I want to migrate from LDAP Authentication to Microsoft Azure AD Single Sign On.
I currently have LDAP authentication set up with my Active Directory domain using the sAMAccountName as the login field. This means that I log into Splunk with the username john. With the release of Splunk 6.4.0 and SSO with Azure AD, I want to move to that.
I have figured out how to use the email address as the username by setting the nameIdFormat field in authentication.conf.
Migration Plan
/etc/users/$sAMAccountName to /etc/users/$emailAddress
sed s/$sAMAccountName/$emailAddress/
I foresee an issue with this. When I change the authentication to SSO, there will be no users on the system. Users will only be created on first login. Does this mean that all the scheduled searches won't run until that specific user logs in?
Should I create a scheduled search user specifically for this reason and set it up beforehand?
Additional Questions
/etc/users/*/*/history
out of the set command?

Here's my story for others to follow and hopefully improve upon
I mostly followed the Splunk docs to configure single sign-on.
For doing a SAML group to Splunk role mapping, you need to use the AAD group IDs, which you can get using the PowerShell Get-MsolGroup cmdlet.
I also added the line nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress to the [saml] stanza. This means usernames will be the UPN rather than a horrible object ID.
So I wrote a migration script to do the migration, which requires csvcut. I have a lookup file in my Splunk instance already, built daily using an LDAP search, which is where the sAMAccountName to userPrincipalName mapping comes from.
The script does the following:
Saved searches require an existing user to run (else they are orphaned). With Azure AD as an identity provider, Splunk needs to create a cache, so to speak, of users. It does this by putting a username = list;of;roles into authentication.conf under the stanza [userToRoleMap_SAML] when a user first logs in. I want all scheduled searches to run, so whenever a public knowledge object is found, I add that user to the new-auths file. Then I imported it into the authentication.conf file manually as a seed.
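As an added example (not the answer's own csvcut/sed script), a Python version of the migration steps described above: it loads the sAMAccountName to userPrincipalName mapping from the lookup CSV, renames etc/users/<sam> to <upn>, rewrites owner lines in *.meta files with a whole-value match (so replacing john cannot also alter johnson, as an unanchored sed would), and emits the [userToRoleMap_SAML] seed for every owner found. The sample lookup, its roles column and the directory layout are constructed assumptions.

```python
import csv
import io
import re
from pathlib import Path
# Constructed sample of the daily LDAP lookup; the "roles" column is an assumption.
LOOKUP_CSV = """sAMAccountName,userPrincipalName,roles
john,john@example.com,user;power
johnson,johnson@example.com,user
"""
# Anchored on the whole value, so 'john' never rewrites 'johnson' the way sed s/john/../ would.
OWNER_RE = re.compile(r"^(\s*owner\s*=\s*)(\S+)\s*$")
SKIP = {"nobody", "admin"}  # app-level objects and the local admin are not directory users

def load_mapping(csv_text):
    """{sam (lowercased): (upn, roles)} from the lookup CSV."""
    return {r["sAMAccountName"].lower(): (r["userPrincipalName"], r["roles"])
            for r in csv.DictReader(io.StringIO(csv_text))}

def rewrite_owners(meta_text, mapping):
    """Rewrite 'owner = <sam>' lines to the UPN; return (text, upns_seen, unmapped_sams)."""
    out, seen, unknown = [], set(), set()
    for line in meta_text.splitlines(keepends=True):
        m = OWNER_RE.match(line)
        if m and m.group(2).lower() in mapping:
            upn = mapping[m.group(2).lower()][0]
            seen.add(upn)
            line = f"{m.group(1)}{upn}\n"
        elif m and m.group(2) not in SKIP:
            unknown.add(m.group(2))
        out.append(line)
    return "".join(out), seen, unknown

def migrate(users_dir, meta_roots, mapping):
    """Rename etc/users/<sam> to <upn>, rewrite every *.meta under meta_roots and return the
    [userToRoleMap_SAML] seed for every owner found, so their searches run before first login."""
    owners, unknown = set(), set()
    for p in sorted(Path(users_dir).iterdir()):
        if p.name.lower() in mapping:
            p.rename(p.with_name(mapping[p.name.lower()][0]))
        else:
            unknown.add(p.name)
    for root in meta_roots:
        for meta in Path(root).rglob("*.meta"):
            text, seen, unk = rewrite_owners(meta.read_text(), mapping)
            meta.write_text(text)
            owners, unknown = owners | seen, unknown | unk
    roles = dict(mapping.values())
    seed = "[userToRoleMap_SAML]\n" + "".join(f"{u} = {roles[u]}\n" for u in sorted(owners))
    return seed, unknown
```

Access lists that name users (write : [ john ]) are left untouched and need a second pass; unmapped names are returned so their orphaned objects can be reassigned before the cut-over.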
How did you transfer ownership of existing items (dashboards, reports, alerts etc) from LDAP users to AzureAD users?
I think you're right on with your thought process. However, I feel that by creating the '/etc/users/emailAddy' folders you're effectively creating users in the "SSO world", so that once SSO is enabled users will exist and their saved searches will be fine. I say go forth and write the manual for all those who will follow!!!