Security

SAML integration on Search head cluster

Communicator

Hi,
I have 3 SHs in a cluster. (XXX.XXX.XX.37,XXX.XXX.XX.38,XXX.XXX.XX.39). I have configured SAML with the Identity , Sign on URL as https://XXX.XXX.XX.37 in Azure SSO. I have followed the steps from splunk docs. Everything has been finished as per the doc. It is working also.
Issue:
1. If I am trying to access .38 SH it is redirecting to .37 and same for .39 as well.
2. Scenario: If .37 is DOWN, SAML is not working if i trying to login into .38 or .39. It is trying to redirect into .37 which is already DOWN.
3. I have gone through below document, but i couldn't understand it. Can you someone explain me the step by step procedure for integrating SAML in Search head cluster.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/SAMLSHC

0 Karma
1 Solution

Communicator

We have got the solution for this issue.
This is happened due to replication behavior in SH cluster environment. So we need to white-list the authentication.conf file in server.conf file like below.
3 different applications in Azure AD for 3 different SH's with different Endpoints should be the correct approach. Since authentication.conf is white-listed, the configuration wont be replicate on each search head.

~/SPLUNK_HOME/etc/system/local/server.conf

under [shclustering] stanza

check whether this Parameter is false or not in each SH.

confreplicationinclude.authentication = false.

then go ahead and restart all the 3 SH's altogether. Not one by one it has to be restarted all the 3 SH's together.
Once restarted verify that the replication of Authentication.conf is stopped or not.
it was worked in our environment.

View solution in original post

0 Karma

Communicator

We have got the solution for this issue.
This is happened due to replication behavior in SH cluster environment. So we need to white-list the authentication.conf file in server.conf file like below.
3 different applications in Azure AD for 3 different SH's with different Endpoints should be the correct approach. Since authentication.conf is white-listed, the configuration wont be replicate on each search head.

~/SPLUNK_HOME/etc/system/local/server.conf

under [shclustering] stanza

check whether this Parameter is false or not in each SH.

confreplicationinclude.authentication = false.

then go ahead and restart all the 3 SH's altogether. Not one by one it has to be restarted all the 3 SH's together.
Once restarted verify that the replication of Authentication.conf is stopped or not.
it was worked in our environment.

View solution in original post

0 Karma

Communicator
0 Karma

Communicator

Can anyone help me on this scenario ?

0 Karma