I am working on integrating the SAML authentication for Splunk Cloud. I have a few questions before I start working in integration.
SAML2.0 is pretty standard. What makes Splunk support only specific Identity Providers rather than all the standard SAML2.0 implementations out there?!
Does Splunk Cloud support deep link URLs?
Which default SAML binding does Splunk require HTTP POST Or REDIRECT Or ARTIFACT?! Does it support other bindings too?
1) SAML2.0 is pretty standard. What makes Splunk support only specific Identity Providers rather than all the standard SAML2.0 implementations out there?!
Every vendors implement portion of SAML 2.0 and leave out the rest. We need to test / ensure that the IdP works with our code base. This will help us to meet our cloud related SLA to our customers.
2) Does Splunk Cloud support deep link URLs?
Yes we do, We track the user’s link(example – a saved search link etc.) using the ‘relayState’ parameter of SAML. When a user logs in using SAML, we sent the user’s link to the IDP as a part of the SAML request in a SP initiated workflow. Once the user is authenticated, we get the relayState back in the SAML response and we redirect the user to the link.
3) Which default SAML binding does Splunk require HTTP POST Or REDIRECT Or ARTIFACT?! Does it support other bindings too?
We support POST (6.3/6.4), REDIRECT (6.4.1)
4) How can I get the sp metadata from Splunk Cloud?
Log in as a local user. Navigate to splunkweb’s endpoint - ‘https://:/en-us/saml/spmetadata' endpoint. This has Splunk’s SP metadata and you can copy the entire xml out. Note:- If saml is not configured, a template entity id called ‘SplunkentityId’ is generated as a placeholder. This entity id can be changed when SAML is configured.
There is a slight catch with Splunk Cloud that doesn't happen with Splunk Web in my experience. I've set up SAML SSO on both configurations.
When configuring SAML on Splunk Cloud from Okta was that I needed to configure a load balancer in the SAML configuration. Otherwise it went to sh1.CUSTOMERINSTANCENAME.splunkcloud.com:8443 which isn't Internet accessible.
Here were my steps (note the missing steps 7-10 that are special for Splunk Cloud since it has a load balancer involved):