How to configure OKTA SAML2 authentication with Splunk?

andrewjhill
Explorer

Support for OKTA SAML authentication was just announced with Splunk 6.4:
http://blogs.splunk.com/2016/04/05/splunk-enterprise-6-4/

Our team is very eager to get this implemented, however, we could not find documentation for this topic. Has anyone had success configuring OKTA SAML2 with Splunk Enterprise? Furthermore, have you been able to successfully pass roles from OKTA to Splunk?

Any help would be greatly appreciated.

Thanks!

niemesrw
Path Finder

OK, I just had to add a new search head and here are my steps:

  • Enable SSL on your Splunk server
  • Ensure you have a FQDN for your server
  • Ensure you know your Splunk server's hostname (in my case I used the EC2 hostname)
  • Ensure you have an Okta / AD group to map Splunk roles to

OKTA SETUP:

  • Log in to Okta and choose to create a new app (don't search for the Splunk app - it won't work)
  • Choose "create a new app" and SAML 2.0
  • Give it a name and click next

In your new app use the following fields:

Sign-On URL should be in this format: https://ec2-xx-xx-xx-xx.us-west-2.compute.amazonaws.com:8443/saml/acs
(note the /saml/acs in the URL)

Audience URI should be the server hostname
Default RelayState should be /
Name ID format: Unspecified
Application username: Okta username
Group statements should be
role : Starts with

Save the application

Assign the application to users - I use the same group as the role I've mapped

Download the metadata

SPLUNK SETUP:

  • Go into SAML configuration and upload the metadata file.
  • Click apply (this might be unnecessary... not really sure)
  • Check Sign AuthnRequest
  • Click SAVE

Click New Group
Map the role to the AD / OKTA Group name

If you run into issues, you can always get back in using /en-US/account/login?loginType=splunk for local credentials


fspeece
New Member

I get an error when applying the SAML config in Splunk (but I am an admin and should have the permission):
"You do not have permission to perform this operation (requires capability: change_authentication)."

If I then go to the Splunk home page I get:
"The app "None" is not available"

If I go to the Okta portal shortcut I then get:
"No valid splunk role found in the local mapping or assertion."

My mapping in auth.conf:
[rolemap_SAML]
admin = Splunk Admins
which is the group in AD and group in Okta that gives access to Splunk


niemesrw
Path Finder

You should verify you have 'change authentication' as part of the admin role. That's my guess on that one.

As far as the role mapping - have you modified OKTA to send the role of Splunk Admins over?


fspeece
New Member

Yes change auth is a part of the admin role.
Not sure how to do the 2nd part.


niemesrw
Path Finder

We're struggling with this as well since the Splunk documentation isn't complete for the Okta IdP. I have a support case open, but here's what I've been able to do without support so far:

First, I believe the sso url should be /saml/acs

Under group attribute statements in Okta, put http://schemas.microsoft.com/ws/2008/06/identity/claims/role and then your group filter. We named them all with role-splunk* in them and verified using SAML tracer that they're coming over.

Now I see this: No valid splunk role found in the local mapping or assertion. I verified the rolemap_saml configuration in authentication.conf.

niemesrw
Path Finder

We had to do one more thing to map the roles from Okta. Under the Group Attribute Statements, we added

role, name format: unspecified, filter: starts with (name of our AD group to pass)


artcarrera
Explorer

Niemesrw, did you create your own Okta app or did you use the pre-built one in Okta? The one in the Okta docs does not seem to work right for me. Can you share your Okta config below?

thx in advance.


andrewjhill
Explorer

We successfully implemented this creating a custom app in Okta versus using the prebuilt one. If you'd like the how-to, let me know.

Thanks!

fspeece
New Member

A how-to please!


niemesrw
Path Finder

I created a how-to answer and added it to this question. Let me know if it works for you.


artcarrera
Explorer

I would love it! That would save me a lot of headaches. 🙂 Thanks in advance.


artcarrera
Explorer

These Okta settings below seem to be working.

Single Sign On URL- https://splunkserver:port/saml/acs
Recipient URL- https://splunkserver:port/saml/acs
Destination URL- https://splunkserver:port/saml/acs
Audience Restriction- https://splunkserver:port
Default Relay State (blank)
Name ID Format- Unspecified
Response- Signed
Assertion Signature- Signed
Signature Algorithm- RSA_SHA256
Digest Algorithm- SHA256
Assertion Encryption- Unencrypted
SAML Single Logout- Disabled
authnContextClassRef- PasswordProtectedTransport
Honor Force Authentication- Yes
SAML Issuer ID- http://www.okta.com/${org.externalKey}

ATTRIBUTE STATEMENTS
Name: myMail
Name Format: Unspecified
Value: user.email

Name: myRealName
Name Format: Unspecified
Value: user.firstName

GROUP ATTRIBUTE STATEMENTS
Name: myRole
Name Format: Unspecified
Filter: Starts with:

==================================================
In Splunk, just copy the metadata into the field and apply. You then need to set the 3 attribute names to: myRole, myRealName, myMail

Also make sure to add the appropriate role name(s). It/they must match the group name from AD.

thx,
art
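The two how-to posts above (niemesrw's step list and art's Okta field settings) describe the same coupling without showing it: the group attribute statement Okta emits, the attributeAlias* settings and [roleMap_SAML] stanza in Splunk's authentication.conf, and the Audience URI versus Splunk's entityId. The script below is an added example, not Splunk's or Okta's code, that models that decision so the "No valid splunk role found in the local mapping or assertion." error can be reproduced offline. The stanza and key names (authType, authSettings, entityId, attributeAliasRole/Mail/RealName, roleMap_SAML) are taken from Splunk's authentication.conf; the config text, hostnames, group names and the unsigned assertion XML are constructed for the example, and the exact case-sensitive group match is this example's simplification of Splunk's behaviour.

```python
"""Added example (not Splunk's or Okta's code): model how Splunk turns a SAML
assertion from Okta into Splunk roles, and reproduce the two common failures
(group attribute name mismatch, Audience URI / entityId mismatch).
"""
import configparser
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed authentication.conf. Stanza and key names follow Splunk's
# authentication.conf; hostnames and group names are placeholders.
AUTH_CONF = """\
[authentication]
authType = SAML
authSettings = okta

[okta]
entityId = https://splunk.example.com:8443
idpSSOUrl = https://example.okta.com/app/splunk/sso/saml
signAuthnRequest = true
attributeAliasRole = myRole
attributeAliasMail = myMail
attributeAliasRealName = myRealName

[roleMap_SAML]
admin = Splunk Admins
user = Splunk Users;Splunk Readers
"""


def _assertion(audience, role_attr_name, groups):
    """Build a minimal constructed assertion (unsigned; signature checks are out of scope)."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="myMail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="myRealName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{role_attr_name}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Three constructed assertions: a working one, one where Okta's group attribute
# name does not match attributeAliasRole, and one where the Audience URI was set
# to the bare hostname instead of the scheme://fqdn:port value used as entityId.
ASSERTION_OK = _assertion("https://splunk.example.com:8443", "myRole", ["Splunk Admins", "Everyone"])
ASSERTION_WRONG_ATTR = _assertion("https://splunk.example.com:8443", "role", ["Splunk Admins"])
ASSERTION_WRONG_AUDIENCE = _assertion("splunk.example.com", "myRole", ["Splunk Users"])


def load_settings(conf_text):
    """Return (SAML settings dict, {splunk_role: set of IdP group names}) from conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. attributeAliasRole
    cp.read_string(conf_text)
    settings = dict(cp[cp["authentication"]["authSettings"]])
    rolemap = {}
    for splunk_role, groups in cp["roleMap_SAML"].items():
        # Splunk separates multiple IdP groups for one role with ';'
        rolemap[splunk_role] = {g.strip() for g in groups.split(";") if g.strip()}
    return settings, rolemap


def parse_attributes(assertion_xml):
    """Return ({attribute name: [values]}, Audience text or None) from the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    aud = root.find(".//saml:Audience", SAML_NS)
    return attrs, (aud.text if aud is not None else None)


def map_roles(assertion_xml, conf_text=AUTH_CONF):
    """Return the sorted Splunk roles for the assertion, or raise ValueError with the reason."""
    settings, rolemap = load_settings(conf_text)
    attrs, audience = parse_attributes(assertion_xml)
    if audience != settings["entityId"]:
        raise ValueError(f"Audience {audience!r} does not match entityId {settings['entityId']!r}")
    role_attr = settings.get("attributeAliasRole", "role")
    groups = set(attrs.get(role_attr, []))
    # Exact, case-sensitive match between IdP group name and a roleMap_SAML value
    roles = sorted(r for r, wanted in rolemap.items() if groups & wanted)
    if not roles:
        raise ValueError("No valid splunk role found in the local mapping or assertion.")
    return roles


if __name__ == "__main__":
    print(map_roles(ASSERTION_OK))  # ['admin']
    for bad in (ASSERTION_WRONG_ATTR, ASSERTION_WRONG_AUDIENCE):
        try:
            map_roles(bad)
        except ValueError as err:
            print("rejected:", err)
```

Run it and compare the rejected cases with what a SAML tracer shows for your real login: if the attribute carrying the groups is named differently from attributeAliasRole, or the group string differs from the [roleMap_SAML] value even by case or spacing, the user lands in exactly the "No valid splunk role" state described in this thread.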

fspeece
New Member

I got an error when logging into Splunk from the Okta portal: "No valid splunk role found in the local mapping or assertion." Any idea what this could be?


ChrisG
Splunk Employee

Did you find the topics in the Securing Splunk Enterprise manual, starting with Configure single sign-on with SAML?
