Security

How to integrate SAML authentication for Splunk Cloud?

ankumar_juniper
Explorer

Hi Splunkers,

I am working on integrating the SAML authentication for Splunk Cloud. I have a few questions before I start working in integration.

  1. SAML2.0 is pretty standard. What makes Splunk support only specific Identity Providers rather than all the standard SAML2.0 implementations out there?!

  2. Does Splunk Cloud support deep link URLs?

  3. Which default SAML binding does Splunk require HTTP POST Or REDIRECT Or ARTIFACT?! Does it support other bindings too?

    1. How can I get the sp metadata from Splunk Cloud?

pbrunel_splunk
Splunk Employee
Splunk Employee

1) SAML2.0 is pretty standard. What makes Splunk support only specific Identity Providers rather than all the standard SAML2.0 implementations out there?!

Every vendors implement portion of SAML 2.0 and leave out the rest. We need to test / ensure that the IdP works with our code base. This will help us to meet our cloud related SLA to our customers.

2) Does Splunk Cloud support deep link URLs?

Yes we do, We track the user’s link(example – a saved search link etc.) using the ‘relayState’ parameter of SAML. When a user logs in using SAML, we sent the user’s link to the IDP as a part of the SAML request in a SP initiated workflow. Once the user is authenticated, we get the relayState back in the SAML response and we redirect the user to the link.

3) Which default SAML binding does Splunk require HTTP POST Or REDIRECT Or ARTIFACT?! Does it support other bindings too?

We support POST (6.3/6.4), REDIRECT (6.4.1)

4) How can I get the sp metadata from Splunk Cloud?

Log in as a local user. Navigate to splunkweb’s endpoint - ‘https://:/en-us/saml/spmetadata' endpoint. This has Splunk’s SP metadata and you can copy the entire xml out. Note:- If saml is not configured, a template entity id called ‘SplunkentityId’ is generated as a placeholder. This entity id can be changed when SAML is configured.

#thankyoueng

alain_odea
Engager

There is a slight catch with Splunk Cloud that doesn't happen with Splunk Web in my experience. I've set up SAML SSO on both configurations.

When configuring SAML on Splunk Cloud from Okta was that I needed to configure a load balancer in the SAML configuration. Otherwise it went to sh1.CUSTOMERINSTANCENAME.splunkcloud.com:8443 which isn't Internet accessible.

Here were my steps (note the missing steps 7-10 that are special for Splunk Cloud since it has a load balancer involved):

  1. Log into my Splunk Cloud
  2. Go to Settings | Access Controls
  3. Set External to SAML
  4. Click Configure Splunk to use SAML
  5. By Metadata XML File, click Select File and browse to metadata file from Okta
  6. Scroll down and copy Issuer ID and then paste it into the Entity ID field
  7. Scroll down and set Name ID Format to Unspecified
  8. [MISSING STEP] Click the HTTP POST buttons by SSO Binding and SLO Binding
  9. [MISSING STEP] set Fully qualified domain name or IP of the load balancer to https://CUSTOMERINSTANCENAME.splunkcloud.com (replace CUSTOMERINSTANCENAME with yours or your customer's real instance name)
  10. [MISSING STEP] set Redirect port - load balancer port to 443
  11. Click Save
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...