Security

Is it possible to use just one spmetadata.xml file in ADFS for all members of my search head cluster?

lycollicott
Motivator

We just added two new members to the cluster for a total of five search heads. The ADFS/SAML guy wants to know if I can use just one certificate for all of the nodes, but it looks to me like each node must have its own specific xml imported into ADFS.

Is there a way to use just one xml file for all of the nodes?

1 Solution

suarezry
Builder

Are the 5 nodes configured as a search head cluster behind a load balancer? If so then yes, you only provide a single SP metadata file to ADFS.


lycollicott
Motivator

Yes, they are in an SHC behind a load balancer.
The first three nodes all had to have their own xml imported to ADFS, because it was the only way to get it to work.

SH01 - captain; spmetadata imported
SH02 - spmetadata imported
SH03 - spmetadata imported
SH04 - newly added member
SH05 - newly added member

So, which spmetadata should we import to ADFS? Does it matter?


suarezry
Builder

For example, the load balanced fqdn is https://splunkcluster.mydomain.ca. When a client navigates to this the LB will forward to any one of SH01-SH05. Your nodes will need to be configured to answer this. The ssl certs for saml on all the nodes must be the same (ie. for https://splunkcluster.mydomain.ca). The SAML configurations must be the same.

Post your authentication.conf from two different nodes.


lycollicott
Motivator

SH01

[mydomain.ds]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=splunkldap,OU=Hosting - Systems Analyst,OU=2K8Users,DC=mydomain,DC=ds
bindDNpassword = ***************************
charset = utf8
emailAttribute = mail
groupBaseDN = ou=2k8Users,dc=mydomain,dc=ds
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = mydomain.ds
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = ou=2k8Users,dc=mydomain,dc=ds
userNameAttribute = samaccountname

[roleMap_mydomain.ds]
<redacted :)>

[authentication]
authSettings = saml
authType = SAML

[userToRoleMap_SAML]
<redacted :)>

[saml]
allowSslCompression = true
attributeQueryRequestSigned = true
attributeQueryResponseSigned = true
attributeQueryTTL = 604800
caCertFile = C:\Splunk\etc\auth\server.pem
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = SplunkSSO
fqdn = https://spectre.mydomain.com
idpSLOUrl = https://adfs.mydomain.com/adfs/ls/?wa=wsignout1.0
idpSSOUrl = https://adfs.mydomain.com/adfs/ls/
maxAttributeQueryQueueSize = 100
maxAttributeQueryThreads = 2
redirectAfterLogoutToUrl = http://www.splunk.com
redirectPort = 443
signAuthnRequest = true
signedAssertion = false
sslKeysfile = C:\Splunk\etc\auth\server.pem
sslKeysfilePassword = ***************************
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2

[authenticationResponseAttrMap_SAML]
mail = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
realName = http://schemas.xmlsoap.org/claims/CommonName
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/role

[roleMap_SAML]
<redacted :)>

SH02

[mydomain.ds]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=splunkldap,OU=Hosting - Systems Analyst,OU=2K8Users,DC=mydomain,DC=ds
bindDNpassword = ***************************
charset = utf8
emailAttribute = mail
groupBaseDN = ou=2k8Users,dc=mydomain,dc=ds
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = mydomain.ds
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = ou=2k8Users,dc=mydomain,dc=ds
userNameAttribute = samaccountname

[roleMap_mydomain.ds]
<redacted :)>

[authentication]
authSettings = saml
authType = SAML

[userToRoleMap_SAML]
<redacted :)>

[saml]
allowSslCompression = true
attributeQueryRequestSigned = true
attributeQueryResponseSigned = true
attributeQueryTTL = 604800
caCertFile = C:\Splunk\etc\auth\server.pem
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = SplunkSSO
fqdn = https://spectre.mydomain.com
idpSLOUrl = https://adfs.mydomain.com/adfs/ls/?wa=wsignout1.0
idpSSOUrl = https://adfs.mydomain.com/adfs/ls/
maxAttributeQueryQueueSize = 100
maxAttributeQueryThreads = 2
redirectAfterLogoutToUrl = http://www.splunk.com
redirectPort = 443
signAuthnRequest = true
signedAssertion = false
sslKeysfile = C:\Splunk\etc\auth\server.pem
sslKeysfilePassword = ***************************
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2

[authenticationResponseAttrMap_SAML]
mail = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
realName = http://schemas.xmlsoap.org/claims/CommonName
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/role

[roleMap_SAML]
<redacted :)>

suarezry
Builder

C:\Splunk\etc\auth\server.pem looks like the default cert auto-generated when you install splunk.

If so, you'll need to generate a cert for https://spectre.mydomain.com and use this instead on all the nodes. Afterwards, download the SP metadata on each of your nodes and confirm that they are the same.


lycollicott
Motivator

So, I think I need to do these steps:

  1. openssl genrsa -out spectre.mydomain.com.key 2048
  2. openssl req -new -x509 -key spectre.mydomain.com.key -out spectre.mydomain.com.cert -days 3650 -subj /CN=spectre.mydomain.com
  3. Place spectre.mydomain.com.key & spectre.mydomain.com.cert in C:\Splunk\etc\auth folder
  4. Import spectre.mydomain.com.cert into ADFS
  5. Update authentication.conf to caCertFile = C:\Splunk\etc\auth\spectre.mydomain.com.cert
  6. Restart search heads

Did I miss anything?


suarezry
Builder

Backup your configs in case you need to back out. Before doing anything with ADFS, first compare the SP metadata between all your nodes to ensure they're the same.


lycollicott
Motivator

Well, spmetadata.xml does not match. (I only did the steps on the two newly added members just to play it safe.)

Should I also update these?
sslKeysfile = C:\Splunk\etc\auth\spectre.mydomain.com.key
sslKeysfilePassword = ***************************


suarezry
Builder

What is the difference between the metadata files, just the certificates?

I have my certs in PEM format. It contains the public cert, private key, and root certificate in a single file. Take a look at your existing server.pem as an example.

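The advice above to compare the SP metadata between all nodes, and the question of whether the files differ only in their certificates, can be checked mechanically. The following is an added example, not code from the thread or from Splunk: it parses each node's spmetadata.xml, pulls out the fields ADFS relies on (entityID, the AssertionConsumerService URL and the SHA-256 fingerprint of the embedded signing certificate) and reports which of them differ. The XML and certificate bytes are constructed samples; the third node stands in for a member still on its auto-generated server.pem.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def summarize(xml_text: str) -> dict:
    """Extract the fields of one SP metadata document that the IdP (ADFS) keys on."""
    root = ET.fromstring(xml_text)
    acs = [e.get("Location") for e in root.findall(".//md:AssertionConsumerService", NS)]
    fingerprints = set()
    for cert in root.findall(".//ds:X509Certificate", NS):
        der = base64.b64decode("".join((cert.text or "").split()))  # strip PEM line wrapping
        fingerprints.add(hashlib.sha256(der).hexdigest())
    return {"entityID": root.get("entityID"),
            "acs": sorted(acs),
            "cert_sha256": sorted(fingerprints)}


def diff_metadata(metadata_by_node: dict) -> dict:
    """Return {field: {node: value}} for every field that is not identical on all nodes."""
    summaries = {node: summarize(xml) for node, xml in metadata_by_node.items()}
    diffs = {}
    for field in ("entityID", "acs", "cert_sha256"):
        values = {node: s[field] for node, s in summaries.items()}
        if len({repr(v) for v in values.values()}) > 1:
            diffs[field] = values
    return diffs


def _sample_metadata(cert_b64: str) -> str:
    # Constructed, minimal document shaped like Splunk's spmetadata.xml; not real output.
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="SplunkSSO">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://spectre.mydomain.com/saml/acs" index="0"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""


# Constructed stand-ins for certificate DER bytes (fingerprinting does not need a real cert).
SHARED_CERT = base64.b64encode(b"constructed shared spectre.mydomain.com cert").decode()
HOST_CERT = base64.b64encode(b"constructed per-host default server.pem cert").decode()
NODES = {"SH01": _sample_metadata(SHARED_CERT),
         "SH02": _sample_metadata(SHARED_CERT),
         "SH03": _sample_metadata(HOST_CERT)}   # still on its auto-generated cert

if __name__ == "__main__":
    for field, values in diff_metadata(NODES).items():
        print(f"{field} differs across nodes: {values}")
```

On a real cluster, fetch each node's metadata from its Splunk web UI (the SP metadata download), drop the documents into the dictionary in place of the samples, and an empty result means ADFS can be given any one of them.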

lycollicott
Motivator

It worked. I combined them into a pem and I also had to update sslKeysfile, but now I am all set.

Thanks.


ryangpeng
Explorer

Hi, I need to configure something similar to yours.
I have a load balancer (VIP) and a search head cluster with 4 nodes.
Should I use the fqdn of the load balancer (VIP) or the fqdn of each search head to configure the fqdn in authentication.conf?


suarezry
Builder

You will need to use the fqdn of the VIP.
