Is it possible to use SAML 2 for Splunk to achieve both single sign-on (SSO) and role-based access control (RBAC)?


I am investigating the feasibility of using SAML 2 for Splunk to achieve both single sign-on (SSO) and role-based access control (RBAC).

Splunk has a number of ways for user authentication:

  • Splunk internal: User information is stored in Splunk itself. A user would have to sign on each and every time visiting a different Splunk web host.
  • LDAP: Splunk uses an LDAP server as user ID store.
  • Proxy SSO: Splunk web must run behind a proxy server, such as Apache or IIS, which actually implements the sign-on part of SSO.
  • Scripted authentication: Splunk calls a custom script to perform user ID acquisition and authentication.

For user access authorization:

  • LDAP: Using LDAP for authentication allows Splunk to map LDAP groups to Splunk roles for access control.
  • Script: The script for authentication is also used to assign roles to the user.

Splunk does not seem to allow both SSO and RBAC simultaneously: The only mechanism for SSO is running Splunk web behind a proxy server. But in that case, it still relies on internally stored user information or LDAP group mappings to assign roles to an authenticated user, if this post in the Splunk Answers still holds true. Even if that changes, fronting every Splunk web service with a proxy creates an administrative challenge when you have many Splunk search heads running on both Linux and Windows, for example. Unless, of course, one uses something like Novel NetIQ or Citrix NetScaler. But those mechanisms introduce complexities of their own.

Scripted authentication would offer a way to implement both SSO and RBAC simultaneously if Splunk passes along HTTP request headers to the script. But that does not seem to be the case from reading the documentation.

Is that about right? Thanks for any comments.

New Member

I manage to use saml to map everyone in my company to one AD with user role so every time that a new user come with have the saml auth. with a role that cant do anything, just point them to a portal that will use splunk api to create and add/remove roles with that user(ldap) on splunk and if that ldap exist in splunk it will take precedence over saml when he logs with the roles that he requested.

0 Karma

Splunk Employee
Splunk Employee

I think this might answer your question.

With SAML in Splunk, there is an 'undocumented' feature when it comes to the group->role mapping.

IF you have a group in your AD (or LDAP) that a comes across in the SAML assertion 'role' attribute, AND you have an exactly the same named role in Splunk, Splunk will associate that use to that role automatically without having to have a group->role mapping explicitly set in the SAML configuration (authentication.conf).

For instance, if you have an AD group named 'acme-splunk-users' and you had a custom Splunk role created named 'acme-splunk-users' then any user with that group would automatically map to that Splunk role without the explicit mapping created in the SAML configuration.

Now - that being said - it would still be a two step process. You would need to create a new custom role in Splunk for every new AD group that you create and wish to have come into Splunk via SAML. There is not an automagic way of doing that otherwise.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!