SAML Support on Search Head Clusters

msudhindra
Path Finder

Hello!

With the latest v6.3 that was released earlier today, one of the features that was introduced was the ability of Splunk Enterprise to handle SAML-based authentication (without needing custom messy Apache configurations, etc.).

The question I had was whether the SAML-based SSO solution will work with Search Head Clustering?

I was unable to find any mention of this in the documentation.

Can anyone provide any insight on this?

Thanks and Regards,
Madan Sudhindra

1 Solution

jworthington_sp
Splunk Employee

You only have to enable SAML on the search head. Once you do that, search head cluster behavior will work as normal.

Hope that helps.

msudhindra
Path Finder

Hi @jworthington

Reading through the documentation, it seems that SAML-based SSO is only supported with Ping Identity as an Identity Provider.

Are standards-based SAML 2.0 providers (non Ping Identity) not supported yet? If so, when do you expect them to be supported?
Our IdP does not support an Attribute Query URL. How would we configure SAML in the absence of such a URL?

Also, I don't see any mention of where the IdP should post the SAML response to a Splunk search head (Assertion Consumer Service URL).

Thanks,
Madan Sudhindra

jworthington_sp
Splunk Employee

It's a good best practice to configure them the same way, I would think. And the server.pem or saml.pem DEFINITELY need to be the same on all the search heads in an SHC setup so that they can communicate.

msudhindra
Path Finder

OK. Thanks.

I'll try this out in the next week and post my findings to this thread.

jworthington_sp
Splunk Employee

Great, look forward to hearing back about how things go. I'm the writer for the topics, so please let me know if you find something that is not helpful or something that you think might improve the docs!

msudhindra
Path Finder

Thanks for the quick reply.

I have 4 search heads in my cluster. Would I set the entity ID of all four search heads to the same value (splunk.foo.com)?

ruby_sheen
New Member

Madan,

So should the entity ID be the same for all the search heads in the cluster, or should each have its own ID?

Ruby

suarezry
Builder

Yes, the entity ID of all the search heads in the cluster will be the same.

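Added example (not part of the thread and not Splunk's own tooling): a drift check for the two things the replies above say must match on every search head cluster member, the SAML entity ID and the certificate file. It assumes each member's `authentication.conf` text and PEM bytes have already been collected; the host names, certificate bytes and the `sh3` mismatch are constructed sample data.

```python
import configparser
import hashlib


def saml_entity_id(conf_text):
    """Return entityId from the stanza named by authSettings, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    if cp.get("authentication", "authType", fallback="") != "SAML":
        return None
    stanza = cp.get("authentication", "authSettings", fallback="")
    return cp.get(stanza, "entityId", fallback=None)


def find_drift(members):
    """members: {host: (authentication.conf text, PEM bytes)} -> findings."""
    findings = []
    ids = {h: saml_entity_id(conf) for h, (conf, _) in members.items()}
    fps = {h: hashlib.sha256(pem).hexdigest()[:16]
           for h, (_, pem) in members.items()}
    for host, eid in sorted(ids.items()):
        if eid is None:
            findings.append(f"{host}: SAML not enabled or entityId missing")
    if len({e for e in ids.values() if e is not None}) > 1:
        findings.append(f"entityId differs across members: {ids}")
    if len(set(fps.values())) > 1:
        findings.append(f"certificate file differs across members: {fps}")
    return findings


def sample_conf(entity_id):
    # Constructed authentication.conf fragment for the example.
    return ("[authentication]\nauthType = SAML\nauthSettings = saml\n\n"
            f"[saml]\nentityId = {entity_id}\n")


# Constructed cluster of four members; sh3 has drifted on both checks.
SAMPLE = {
    "sh1": (sample_conf("splunk.foo.com"), b"constructed-pem-A"),
    "sh2": (sample_conf("splunk.foo.com"), b"constructed-pem-A"),
    "sh3": (sample_conf("sh3.foo.com"), b"constructed-pem-B"),
    "sh4": (sample_conf("splunk.foo.com"), b"constructed-pem-A"),
}

if __name__ == "__main__":
    for finding in find_drift(SAMPLE):
        print(finding)
```

The certificate comparison hashes the raw file bytes, so a re-encoded copy of the same key material would also be reported as drift.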