Since we switched to SAML SSO, we are unable to open Splunk links directly from our email. Every time I click on a link, it redirects to the IdP, authenticates, and then displays the portalinsight search page instead of the results of the query. The email link works if I am already signed in, but that is rare. I don’t have Splunk open most of the time.
Any ideas how to prevent this in SAML SSO?
Thanks in Advance.
I know this isn't a perfect answer, but I've experienced the same behavior and find it best to keep a tab open in my browser with a Splunk session. Any subsequent emails that contain links to Splunk reports open just fine as long as I keep one tab open with a current session. I think it has to do with the header rewriting necessary to redirect to the SSO service, but I'm not an expert in that area.
Yeah, that's the workaround and it works that way. However, I am not logged into Splunk all day, and the session won't be active all the time. It's kind of an inconvenience for the users to click twice to see the exact page.
Yes, the email link has the hostname. Ideally, it should authenticate with SSO and then direct to the results page. Instead it takes us to the default search. We need to click the email link again to view the results, keeping the same session.
In the alert_actions.conf, we have the VIP name:port not the actual name of the searchhead server. We have three searchhead servers, it has the VIP name:port and splunk SSO works with the VIP.
Can you try to change to only hostname? Refer below:
hostname = <string>
* Sets the hostname used in the web link (url) sent in alerts.
* This value accepts two forms.
* hostname examples: splunkserver, splunkserver.example.com
* protocol://hostname:port examples: http://splunkserver:8000, https://splunkserver.example.com:443
* When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url.
* When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https.
* This is useful in cases when the Splunk server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk server hostname is not generally resolvable.
* Defaults to current hostname provided by the operating system, or if that fails "localhost".
* When set to empty, default behavior is used.
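An added example, not part of the thread and not Splunk's own code: the Python below sorts a hostname value into the forms the quoted spec text describes and builds the link base for each, rejecting values the text does not cover. The function names and the splunk-vip.example.com host are constructed; treating 'https://' like 'http://' and giving the empty value the configured protocol and port are assumptions.

```python
import re
from urllib.parse import urlsplit

# Bare host or FQDN: dot-separated labels, no scheme and no port.
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
_SIMPLE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def classify(value):
    """Return which form of the quoted spec text a hostname value matches."""
    value = value.strip()
    if not value:
        return "default"        # "When set to empty, default behavior is used."
    # Assumption: https:// is handled like http:// (the spec lists both
    # as examples of the protocol://hostname:port form).
    if value.lower().startswith(("http://", "https://")):
        return "verbatim"
    if _SIMPLE.match(value):
        return "simple"
    return "unrecognized"       # e.g. host:port with no protocol


def link_base(value, web_scheme, web_port, os_hostname="localhost"):
    """Build the base of an alert link from the setting, per the spec text."""
    value = value.strip()
    form = classify(value)
    if form == "verbatim":
        if not urlsplit(value).hostname:
            raise ValueError(f"no host in {value!r}")
        return value.rstrip("/")    # used as written, port included
    if form == "simple":
        return f"{web_scheme}://{value}:{web_port}"
    if form == "default":
        # Assumption: the OS hostname is combined with the configured
        # protocol and port, as for a simple hostname.
        return f"{web_scheme}://{os_hostname}:{web_port}"
    raise ValueError(f"{value!r} matches neither form in the spec text")


if __name__ == "__main__":
    # Constructed sample values; splunk-vip.example.com is a placeholder.
    for v in ("splunkserver", "https://splunk-vip.example.com:8000",
              "splunk-vip.example.com:8000", ""):
        print(repr(v), "->", classify(v))
```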
Sorry, it did not work; it is still the same. Whenever it does the SSO, it always redirects to the http:////en-US/app/portalinsight/search and we need to click the link again to see the results page.