Security

SAML integration on Search head cluster- Why are my SH's redirecting to a SH that is already down?

kartm2020
Communicator

Hi,
I have 3 SHs in a cluster. (XXX.XXX.XX.37,XXX.XXX.XX.38,XXX.XXX.XX.39). I have configured SAML with the Identity , Sign on URL as https://XXX.XXX.XX.37 in Azure SSO. I have followed the steps from splunk docs. Everything has been finished as per the doc. It is working also.
Issue:
1. If I am trying to access .38 SH it is redirecting to .37 and same for .39 as well.
2. Scenario: If .37 is DOWN, SAML is not working if i trying to login into .38 or .39. It is trying to redirect into .37 which is already DOWN.
3. I have gone through below document, but i couldn't understand it. Can you someone explain me the step by step procedure for integrating SAML in Search head cluster.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/SAMLSHC

Labels (1)
0 Karma
1 Solution

kartm2020
Communicator

We have got the solution for this issue.
This is happened due to replication behavior in SH cluster environment. So we need to white-list the authentication.conf file in server.conf file like below.
3 different applications in Azure AD for 3 different SH's with different Endpoints should be the correct approach. Since authentication.conf is white-listed, the configuration wont be replicate on each search head.

~/SPLUNK_HOME/etc/system/local/server.conf

under [shclustering] stanza

check whether this Parameter is false or not in each SH.

conf_replication_include.authentication = false.

then go ahead and restart all the 3 SH's altogether. Not one by one it has to be restarted all the 3 SH's together.
Once restarted verify that the replication of Authentication.conf is stopped or not.
it was worked in our environment.

View solution in original post

0 Karma

kartm2020
Communicator

We have got the solution for this issue.
This is happened due to replication behavior in SH cluster environment. So we need to white-list the authentication.conf file in server.conf file like below.
3 different applications in Azure AD for 3 different SH's with different Endpoints should be the correct approach. Since authentication.conf is white-listed, the configuration wont be replicate on each search head.

~/SPLUNK_HOME/etc/system/local/server.conf

under [shclustering] stanza

check whether this Parameter is false or not in each SH.

conf_replication_include.authentication = false.

then go ahead and restart all the 3 SH's altogether. Not one by one it has to be restarted all the 3 SH's together.
Once restarted verify that the replication of Authentication.conf is stopped or not.
it was worked in our environment.

0 Karma

nekbote
Path Finder

Question : Did you have a load balancer sitting in front of the Search Héad Cluster? i am assuming end user of splunk hits a user friendly url and load balancer is directing them in a balanced way. If that is the case did you have to configure load balancer configs in SH instances

0 Karma

kartm2020
Communicator
0 Karma

kartm2020
Communicator

Can anyone help me on this scenario ?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...