

Path Finder

Hello !

With the latest v 6.3 that was released earlier today, one of the features that was introduced was the ability of Splunk Enterprise to handle SAML based authentication (without needing custom messy Apache configurations, etc).

The question I had was whether SAML based SSO solution will work with Search Head Clustering ?

I was unable to find any mention about this in the documentation.

Can anyone provide any insight on this ?

Thanks and Regards,
Madan Sudhindra

1 Solution

Splunk Employee
Splunk Employee

You only have to enable SAML on the search head, once you do that, search head cluster behavior will work as normal.

Hope that helps.

View solution in original post

Path Finder

Hi @jworthington

Reading through the documentation, it seems that SAML based SSO is only supported with Ping Identity as an Identity Provider.

Are standards based SAML 2.0 providers (non Ping Identity) not supported yet ? If so, when do you expect them to be supported ?
Our IdP does not support an Attribute Query URL. How would we configure SAML in the absence of such a URL.

Also, I dont see any mention of where the IdP should post the SAML response to a Splunk search-head (Assertion Consumer Service URL).

Thanks,
Madan Sudhindra

Splunk Employee
Splunk Employee

It's a good best practice to configure them the same way, I would think. And the the server.pem or saml.pem DEFNITELY need to be same on all the Search heads in a SHC set up so that they can communicate.

Path Finder

OK. Thanks.

I'll try this out in the next week and post my findings to this thread.

0 Karma

Splunk Employee
Splunk Employee

Great, look forward to hearing back about how things go. I'm the writer for the topics so please let me know if you find something that is not helpful or something that you think might improve the docs!

Splunk Employee
Splunk Employee

You only have to enable SAML on the search head, once you do that, search head cluster behavior will work as normal.

Hope that helps.

View solution in original post

Path Finder

Thanks for the quick reply.

I have 4 search heads in my cluster. Would I set the entity ID of all four search heads to the same value (splunk.foo.com) ?

0 Karma

New Member

Madan,

so the entity ID should be the same for all the search heads in the cluster or each should have its own ID?

Ruby

0 Karma

Builder

Yes, the entity ID of all the search heads in the cluster will be same.

0 Karma