How to configure OKTA SAML2 authentication with Sp...

andrewjhill · ‎04-07-2016

Support for OKTA SAML authentication was just announced with Splunk 6.4:
http://blogs.splunk.com/2016/04/05/splunk-enterprise-6-4/

Our team is very eager to get this implemented, however, we could not find documentation for this topic. Has anyone had success configuring OKTA SAML2 with Splunk Enterprise? Furthermore, have you been able to successfully pass roles from OKTA to Splunk?

Any help would be greatly appreciated.

Thanks!

niemesrw · ‎06-27-2016

OK, I just had to add a new search head and here are my steps:

Enable SSL on your splunk server
Ensure you have a FQDN for your server
Ensure you know your splunk server's hostname (in my case I used the EC2 hostname)
Ensure you have a OKTA / AD group to map Splunk roles to

OKTA SETUP:

Login to OKTA and choose to create a new app (don't search for the splunk app - it won't work)
Choose "create a new app" and SAML 2.0
Give it a name and click next

In your new app use the following fields:

Sign-On URL should be in this format: https://ec2-xx-xx-xx-xx.us-west-2.compute.amazonaws.com:8443/saml/acs
(note the /saml/acs in the URL)

Audience URI should be the server hostname
Default RelayState should be /
Name ID format: Unspecified
Application username: Okta username
Group statements should be
role : Starts with

Save the application

Assign the application to users - I use the same group as the role I've mapped

Download the metadata

SPLUNK SETUP:

Go into SAML configuration and upload the metadata file.
Click apply (this might be unnecessary.. not really sure)
Check Sign AuthnRequest
Click SAVE

Click New Group
Map the role to the AD / OKTA Group name

If you run into issues, you can always get back in using /en-US/account/login?loginType=splunk for local credentials

fspeece · ‎07-01-2016

I get an error when applying the SAML Config in splunk (but I am an admin and should have the permission):
"You do not have permission to perform this operation (requires capability: change_authentication)."

If I then go to to splunk home page I get:
"The app "None" is not available"

If I go to the Okta portal shortcut I then get:
"No valid splunk role found in the local mapping or assertion."

My mapping in auth.conf:
[rolemap_SAML]
admin = Splunk Admins
which is the group in AD and group in Okta that gives access to Splunk

niemesrw · ‎07-01-2016

You should verify you have 'change authentication' as part of the admin role. That's my guess on that one.

As far as the role mapping - have you modified OKTA to send the role of Splunk Admins over?

fspeece · ‎07-06-2016

Yes change auth is a part of the admin role.
Not sure how to do the 2nd part.

niemesrw · ‎04-13-2016

We're struggling with this as well since the splunk documentation isn't complete for the OKTA IdP. I have a support case open, but here's what I've been able to do w/o support so far:

First, I believe the sso url should be /saml/acs

Under group attribute statements on OKTA, put http://schemas.microsoft.com/ws/2008/06/identity/claims/role and then your group filter. We named them all with role-splunk* in them and verified using SAML tracer that they're coming over.

Now I see this: No valid splunk role found in the local mapping or assertion. I verified the rolemap_saml configuration in authentication.conf.

niemesrw · ‎04-14-2016

We had to do one more thing to map the roles from OKTA. Under the Group Attribute Statements, we added

role, name format: unspecified, filter: starts with (name of our AD group to pass)

artcarrera · ‎06-14-2016

Niemesrw, did you create your own Okta app or did you use the pre-built one in the Okta? The one in the Okta docs does not seem to work right for me. Can you share your okta config below?

thx in advance.

andrewjhill · ‎06-14-2016

We successfully implemented this creating a custom app in Okta versus using the prebuilt one. If you'd like the how-to, let me know.

Thanks!

fspeece · ‎06-24-2016

A how-to please!

niemesrw · ‎06-27-2016

I created a how-to answer and added it to this question. Let me know if it works for you.

artcarrera · ‎06-14-2016

I would love it! That would save me a lot of headaches. 🙂 Thanks in advance.

artcarrera · ‎06-14-2016

These OKTA settings below seem to be working.

Single Sign On URL- https://splunkserver:port/saml/acs
Recipient URL- https://splunkserver:port/saml/acs
Destination URL- https://splunkserver:port /saml/acs
Audience Restriction- https://splunkserver:port
Default Relay State (blank)
Name ID Format- Unspecified
Response- Signed
Assertion Signature- Signed
Signature Algorithm- RSA_SHA256
Digest Algorithm- SHA256
Assertion Encryption- Unencrypted
SAML Single Logout- Disabled
authnContextClassRef- PasswordProtectedTransport
Honor Force Authentication- Yes
SAML Issuer ID- http://www.okta.com/${org.externalKey}

ATTRIBUTE STATEMENTS
Name: myMail
Name Format: Unspecified
Value: user.email

Name: myRealName
Name Format: Unspecified
Value: user.firstName

GROUP ATTRIBUTE STATEMENTS
Name: myRole
Name Format: Unspecified
Filter: Starts with:

==================================================
In Splunk, just copy the metadata into the field and apply. You then need to set the 3 attribute names to: myRole, myRealName, myMail

Also make sure to add the appropriate role name(s). It/they must match the group name from AD.

thx,
art

fspeece · ‎06-24-2016

I got error when logging into splunk from okta portal: "No valid splunk role found in the local mapping or assertion." any idea what this could be?

ChrisG · ‎04-07-2016

Did you find the topics in the Securing Splunk Enterprise manual, starting with Configure single sign-on with SAML?

How to configure OKTA SAML2 authentication with Splunk?

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake