Security
Highlighted

SAML integration on Search head cluster

Communicator

Hi,
I have 3 SHs in a cluster. (XXX.XXX.XX.37,XXX.XXX.XX.38,XXX.XXX.XX.39). I have configured SAML with the Identity , Sign on URL as https://XXX.XXX.XX.37 in Azure SSO. I have followed the steps from splunk docs. Everything has been finished as per the doc. It is working also.
Issue:
1. If I am trying to access .38 SH it is redirecting to .37 and same for .39 as well.
2. Scenario: If .37 is DOWN, SAML is not working if i trying to login into .38 or .39. It is trying to redirect into .37 which is already DOWN.
3. I have gone through below document, but i couldn't understand it. Can you someone explain me the step by step procedure for integrating SAML in Search head cluster.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/SAMLSHC

0 Karma
Highlighted

Re: SAML integration on Search head cluster

Communicator
0 Karma
Highlighted

Re: SAML integration on Search head cluster

Communicator

Can anyone help me on this scenario ?

0 Karma
Highlighted

Re: SAML integration on Search head cluster

Communicator

We have got the solution for this issue.
This is happened due to replication behavior in SH cluster environment. So we need to white-list the authentication.conf file in server.conf file like below.
3 different applications in Azure AD for 3 different SH's with different Endpoints should be the correct approach. Since authentication.conf is white-listed, the configuration wont be replicate on each search head.

~/SPLUNK_HOME/etc/system/local/server.conf

under [shclustering] stanza

check whether this Parameter is false or not in each SH.

confreplicationinclude.authentication = false.

then go ahead and restart all the 3 SH's altogether. Not one by one it has to be restarted all the 3 SH's together.
Once restarted verify that the replication of Authentication.conf is stopped or not.
it was worked in our environment.

View solution in original post

0 Karma