Security

How to migrate from LDAP authentication to Microsoft Azure Single Sign On with change of username?

joxley
Path Finder

I want to migrate from LDAP Authentication to Microsoft Azure AD Single Sign On.

I currently have LDAP authentication set up with my active directory domain using the sAMAccountName as the login field. This means that I log into Splunk with the username john. With the release of Splunk 6.4.0 and SSO with Azure AD, I want to move to that.

I have figured out how to use the email address as the username by setting the nameIdFormat field in authentication.conf.

Migration Plan

  1. Move each folder in /etc/users/$sAMAccountName to /etc/users/$emailAddress
  2. For each user do a recursive sed s/$sAMAccountName/$emailAddress/
  3. Switch to SSO and map roles (which I've already prepared on a dev server)

I foresee an issue with this. When I change the authentication to SSO, there will be no users on the system. Users will only be created on first login. Does this mean that all the scheduled searches won't run until that specific user logs in?

Should I create a scheduled search user specifically for this reason and set it up beforehand?

Additional Questions

  1. Should I leave /etc/users/*/*/history out of the set command?
  2. Does the history matter that much?
  3. What else have I forgotten?
1 Solution

joxley
Path Finder

Here's my story for others to follow and hopefully improve upon

I mostly followed the Splunk docs to configure single sign-on.

For doing a SAML group to Splunk role mapping, you need to use the AAD group IDs which you can get using the Powershell Get-MsolGroup commandlet.

I also put in the line nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress to the [saml] stanza. This means usernames will be the UPN rather than a horrible object ID.

So I wrote a migration script to do the migration which requires csvcut. I have a lookup file in my splunk instance already, built daily using an ldap search which is where the sAMAccountName to userPrincipalName mapping comes from.

The script does the following:

  1. Rename the users directory
  2. Do an in-place sed to change ownership of all public objects
  3. Build a file of new users to insert into authentication.conf

Saved searches require an existing user to run (else they are orphaned). With Azure AD as an identity provider, Splunk needs to create a cache, so to speak, of users. It does this by putting a username = list;of;roles into authentication.conf under the stanza [userToRoleMap_SAML] when a user first logs in. I want all scheduled searches to run, so whenever a public knowledge object is found, I add that user to the new-auths file. Then I imported it into the authentication.conf file manually as a seed.

View solution in original post

joxley
Path Finder

Here's my story for others to follow and hopefully improve upon

I mostly followed the Splunk docs to configure single sign-on.

For doing a SAML group to Splunk role mapping, you need to use the AAD group IDs which you can get using the Powershell Get-MsolGroup commandlet.

I also put in the line nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress to the [saml] stanza. This means usernames will be the UPN rather than a horrible object ID.

So I wrote a migration script to do the migration which requires csvcut. I have a lookup file in my splunk instance already, built daily using an ldap search which is where the sAMAccountName to userPrincipalName mapping comes from.

The script does the following:

  1. Rename the users directory
  2. Do an in-place sed to change ownership of all public objects
  3. Build a file of new users to insert into authentication.conf

Saved searches require an existing user to run (else they are orphaned). With Azure AD as an identity provider, Splunk needs to create a cache, so to speak, of users. It does this by putting a username = list;of;roles into authentication.conf under the stanza [userToRoleMap_SAML] when a user first logs in. I want all scheduled searches to run, so whenever a public knowledge object is found, I add that user to the new-auths file. Then I imported it into the authentication.conf file manually as a seed.

jthairu_splunk
Splunk Employee
Splunk Employee

How did you transfer ownership of existing items (dashboards, reports, alerts etc) from LDAP users to AzureAD users?

0 Karma

jkat54
SplunkTrust
SplunkTrust

I think you're right on with your thought process. However I fell that by creating the '/etc/users/emailAddy' folders you're effectively creating users in the "sSo world" so that once SSO is enabled users will exist and their saved searches will be fine. I say go forth and write the manual for all those who will follow!!!

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...