Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to use SAML 2 for Splunk to achieve both single sign-on (SSO) and role-based access control (RBAC)?

ww9rivers
Contributor
‎04-08-2015 12:48 PM

I am investigating the feasibility of using SAML 2 for Splunk to achieve both single sign-on (SSO) and role-based access control (RBAC).

Splunk has a number of ways for user authentication:

  • Splunk internal: User information is stored in Splunk itself. A user would have to sign on each and every time visiting a different Splunk web host.
  • LDAP: Splunk uses an LDAP server as user ID store.
  • Proxy SSO: Splunk web must run behind a proxy server, such as Apache or IIS, which actually implements the sign-on part of SSO.
  • Scripted authentication: Splunk calls a custom script to perform user ID acquisition and authentication.

For user access authorization:

  • LDAP: Using LDAP for authentication allows Splunk to map LDAP groups to Splunk roles for access control.
  • Script: The script for authentication is also used to assign roles to the user.

Splunk does not seem to allow both SSO and RBAC simultaneously: The only mechanism for SSO is running Splunk web behind a proxy server. But in that case, it still relies on internally stored user information or LDAP group mappings to assign roles to an authenticated user, if this post in the Splunk Answers still holds true. Even if that changes, fronting every Splunk web service with a proxy creates an administrative challenge when you have many Splunk search heads running on both Linux and Windows, for example. Unless, of course, one uses something like Novel NetIQ or Citrix NetScaler. But those mechanisms introduce complexities of their own.

Scripted authentication would offer a way to implement both SSO and RBAC simultaneously if Splunk passes along HTTP request headers to the script. But that does not seem to be the case from reading the documentation.

Is that about right? Thanks for any comments.

Reply

smarius
New Member
‎11-01-2018 05:11 AM

I manage to use saml to map everyone in my company to one AD with user role so every time that a new user come with have the saml auth. with a role that cant do anything, just point them to a portal that will use splunk api to create and add/remove roles with that user(ldap) on splunk and if that ldap exist in splunk it will take precedence over saml when he logs with the roles that he requested.

0 Karma
Reply

pgreer_splunk
Splunk Employee
Splunk Employee
‎10-20-2016 10:34 AM

I think this might answer your question.

With SAML in Splunk, there is an 'undocumented' feature when it comes to the group->role mapping.

IF you have a group in your AD (or LDAP) that a comes across in the SAML assertion 'role' attribute, AND you have an exactly the same named role in Splunk, Splunk will associate that use to that role automatically without having to have a group->role mapping explicitly set in the SAML configuration (authentication.conf).

For instance, if you have an AD group named 'acme-splunk-users' and you had a custom Splunk role created named 'acme-splunk-users' then any user with that group would automatically map to that Splunk role without the explicit mapping created in the SAML configuration.

Now - that being said - it would still be a two step process. You would need to create a new custom role in Splunk for every new AD group that you create and wish to have come into Splunk via SAML. There is not an automagic way of doing that otherwise.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...