Hi Splunkers!!,

We have recently configured SSO in Splunk using Keycloak, and it's working fine — users are able to log in through the Keycloak identity provider.

Now, we have a new requirement where some users should be able to bypass SSO and use the traditional Splunk login (username/password) instead.

Current Setup:

• Splunk SSO is configured via Keycloak (SAML).

• All users are redirected to Keycloak for authentication.

• We now want to allow dual login options:

  • Primary: SSO via Keycloak (default for most users).

  • Secondary: Traditional login for selected users (e.g., admins, service accounts).

Objective:

Allow both SSO and non-SSO (Splunk local authentication) login methods to coexist.


Below is our setting for SSO.

[authentication]
authSettings = saml
authType = SAML

[roleMap_SAML]
commissioning_engineer = integration
hlc_support_engineer = integration

[saml]
caCertFile = D:\Splunk\etc\auth\cacert.pem
clientCert = D:\Splunk\etc\auth\server.pem
entityId = splunk
fqdn = https://splunk.kigen-iht-001.cnaw.k8s.kigen.com
idpCertExpirationCheckInterval = 86400s
idpCertExpirationWarningDays = 90
idpCertPath = idpCert.pem
idpSLOUrl = https://keycloak.walamb-iht-001.cnap.k8s.kigen.com/auth/realms/production/protocol/saml
idpSSOUrl = https://keycloak.walamb-iht-001.cnap.k8s.kigen.com/auth/realms/production/protocol/saml
inboundDigestMethod = SHA1;SHA256;SHA384;SHA512
inboundSignatureAlgorithm = RSA-SHA1;RSA-SHA256;RSA-SHA384;RSA-SHA512
issuerId = https://keycloak.walamb-iht-001.cnap.k8s.kigen.com/auth/realms/production
lockRoleToFullDN = true
redirectPort = 443
replicateCertificates = true
scimEnabled = false
signAuthnRequest = true
signatureAlgorithm = RSA-SHA1
signedAssertion = true
sloBinding = HTTP-POST
sslPassword = $7$CCkQUt0tA8sZJMmU+8kigen0zdv/mxXjJsLRbmuBkEnMfhQ==
ssoBinding = HTTP-POST

[userToRoleMap_SAML]
kg-user = commiss_engineer;hlc_support_engineer::::