Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Native SAML authentication with Shibboleth IdP

suarezry
Builder
‎05-17-2016 08:26 AM

I've been playing with our on-premise Splunk to try to get native SAML authentication working with our Shibboleth v3 Identity Provider. Most of the docs detail how to get this working using Splunk SSO with reverse proxy (eg. Apache).

I have finally gotten native SAML to work and will post the answer here. IMO, it's much simpler and cleaner that using the reverse proxy. Hopefully this will help others down the road...

Reply
1 Solution
Solved! Jump to solution
Solution

suarezry
Builder
‎04-28-2017 11:06 AM

Configuration on Splunk

$SPLUNK_HOME/etc/system/local/authentication.conf

[authentication]
authSettings = saml
authType = SAML

[rolemap_SAML]
admin = splunkadmin
power = splunkPowerUser

[saml]
allowSslCompression = true
caCertFile = /opt/splunk/etc/auth/mycerts/splunk-mgmtPort.crt
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = https://mysplunk.myfqdn.ca
idpCertPath = idpCert.pem
idpSSOUrl = https://myidp.myfqdn.ca/idp/profile/SAML2/POST/SSO
redirectAfterLogoutToUrl = https://myidp.myfqdn.ca/idp/profile/Logout
redirectPort = 8000
signAuthnRequest = false
signedAssertion = true
sslKeysfile = /opt/splunk/etc/auth/mycerts/splunk-mgmtPort.crt
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2
defaultRoleIfMissing = none

[authenticationResponseAttrMap_SAML]
mail = urn:oid:0.9.2342.19200300.100.1.3
realName = urn:oid:2.5.4.3
role = urn:oid:2.5.4.12

The SP Metadata can be downloaded from https://mysplunk.myfqdn.ca:8000/saml/spmetadata. This needs to be provided to the Shibboleth IdP.

If you run into problems you can look at $SPLUNK_HOME/var/log/splunk/splunkd.log for SAML specific errors or warnings. The backdoor (to login with local username/password instead of SAML) is https://mysplunk.myfqdn.ca:8000/en-US/account/login?loginType=splunk

Configuration on the Shibboleth IdP

I had to create a new attribute for the nameid. I was able to reuse already existing attributes for role, email, and real name.

attribute-resolver.xml

    <!-- Splunk -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="splunk-nameid" sourceAttributeID="uid">
        <resolver:Dependency ref="ldap"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
    </resolver:AttributeDefinition>

attribute-filter.xml

    <!-- Splunk -->
    <afp:AttributeFilterPolicy id="releaseToSplunk">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
         value="https://mysplunk.myfqdn.ca" />

        <afp:AttributeRule attributeID="splunk-nameid">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="shibAuthorized">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="cn">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

relying-party.xml

        <!-- Splunk -->
        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://mysplunk.myfqdn.ca">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:encryptAssertions="false" />
                </list>
            </property>
        </bean>

metadata-providers.xml

<MetadataProvider id="splunk-srchHeadCluster" xsi:type="FilesystemMetadataProvider"
             xmlns="urn:mace:shibboleth:2.0:metadata"
             metadataFile="/opt/shibboleth-idp/metadata/splunk-srchHeadCluster.xml" />

View solution in original post

Reply
Solved! Jump to solution
Solution

suarezry
Builder
‎04-28-2017 11:06 AM

Configuration on Splunk

$SPLUNK_HOME/etc/system/local/authentication.conf

[authentication]
authSettings = saml
authType = SAML

[rolemap_SAML]
admin = splunkadmin
power = splunkPowerUser

[saml]
allowSslCompression = true
caCertFile = /opt/splunk/etc/auth/mycerts/splunk-mgmtPort.crt
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = https://mysplunk.myfqdn.ca
idpCertPath = idpCert.pem
idpSSOUrl = https://myidp.myfqdn.ca/idp/profile/SAML2/POST/SSO
redirectAfterLogoutToUrl = https://myidp.myfqdn.ca/idp/profile/Logout
redirectPort = 8000
signAuthnRequest = false
signedAssertion = true
sslKeysfile = /opt/splunk/etc/auth/mycerts/splunk-mgmtPort.crt
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2
defaultRoleIfMissing = none

[authenticationResponseAttrMap_SAML]
mail = urn:oid:0.9.2342.19200300.100.1.3
realName = urn:oid:2.5.4.3
role = urn:oid:2.5.4.12

The SP Metadata can be downloaded from https://mysplunk.myfqdn.ca:8000/saml/spmetadata. This needs to be provided to the Shibboleth IdP.

If you run into problems you can look at $SPLUNK_HOME/var/log/splunk/splunkd.log for SAML specific errors or warnings. The backdoor (to login with local username/password instead of SAML) is https://mysplunk.myfqdn.ca:8000/en-US/account/login?loginType=splunk

Configuration on the Shibboleth IdP

I had to create a new attribute for the nameid. I was able to reuse already existing attributes for role, email, and real name.

attribute-resolver.xml

    <!-- Splunk -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="splunk-nameid" sourceAttributeID="uid">
        <resolver:Dependency ref="ldap"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
    </resolver:AttributeDefinition>

attribute-filter.xml

    <!-- Splunk -->
    <afp:AttributeFilterPolicy id="releaseToSplunk">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
         value="https://mysplunk.myfqdn.ca" />

        <afp:AttributeRule attributeID="splunk-nameid">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="shibAuthorized">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="cn">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

relying-party.xml

        <!-- Splunk -->
        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://mysplunk.myfqdn.ca">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:encryptAssertions="false" />
                </list>
            </property>
        </bean>

metadata-providers.xml

<MetadataProvider id="splunk-srchHeadCluster" xsi:type="FilesystemMetadataProvider"
             xmlns="urn:mace:shibboleth:2.0:metadata"
             metadataFile="/opt/shibboleth-idp/metadata/splunk-srchHeadCluster.xml" />
Reply
Get Updates on the Splunk Community!

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...