Missing Logout option - Enterprise license, LDAP A...

ndoerfler · ‎10-27-2020

Currently using LDAP authentication, enterprise license for splunk version 7.3.3

I know there was a similar issue in previous versions when SSO was used, and again if you were on a free license.

to meet CCI-002364, a logout message needs to be recorded. but there is no logout option. Could this be do to CAC authentication? Does anyone know if there's a workaround? Or why the logout option does not exist for users?

alonsocaio · ‎10-27-2020

Hi @ndoerfler,

As mentioned in this question Logging Out of Splunk, you could change the URL to logout as workaround:

<SPLUNK_HOSTNAME>/en-US/account/logout

I have tested with SAML/SSO and It seems to work.

ndoerfler · ‎10-28-2020

That would work for myself, and I could do that. But unfortunately not all users or customers that access will be as willing and end up closing the window itself which doesn't give me the logout notification. What we really need is that logout option to show. Or a technical reason as to why it doesn't show. If an auditor were to ask about the CCI, we currently don't have an answer for it.

isoutamo · ‎10-28-2020

Hi

Unfortunately splunk didn't record logout or time-out to logs unless you don't do explicit logout from gui.

Here is more about this on previous answer: https://community.splunk.com/t5/Archive/How-to-calculate-Splunk-session-for-a-user/m-p/482711

You could try to ask that they add this somehow to audit events in https://ideas.splunk.com, but as it's quite hard to define "logout/timeout" with exact time, this could be hard to get there.

r. Ismo

Missing Logout option - Enterprise license, LDAP Authentication

LDAP

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!