Security

SAML integration on Search head cluster- Why are my SH's redirecting to a SH that is already down?

kartm2020
Communicator

Hi,
I have 3 SHs in a cluster. (XXX.XXX.XX.37,XXX.XXX.XX.38,XXX.XXX.XX.39). I have configured SAML with the Identity , Sign on URL as https://XXX.XXX.XX.37 in Azure SSO. I have followed the steps from splunk docs. Everything has been finished as per the doc. It is working also.
Issue:
1. If I am trying to access .38 SH it is redirecting to .37 and same for .39 as well.
2. Scenario: If .37 is DOWN, SAML is not working if i trying to login into .38 or .39. It is trying to redirect into .37 which is already DOWN.
3. I have gone through below document, but i couldn't understand it. Can you someone explain me the step by step procedure for integrating SAML in Search head cluster.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/SAMLSHC

Labels (1)
0 Karma
1 Solution

kartm2020
Communicator

We have got the solution for this issue.
This is happened due to replication behavior in SH cluster environment. So we need to white-list the authentication.conf file in server.conf file like below.
3 different applications in Azure AD for 3 different SH's with different Endpoints should be the correct approach. Since authentication.conf is white-listed, the configuration wont be replicate on each search head.

~/SPLUNK_HOME/etc/system/local/server.conf

under [shclustering] stanza

check whether this Parameter is false or not in each SH.

conf_replication_include.authentication = false.

then go ahead and restart all the 3 SH's altogether. Not one by one it has to be restarted all the 3 SH's together.
Once restarted verify that the replication of Authentication.conf is stopped or not.
it was worked in our environment.

View solution in original post

0 Karma

kartm2020
Communicator

We have got the solution for this issue.
This is happened due to replication behavior in SH cluster environment. So we need to white-list the authentication.conf file in server.conf file like below.
3 different applications in Azure AD for 3 different SH's with different Endpoints should be the correct approach. Since authentication.conf is white-listed, the configuration wont be replicate on each search head.

~/SPLUNK_HOME/etc/system/local/server.conf

under [shclustering] stanza

check whether this Parameter is false or not in each SH.

conf_replication_include.authentication = false.

then go ahead and restart all the 3 SH's altogether. Not one by one it has to be restarted all the 3 SH's together.
Once restarted verify that the replication of Authentication.conf is stopped or not.
it was worked in our environment.

0 Karma

nekbote
Path Finder

Question : Did you have a load balancer sitting in front of the Search Héad Cluster? i am assuming end user of splunk hits a user friendly url and load balancer is directing them in a balanced way. If that is the case did you have to configure load balancer configs in SH instances

0 Karma

kartm2020
Communicator
0 Karma

kartm2020
Communicator

Can anyone help me on this scenario ?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...