Reporting

Why is the Splunk SAML SSO unable to open direct email link?

Explorer

Hello,

Since we switched to SAML SSO, we are unable to open Splunk links directly from our email. Every time I click on a link, it redirects to the IdP, authenticates, and then displays the portalinsight search page instead of the results of the query. The email link works if I am already signed in, but that is rare. I don’t have Splunk open most of the time.

Any ideas how to prevent this in SAML SSO?

Thanks in Advance.

0 Karma

I know this isn't a perfect answer, but I've experienced the same behavior and find it best to keep a tab open in my browser with a Splunk session. Any subsequent emails that contain links to Splunk reports open just fine as long as I keep one tab open with a current session. I think it has to do with the header rewriting necessary to redirect to the SSO service, but I'm not an expert in that area.

0 Karma

Explorer

Yeah, that's the workaround and it works that way. However, I am not logged into Splunk all day and the session won't be active all the time. It's kind of an inconvenience for the users to click twice to see the exact page.

0 Karma

Champion

Did you check the hostname passed in the email?

0 Karma

Explorer

Yes, the email link has the hostname. Ideally, it should authenticate with SSO and then direct to the results page. Instead it takes us to the default search. We need to click the email link again to view the results, keeping the same session.

0 Karma

Champion

Can you verify the hostname in alert_actions.conf and the actual hostname of your Splunk instance?

0 Karma

Explorer

In the alert_actions.conf, we have the VIP name:port, not the actual name of the searchhead server. We have three searchhead servers; it has the VIP name:port and Splunk SSO works with the VIP.

0 Karma

Champion

Can you try changing it to only the hostname? Refer below:

hostname = <string>
     * Sets the hostname used in the web link (url) sent in alerts.
     * This value accepts two forms.
        * hostname
         examples: splunkserver, splunkserver.example.com
        * protocol://hostname:port
         examples: http://splunkserver:8000, https://splunkserver.example.com:443
     * When this value is a simple hostname, the protocol and port which
       are configured within splunk are used to construct the base of
       the url.
     * When this value begins with 'http://', it is used verbatim.  
       NOTE: This means the correct port must be specified if it is not
       the default port for http or https.
     * This is useful in cases when the Splunk server is not aware of
       how to construct an externally referencable url, such as SSO
       environments, other proxies, or when the Splunk server hostname
       is not generally resolvable.
     * Defaults to current hostname provided by the operating system, or if that fails "localhost".
     * When set to empty, default behavior is used.

0 Karma
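
The two accepted forms in the spec excerpt above can be checked mechanically. The following is an added example, not part of the original thread and not Splunk's own code: it classifies the `hostname` value from alert_actions.conf and compares the resulting link base with the URL users reach through SSO. The `[email]` stanza placement, the `web_scheme`/`web_port` parameters and the `splunk-vip.example.com` name are assumptions.

```python
import configparser
import re
from urllib.parse import urlsplit

HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")
DEFAULT_PORTS = {"http": 80, "https": 443}

def link_base(value, web_scheme, web_port):
    """Return (form, base_url) for a hostname value, per the two forms in the spec.
    web_scheme/web_port stand in for the protocol and port configured in Splunk Web."""
    v = value.strip()
    if not v:
        return "default", None            # empty: OS hostname is used instead
    if re.match(r"https?://", v, re.I):
        return "url", v.rstrip("/")       # protocol://hostname:port, used verbatim
    if HOST_RE.fullmatch(v):
        return "hostname", f"{web_scheme}://{v}:{web_port}"
    return "undocumented", None           # e.g. host:port without a protocol

def _origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)

def audit(conf_text, web_scheme, web_port, external_base):
    """Compare the link base an alert email would carry with the SSO-facing URL."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    value = cp.get("email", "hostname", fallback="")  # assumed stanza: [email]
    form, base = link_base(value, web_scheme, web_port)
    findings = []
    if form == "undocumented":
        findings.append(f"'{value}' matches neither documented form")
    elif form == "default":
        findings.append("hostname unset: links use the search head's OS hostname")
    elif _origin(base) != _origin(external_base):
        findings.append(f"link base {base} differs from external URL {external_base}")
    return form, base, findings

# Constructed samples; splunk-vip.example.com is a placeholder, not a value from the thread.
VIP_PORT = "[email]\nhostname = splunk-vip.example.com:8000\n"
FULL_URL = "[email]\nhostname = https://splunk-vip.example.com:8000\n"

if __name__ == "__main__":
    for conf in (VIP_PORT, FULL_URL):
        print(audit(conf, "https", 8000, "https://splunk-vip.example.com:8000"))
```
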

Explorer

We will make this change and test for the behavior. I will update you on the status. Thanks for your help.

0 Karma

Explorer

Hello,

Sorry, it did not work; it is still the same. Whenever it does the SSO, it always redirects to the http:////en-US/app/portalinsight/search and we need to click the link again to see the results page.

0 Karma

Explorer

Hi Gurav, do you have any other suggestions to make it work?

0 Karma