We just added two new members to the cluster for a total of five search heads. The ADFS/SAML guy wants to know if I can use just one certificate for all of the nodes, but it looks to me like each node must have its own specific XML imported into ADFS.
Is there a way to use just one xml file for all of the nodes?
Are the 5 nodes configured as a search head cluster behind a load balancer? If so then yes, you only provide a single SP metadata file to ADFS.
Yes, they are in an SHC behind a load balancer.
The first three nodes all had to have their own xml imported to ADFS, because it was the only way to get it to work.
SH01 - captain; spmetadata imported
SH02 - spmetadata imported
SH03 - spmetadata imported
SH04 - newly added member
SH05 - newly added member
So, which spmetadata should we import to ADFS? Does it matter?
For example, the load-balanced FQDN is https://splunkcluster.mydomain.ca. When a client navigates to this, the LB will forward to any one of SH01-SH05. Your nodes will need to be configured to answer this. The SSL certs for SAML on all the nodes must be the same (i.e. for https://splunkcluster.mydomain.ca). The SAML configurations must be the same.
Post your authentication.conf from two different nodes.
SH01
[mydomain.ds]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=splunkldap,OU=Hosting - Systems Analyst,OU=2K8Users,DC=mydomain,DC=ds
bindDNpassword = ***************************
charset = utf8
emailAttribute = mail
groupBaseDN = ou=2k8Users,dc=mydomain,dc=ds
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = mydomain.ds
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = ou=2k8Users,dc=mydomain,dc=ds
userNameAttribute = samaccountname
[roleMap_mydomain.ds]
<redacted :)>
[authentication]
authSettings = saml
authType = SAML
[userToRoleMap_SAML]
<redacted :)>
[saml]
allowSslCompression = true
attributeQueryRequestSigned = true
attributeQueryResponseSigned = true
attributeQueryTTL = 604800
caCertFile = C:\Splunk\etc\auth\server.pem
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = SplunkSSO
fqdn = https://spectre.mydomain.com
idpSLOUrl = https://adfs.mydomain.com/adfs/ls/?wa=wsignout1.0
idpSSOUrl = https://adfs.mydomain.com/adfs/ls/
maxAttributeQueryQueueSize = 100
maxAttributeQueryThreads = 2
redirectAfterLogoutToUrl = http://www.splunk.com
redirectPort = 443
signAuthnRequest = true
signedAssertion = false
sslKeysfile = C:\Splunk\etc\auth\server.pem
sslKeysfilePassword = ***************************
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2
[authenticationResponseAttrMap_SAML]
mail = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
realName = http://schemas.xmlsoap.org/claims/CommonName
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/role
[roleMap_SAML]
<redacted :)>
SH02
[mydomain.ds]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=splunkldap,OU=Hosting - Systems Analyst,OU=2K8Users,DC=mydomain,DC=ds
bindDNpassword = ***************************
charset = utf8
emailAttribute = mail
groupBaseDN = ou=2k8Users,dc=mydomain,dc=ds
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = mydomain.ds
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = ou=2k8Users,dc=mydomain,dc=ds
userNameAttribute = samaccountname
[roleMap_mydomain.ds]
<redacted :)>
[authentication]
authSettings = saml
authType = SAML
[userToRoleMap_SAML]
<redacted :)>
[saml]
allowSslCompression = true
attributeQueryRequestSigned = true
attributeQueryResponseSigned = true
attributeQueryTTL = 604800
caCertFile = C:\Splunk\etc\auth\server.pem
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = SplunkSSO
fqdn = https://spectre.mydomain.com
idpSLOUrl = https://adfs.mydomain.com/adfs/ls/?wa=wsignout1.0
idpSSOUrl = https://adfs.mydomain.com/adfs/ls/
maxAttributeQueryQueueSize = 100
maxAttributeQueryThreads = 2
redirectAfterLogoutToUrl = http://www.splunk.com
redirectPort = 443
signAuthnRequest = true
signedAssertion = false
sslKeysfile = C:\Splunk\etc\auth\server.pem
sslKeysfilePassword = ***************************
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2
[authenticationResponseAttrMap_SAML]
mail = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
realName = http://schemas.xmlsoap.org/claims/CommonName
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/role
[roleMap_SAML]
<redacted :)>
C:\Splunk\etc\auth\server.pem looks like the default cert auto-generated when you install Splunk.
If so, you'll need to generate a cert for https://spectre.mydomain.com and use this instead on all the nodes. Afterwards, download the SP metadata on each of your nodes and confirm that they are the same.
So, I think I need to do these steps:
openssl genrsa -out spectre.mydomain.com.key 2048
openssl req -new -x509 -key spectre.mydomain.com.key -out spectre.mydomain.com.cert -days 3650 -subj /CN=spectre.mydomain.com
caCertFile = C:\Splunk\etc\auth\spectre.mydomain.com.cert
Did I miss anything?
Backup your configs in case you need to back out. Before doing anything with ADFS, first compare the SP metadata between all your nodes to ensure they're the same.
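A small added helper (not from this thread or from Splunk) for the "compare the SP metadata between all your nodes" step: it parses each node's spmetadata.xml, pulls out the entityID, AssertionConsumerService and SingleLogoutService locations and the SHA-256 fingerprint of the embedded signing certificate, and reports which fields differ. The sample metadata is constructed and the /saml/acs and /saml/logout paths and the certificate blobs are assumed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sp_metadata_summary(xml_text):
    """Extract the fields a relying-party trust in ADFS is bound to."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)
    prints = set()
    for cert in sp.findall(".//ds:X509Certificate", NS):
        der = base64.b64decode("".join(cert.text.split()))
        prints.add(hashlib.sha256(der).hexdigest())  # fingerprint of the DER bytes
    return {"entityID": root.get("entityID"),
            "acs": acs.get("Location") if acs is not None else None,
            "slo": slo.get("Location") if slo is not None else None,
            "cert_sha256": tuple(sorted(prints))}

def find_mismatches(metadata_by_node):
    """Return {field: {node: value}} for every field that is not identical on all nodes."""
    summaries = {n: sp_metadata_summary(x) for n, x in metadata_by_node.items()}
    out = {}
    for field in ("entityID", "acs", "slo", "cert_sha256"):
        if len({s[field] for s in summaries.values()}) > 1:
            out[field] = {n: s[field] for n, s in summaries.items()}
    return out

# Constructed sample metadata (not real Splunk output). The certificate blobs are
# placeholder base64 rather than real DER; only whether they match matters here.
def sample_metadata(cert_b64, fqdn="https://spectre.mydomain.com"):
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="SplunkSSO">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            f'<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{fqdn}/saml/logout"/>'
            f'<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{fqdn}/saml/acs" index="0"/>'
            '</md:SPSSODescriptor></md:EntityDescriptor>')

SHARED_CERT = base64.b64encode(b"placeholder cert shared by SH01-SH03").decode()
DEFAULT_CERT = base64.b64encode(b"placeholder auto-generated server.pem").decode()
NODES = {"SH01": sample_metadata(SHARED_CERT), "SH02": sample_metadata(SHARED_CERT),
         "SH04": sample_metadata(DEFAULT_CERT)}  # SH04 still has the install-time cert

if __name__ == "__main__":
    for field, values in find_mismatches(NODES).items():
        print(f"{field} differs across nodes: {values}")
```

Point it at the spmetadata.xml downloaded from each node in place of the constructed NODES dict; an empty result means ADFS can be given any one node's file.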
Well, spmetadata.xml does not match. (I only did the steps on the two newly added members just to play it safe.)
Should I also update these?
sslKeysfile = C:\Splunk\etc\auth\spectre.mydomain.com.key
sslKeysfilePassword = ***************************
What is the difference between the metadata files, just the certificates?
I have my certs in PEM format. It contains the public cert, private key, and root certificate in a single file. Take a look at your existing server.pem as an example.
It worked. I combined them into a pem and I also had to update sslKeysfile, but now I am all set.
Thanks.
Hi, I need to configure something similar to yours.
I have a load balancer (VIP) and a search head cluster with 4 nodes.
Should I use the fqdn of the load balancer (VIP) or the fqdn of each search head to configure the fqdn in authentication.conf?
You will need to use the FQDN of the VIP.