Security

Is it possible to use just one spmetadata.xml file in ADFS for all members of my search head cluster?

Motivator

We just added two new members to the cluster for a total of five search heads. The ADFS/SAML guy wants to know if I can use just one certificate for all of the nodes, but it looks to me like each node must have its own specific xml imported into ADFS.

Is there a way to use just one xml file for all of the nodes?

1 Solution

Builder

Are the 5 nodes configured as a search head cluster behind a load balancer? If so then yes, you only provide a single SP metadata file to ADFS.


Motivator

Yes, they are in an SHC behind a load balancer.
The first three nodes all had to have their own xml imported to ADFS, because it was the only way to get it to work.

SH01 - captain; spmetadata imported
SH02 - spmetadata imported
SH03 - spmetadata imported
SH04 - newly added member
SH05 - newly added member

So, which spmetadata should we import to ADFS? Does it matter?

0 Karma

Builder

For example, the load balanced fqdn is https://splunkcluster.mydomain.ca. When a client navigates to this the LB will forward to any one of SH01-SH05. Your nodes will need to be configured to answer this. The ssl certs for saml on all the nodes must be the same (ie. for https://splunkcluster.mydomain.ca). The SAML configurations must be the same.

Post your authentication.conf from two different nodes.

0 Karma

Motivator

SH01

[mydomain.ds]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=splunkldap,OU=Hosting - Systems Analyst,OU=2K8Users,DC=mydomain,DC=ds
bindDNpassword = ***************************
charset = utf8
emailAttribute = mail
groupBaseDN = ou=2k8Users,dc=mydomain,dc=ds
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = mydomain.ds
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = ou=2k8Users,dc=mydomain,dc=ds
userNameAttribute = samaccountname

[roleMap_mydomain.ds]
<redacted :)>

[authentication]
authSettings = saml
authType = SAML

[userToRoleMap_SAML]
<redacted :)>

[saml]
allowSslCompression = true
attributeQueryRequestSigned = true
attributeQueryResponseSigned = true
attributeQueryTTL = 604800
caCertFile = C:\Splunk\etc\auth\server.pem
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = SplunkSSO
fqdn = https://spectre.mydomain.com
idpSLOUrl = https://adfs.mydomain.com/adfs/ls/?wa=wsignout1.0
idpSSOUrl = https://adfs.mydomain.com/adfs/ls/
maxAttributeQueryQueueSize = 100
maxAttributeQueryThreads = 2
redirectAfterLogoutToUrl = http://www.splunk.com
redirectPort = 443
signAuthnRequest = true
signedAssertion = false
sslKeysfile = C:\Splunk\etc\auth\server.pem
sslKeysfilePassword = ***************************
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2

[authenticationResponseAttrMap_SAML]
mail = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
realName = http://schemas.xmlsoap.org/claims/CommonName
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/role

[roleMap_SAML]
<redacted :)>

SH02

[mydomain.ds]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=splunkldap,OU=Hosting - Systems Analyst,OU=2K8Users,DC=mydomain,DC=ds
bindDNpassword = ***************************
charset = utf8
emailAttribute = mail
groupBaseDN = ou=2k8Users,dc=mydomain,dc=ds
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = mydomain.ds
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = ou=2k8Users,dc=mydomain,dc=ds
userNameAttribute = samaccountname

[roleMap_mydomain.ds]
<redacted :)>

[authentication]
authSettings = saml
authType = SAML

[userToRoleMap_SAML]
<redacted :)>

[saml]
allowSslCompression = true
attributeQueryRequestSigned = true
attributeQueryResponseSigned = true
attributeQueryTTL = 604800
caCertFile = C:\Splunk\etc\auth\server.pem
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = SplunkSSO
fqdn = https://spectre.mydomain.com
idpSLOUrl = https://adfs.mydomain.com/adfs/ls/?wa=wsignout1.0
idpSSOUrl = https://adfs.mydomain.com/adfs/ls/
maxAttributeQueryQueueSize = 100
maxAttributeQueryThreads = 2
redirectAfterLogoutToUrl = http://www.splunk.com
redirectPort = 443
signAuthnRequest = true
signedAssertion = false
sslKeysfile = C:\Splunk\etc\auth\server.pem
sslKeysfilePassword = ***************************
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2

[authenticationResponseAttrMap_SAML]
mail = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
realName = http://schemas.xmlsoap.org/claims/CommonName
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/role

[roleMap_SAML]
<redacted :)>

0 Karma

Builder

C:\Splunk\etc\auth\server.pem looks like the default cert auto-generated when you install Splunk.

If so, you'll need to generate a cert for https://spectre.mydomain.com and use this instead on all the nodes. Afterwards, download the SP metadata on each of your nodes and confirm that they are the same.

0 Karma

Motivator

So, I think I need to do these steps:

  1. openssl genrsa -out spectre.mydomain.com.key 2048
  2. openssl req -new -x509 -key spectre.mydomain.com.key -out spectre.mydomain.com.cert -days 3650 -subj /CN=spectre.mydomain.com
  3. Place spectre.mydomain.com.key & spectre.mydomain.com.cert in C:\Splunk\etc\auth folder
  4. Import spectre.mydomain.com.cert into ADFS
  5. Update authentication.conf to caCertFile = C:\Splunk\etc\auth\spectre.mydomain.com.cert
  6. Restart search heads

Did I miss anything?

0 Karma

Builder

Backup your configs in case you need to back out. Before doing anything with ADFS, first compare the SP metadata between all your nodes to ensure they're the same.

0 Karma
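The comparison recommended above can be scripted. This is an added example, not code from the thread or from Splunk: it parses each node's downloaded spmetadata.xml, pulls out the fields ADFS actually binds to (entityID, AssertionConsumerService and SingleLogoutService locations, and the SHA-256 fingerprint of each signing certificate), and reports which of them differ between nodes. The sample metadata below is constructed to mirror the thread's setup (entityId SplunkSSO, fqdn https://spectre.mydomain.com); the /saml/acs and /saml/logout paths and the certificate bytes are placeholders.

```python
"""Compare Splunk SP metadata (spmetadata.xml) across search head cluster members."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def summarize_sp_metadata(xml_text):
    """Return the fields ADFS binds to: entityID, ACS/SLO endpoints, signing cert fingerprints."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sorted(e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS))
    slo = sorted(e.get("Location") for e in sp.findall("md:SingleLogoutService", NS))
    certs = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        b64 = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
        der = base64.b64decode("".join(b64.split()))  # strip line breaks before decoding
        certs.add(hashlib.sha256(der).hexdigest())
    return {"entityID": root.get("entityID"), "acs": acs, "slo": slo,
            "cert_sha256": sorted(certs)}


def find_mismatches(metadata_by_node):
    """Return {field: {node: value}} for every field that is not identical on all nodes."""
    summaries = {n: summarize_sp_metadata(x) for n, x in metadata_by_node.items()}
    mismatches = {}
    for field in ("entityID", "acs", "slo", "cert_sha256"):
        values = {n: s[field] for n, s in summaries.items()}
        if len({repr(v) for v in values.values()}) > 1:
            mismatches[field] = values
    return mismatches


def _sample(fqdn, cert_b64):
    """Constructed SP metadata in the shape Splunk exports; endpoints/cert are placeholders."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="SplunkSSO">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{fqdn}/saml/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{fqdn}/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


SHARED = base64.b64encode(b"placeholder-shared-cert").decode()       # constructed, not real DER
PER_NODE = base64.b64encode(b"placeholder-sh04-default-cert").decode()
SAMPLE_NODES = {"SH01": _sample("https://spectre.mydomain.com", SHARED),
                "SH02": _sample("https://spectre.mydomain.com", SHARED),
                "SH04": _sample("https://spectre.mydomain.com", PER_NODE)}  # still on its own cert
```

Run it against the real files by replacing SAMPLE_NODES with a dict of node name to file contents; an empty result means a single spmetadata.xml can be handed to ADFS.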

Motivator

Well, spmetadata.xml does not match. (I only did the steps on the two newly added members just to play it safe.)

Should I also update these?
sslKeysfile = C:\Splunk\etc\auth\spectre.mydomain.com.key
sslKeysfilePassword = ***************************

0 Karma

Builder

What is the difference between the metadata files, just the certificates?

I have my certs in PEM format. It contains the public cert, private key, and root certificate in a single file. Take a look at your existing server.pem as an example.

0 Karma

Motivator

It worked. I combined them into a pem and I also had to update sslKeysfile, but now I am all set.

Thanks.

0 Karma

Explorer

Hi, I need to configure something similar to yours.
I have a load balancer (VIP) and a search head cluster with 4 nodes.
Should I use the fqdn of the load balancer (VIP) or the fqdn of each search head to configure the fqdn in authentication.conf?

0 Karma

Builder

You will need to use the fqdn of the VIP.

0 Karma