- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- SAML integration on Search head cluster- Why are m...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have 3 SHs in a cluster. (XXX.XXX.XX.37,XXX.XXX.XX.38,XXX.XXX.XX.39). I have configured SAML with the Identity , Sign on URL as https://XXX.XXX.XX.37 in Azure SSO. I have followed the steps from splunk docs. Everything has been finished as per the doc. It is working also.
Issue:
1. If I am trying to access .38 SH it is redirecting to .37 and same for .39 as well.
2. Scenario: If .37 is DOWN, SAML is not working if i trying to login into .38 or .39. It is trying to redirect into .37 which is already DOWN.
3. I have gone through below document, but i couldn't understand it. Can you someone explain me the step by step procedure for integrating SAML in Search head cluster.
https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/SAMLSHC
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have got the solution for this issue.
This is happened due to replication behavior in SH cluster environment. So we need to white-list the authentication.conf file in server.conf file like below.
3 different applications in Azure AD for 3 different SH's with different Endpoints should be the correct approach. Since authentication.conf is white-listed, the configuration wont be replicate on each search head.
~/SPLUNK_HOME/etc/system/local/server.conf
under [shclustering] stanza
check whether this Parameter is false or not in each SH.
conf_replication_include.authentication = false.
then go ahead and restart all the 3 SH's altogether. Not one by one it has to be restarted all the 3 SH's together.
Once restarted verify that the replication of Authentication.conf is stopped or not.
it was worked in our environment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have got the solution for this issue.
This is happened due to replication behavior in SH cluster environment. So we need to white-list the authentication.conf file in server.conf file like below.
3 different applications in Azure AD for 3 different SH's with different Endpoints should be the correct approach. Since authentication.conf is white-listed, the configuration wont be replicate on each search head.
~/SPLUNK_HOME/etc/system/local/server.conf
under [shclustering] stanza
check whether this Parameter is false or not in each SH.
conf_replication_include.authentication = false.
then go ahead and restart all the 3 SH's altogether. Not one by one it has to be restarted all the 3 SH's together.
Once restarted verify that the replication of Authentication.conf is stopped or not.
it was worked in our environment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Question : Did you have a load balancer sitting in front of the Search Héad Cluster? i am assuming end user of splunk hits a user friendly url and load balancer is directing them in a balanced way. If that is the case did you have to configure load balancer configs in SH instances
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone help me on this scenario ?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
