Security

Is it possible to use just one spmetadata.xml file in ADFS for all members of my search head cluster?

Motivator

We just added two new members to the cluster for a total of five search heads. The ADFS/SAML guy wants to know if I can use just one certificate for all of the nodes, but it looks to me like each node must have its own specific XML imported into ADFS.

Is there a way to use just one XML file for all of the nodes?


Re: Is it possible to use just one spmetadata.xml file in ADFS for all members of my search head cluster?

Builder

Are the 5 nodes configured as a search head cluster behind a load balancer? If so then yes, you only provide a single SP metadata file to ADFS.



Re: Is it possible to use just one spmetadata.xml file in ADFS for all members of my search head cluster?

Motivator

Yes, they are in an SHC behind a load balancer.
The first three nodes all had to have their own XML imported to ADFS, because it was the only way to get it to work.

SH01 - captain; spmetadata imported
SH02 - spmetadata imported
SH03 - spmetadata imported
SH04 - newly added member
SH05 - newly added member

So, which spmetadata should we import to ADFS? Does it matter?


Re: Is it possible to use just one spmetadata.xml file in ADFS for all members of my search head cluster?

Builder

For example, the load-balanced FQDN is https://splunkcluster.mydomain.ca. When a client navigates to this, the LB will forward to any one of SH01-SH05. Your nodes will need to be configured to answer this. The SSL certs for SAML on all the nodes must be the same (i.e. for https://splunkcluster.mydomain.ca). The SAML configurations must be the same.

Post your authentication.conf from two different nodes.


Re: Is it possible to use just one spmetadata.xml file in ADFS for all members of my search head cluster?

Motivator

SH01

[mydomain.ds]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=splunkldap,OU=Hosting - Systems Analyst,OU=2K8Users,DC=mydomain,DC=ds
bindDNpassword = ***************************
charset = utf8
emailAttribute = mail
groupBaseDN = ou=2k8Users,dc=mydomain,dc=ds
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = mydomain.ds
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = ou=2k8Users,dc=mydomain,dc=ds
userNameAttribute = samaccountname

[roleMap_mydomain.ds]
<redacted :)>

[authentication]
authSettings = saml
authType = SAML

[userToRoleMap_SAML]
<redacted :)>

[saml]
allowSslCompression = true
attributeQueryRequestSigned = true
attributeQueryResponseSigned = true
attributeQueryTTL = 604800
caCertFile = C:\Splunk\etc\auth\server.pem
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = SplunkSSO
fqdn = https://spectre.mydomain.com
idpSLOUrl = https://adfs.mydomain.com/adfs/ls/?wa=wsignout1.0
idpSSOUrl = https://adfs.mydomain.com/adfs/ls/
maxAttributeQueryQueueSize = 100
maxAttributeQueryThreads = 2
redirectAfterLogoutToUrl = http://www.splunk.com
redirectPort = 443
signAuthnRequest = true
signedAssertion = false
sslKeysfile = C:\Splunk\etc\auth\server.pem
sslKeysfilePassword = ***************************
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2

[authenticationResponseAttrMap_SAML]
mail = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
realName = http://schemas.xmlsoap.org/claims/CommonName
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/role

[roleMap_SAML]
<redacted :)>

SH02

[mydomain.ds]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=splunkldap,OU=Hosting - Systems Analyst,OU=2K8Users,DC=mydomain,DC=ds
bindDNpassword = ***************************
charset = utf8
emailAttribute = mail
groupBaseDN = ou=2k8Users,dc=mydomain,dc=ds
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = mydomain.ds
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = ou=2k8Users,dc=mydomain,dc=ds
userNameAttribute = samaccountname

[roleMap_mydomain.ds]
<redacted :)>

[authentication]
authSettings = saml
authType = SAML

[userToRoleMap_SAML]
<redacted :)>

[saml]
allowSslCompression = true
attributeQueryRequestSigned = true
attributeQueryResponseSigned = true
attributeQueryTTL = 604800
caCertFile = C:\Splunk\etc\auth\server.pem
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = SplunkSSO
fqdn = https://spectre.mydomain.com
idpSLOUrl = https://adfs.mydomain.com/adfs/ls/?wa=wsignout1.0
idpSSOUrl = https://adfs.mydomain.com/adfs/ls/
maxAttributeQueryQueueSize = 100
maxAttributeQueryThreads = 2
redirectAfterLogoutToUrl = http://www.splunk.com
redirectPort = 443
signAuthnRequest = true
signedAssertion = false
sslKeysfile = C:\Splunk\etc\auth\server.pem
sslKeysfilePassword = ***************************
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2

[authenticationResponseAttrMap_SAML]
mail = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
realName = http://schemas.xmlsoap.org/claims/CommonName
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/role

[roleMap_SAML]
<redacted :)>

Re: Is it possible to use just one spmetadata.xml file in ADFS for all members of my search head cluster?

Builder

C:\Splunk\etc\auth\server.pem looks like the default cert auto-generated when you install Splunk.

If so, you'll need to generate a cert for https://spectre.mydomain.com and use this instead on all the nodes. Afterwards, download the SP metadata on each of your nodes and confirm that they are the same.


Re: Is it possible to use just one spmetadata.xml file in ADFS for all members of my search head cluster?

Motivator

So, I think I need to do these steps:

  1. openssl genrsa -out spectre.mydomain.com.key 2048
  2. openssl req -new -x509 -key spectre.mydomain.com.key -out spectre.mydomain.com.cert -days 3650 -subj /CN=spectre.mydomain.com
  3. Place spectre.mydomain.com.key & spectre.mydomain.com.cert in C:\Splunk\etc\auth folder
  4. Import spectre.mydomain.com.cert into ADFS
  5. Update authentication.conf to caCertFile = C:\Splunk\etc\auth\spectre.mydomain.com.cert
  6. Restart search heads

Did I miss anything?


Re: Is it possible to use just one spmetadata.xml file in ADFS for all members of my search head cluster?

Builder

Back up your configs in case you need to back out. Before doing anything with ADFS, first compare the SP metadata between all your nodes to ensure they're the same.

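The two replies above both boil down to one check: download the SP metadata from every search head and confirm the files agree before touching ADFS. A byte-for-byte diff is noisy (timestamps, whitespace, element order), so the script below, an added example and not Splunk's own tooling, parses each file as standard SAML 2.0 metadata and compares only the fields the IdP actually relies on: entityID, AssertionConsumerService and SingleLogoutService endpoints, the signing flags, and the SHA-256 fingerprint of each KeyDescriptor certificate. The three sample metadata documents are constructed inline (the certificate bodies are placeholder bytes, not real DER), modelled on the situation in this thread where only the new members got a regenerated cert.

```python
"""Compare SAML SP metadata downloaded from several search-head-cluster members.

Added example for this thread, not Splunk code. Assumes standard SAML 2.0
metadata (md:EntityDescriptor / md:SPSSODescriptor). All sample input below
is constructed; the X509Certificate values are placeholder bytes, not real
certificates, which is fine because only their fingerprints are compared.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 fingerprint (hex) of the base64 DER body of a <ds:X509Certificate>."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


def summarize_sp_metadata(xml_text: str) -> dict:
    """Reduce one SP metadata document to the fields an IdP trust depends on."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")

    summary = {
        "entityID": root.get("entityID"),
        "AuthnRequestsSigned": sp.get("AuthnRequestsSigned"),
        "WantAssertionsSigned": sp.get("WantAssertionsSigned"),
    }
    # Endpoints: sorted tuples so element order in the file does not matter.
    summary["acs"] = tuple(sorted(
        (e.get("Binding"), e.get("Location"))
        for e in sp.findall("md:AssertionConsumerService", NS)))
    summary["slo"] = tuple(sorted(
        (e.get("Binding"), e.get("Location"))
        for e in sp.findall("md:SingleLogoutService", NS)))
    # Certificates: compare fingerprints per key use, not the raw base64 blob.
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # absent 'use' means both
        x509 = kd.find(".//ds:X509Certificate", NS)
        if x509 is not None and x509.text:
            certs[use] = cert_fingerprint(x509.text)
    summary["certs"] = tuple(sorted(certs.items()))
    return summary


def compare_nodes(metadata_by_node: dict) -> dict:
    """Return {field: {node: value}} for every field that is not identical on all nodes.

    An empty dict means a single spmetadata.xml can safely represent the cluster.
    """
    summaries = {node: summarize_sp_metadata(xml) for node, xml in metadata_by_node.items()}
    fields = set().union(*(s.keys() for s in summaries.values()))
    diffs = {}
    for field in fields:
        values = {node: s.get(field) for node, s in summaries.items()}
        if len(set(values.values())) > 1:
            diffs[field] = values
    return diffs


def _sample_metadata(cert_b64: str) -> str:
    """Constructed SP metadata in the shape Splunk exports; hostnames follow the thread."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="SplunkSSO">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://spectre.mydomain.com/saml/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://spectre.mydomain.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed scenario: SH01/SH02 still carry the default cert, SH04 a regenerated one.
_CERT_DEFAULT = base64.b64encode(b"constructed-cert-A").decode()
_CERT_NEW = base64.b64encode(b"constructed-cert-B").decode()
SAMPLE_NODES = {
    "SH01": _sample_metadata(_CERT_DEFAULT),
    "SH02": _sample_metadata(_CERT_DEFAULT),
    "SH04": _sample_metadata(_CERT_NEW),
}

if __name__ == "__main__":
    for field, values in compare_nodes(SAMPLE_NODES).items():
        print(f"MISMATCH {field}:")
        for node, value in values.items():
            print(f"  {node}: {value}")
```

In real use, replace `SAMPLE_NODES` with the contents of the spmetadata.xml downloaded from each member. Only a `certs` mismatch, as in the sample, means the endpoints and entityID already agree and the remaining job is the one the thread describes: one certificate for the load-balanced name on every node.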

Re: Is it possible to use just one spmetadata.xml file in ADFS for all members of my search head cluster?

Motivator

Well, spmetadata.xml does not match. (I only did the steps on the two newly added members just to play it safe.)

Should I also update these?
sslKeysfile = C:\Splunk\etc\auth\spectre.mydomain.com.key
sslKeysfilePassword = ***************************


Re: Is it possible to use just one spmetadata.xml file in ADFS for all members of my search head cluster?

Builder

What is the difference between the metadata files, just the certificates?

I have my certs in PEM format. The file contains the public cert, private key, and root certificate in a single file. Take a look at your existing server.pem as an example.
