I am investigating the feasibility of using SAML 2 for Splunk to achieve both single sign-on (SSO) and role-based access control (RBAC).
Splunk has a number of ways for user authentication:
For user access authorization:
Splunk does not seem to allow both SSO and RBAC simultaneously: The only mechanism for SSO is running Splunk web behind a proxy server. But in that case, it still relies on internally stored user information or LDAP group mappings to assign roles to an authenticated user, if this post on Splunk Answers still holds true. Even if that changes, fronting every Splunk web service with a proxy creates an administrative challenge when you have many Splunk search heads running on both Linux and Windows, for example. Unless, of course, one uses something like Novell NetIQ or Citrix NetScaler. But those mechanisms introduce complexities of their own.
Scripted authentication would offer a way to implement both SSO and RBAC simultaneously if Splunk passes along HTTP request headers to the script. But that does not seem to be the case from reading the documentation.
Is that about right? Thanks for any comments.
I think this might answer your question.
With SAML in Splunk, there is an 'undocumented' feature when it comes to the group->role mapping.
IF you have a group in your AD (or LDAP) that comes across in the SAML assertion 'role' attribute, AND you have a role with exactly the same name in Splunk, Splunk will associate that user with that role automatically without having to have a group->role mapping explicitly set in the SAML configuration (authentication.conf).
For instance, if you have an AD group named 'acme-splunk-users' and you had a custom Splunk role created named 'acme-splunk-users' then any user with that group would automatically map to that Splunk role without the explicit mapping created in the SAML configuration.
Now - that being said - it would still be a two step process. You would need to create a new custom role in Splunk for every new AD group that you create and wish to have come into Splunk via SAML. There is not an automagic way of doing that otherwise.
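A small simulation of that lookup, added here as an illustration and not Splunk's own code: it parses a constructed `[roleMap_SAML]` stanza (stanza name and semicolon-separated group list follow the shape authentication.conf uses), applies explicit mappings first and the same-name fallback second, and reports the assertion groups that would still need a new role created, which is the two-step point made above. All group and role names are constructed.

```python
import configparser

# Constructed authentication.conf fragment: Splunk role on the left,
# SAML group names on the right, separated by semicolons.
AUTHENTICATION_CONF = """
[roleMap_SAML]
admin = splunk-admins
power = splunk-power;acme-analysts
"""

# Constructed set of roles that exist on this Splunk instance.
SPLUNK_ROLES = {"admin", "power", "user", "acme-splunk-users"}


def parse_role_map(conf_text, stanza="roleMap_SAML"):
    """Return {saml_group: splunk_role} from the roleMap stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep role names case-sensitive
    cp.read_string(conf_text)
    group_to_role = {}
    if cp.has_section(stanza):
        for role, groups in cp.items(stanza):
            for group in groups.split(";"):
                group = group.strip()
                if group:
                    group_to_role[group] = role
    return group_to_role


def effective_roles(assertion_groups, group_to_role, splunk_roles):
    """Simulate the mapping described in the answer.

    Explicit roleMap entries win; otherwise a group whose name equals an
    existing Splunk role maps to that role. Returns (roles, unmapped_groups)
    so an admin can see which groups still need a role created.
    """
    roles, unmapped = set(), []
    for group in assertion_groups:
        if group in group_to_role:
            roles.add(group_to_role[group])
        elif group in splunk_roles:
            roles.add(group)  # implicit same-name match, no roleMap entry
        else:
            unmapped.append(group)
    return roles, unmapped


if __name__ == "__main__":
    # Constructed 'role' attribute values from one SAML assertion.
    groups = ["acme-splunk-users", "acme-analysts", "acme-new-team"]
    print(effective_roles(groups, parse_role_map(AUTHENTICATION_CONF), SPLUNK_ROLES))
```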
I managed to use SAML to map everyone in my company to one AD group with the user role, so every time a new user comes in with SAML auth. with a role that can't do anything, I just point them to a portal that uses the Splunk API to create that user (LDAP) and add/remove roles for them on Splunk, and if that LDAP user exists in Splunk it will take precedence over SAML when they log in, with the roles they requested.