Splunk 6.3 & SSO, SAML and Ping Federate

davidpaper
Contributor

I'm a seasoned Splunk admin, but don't know a whole lot about SAML or SSO. My company wants to enable Splunk to use Ping as the SAML provider. Can I get a "SAML with Splunk for Dummies" that applies to Splunk 6.3?

1 Solution

davidpaper
Contributor

There are a few disparate items to consider when enabling SAML with Splunk 6.3. One of the telltale signs that one of the below steps isn't correct is the Splunk login screen displaying "No valid Splunk role is found in the local mapping or in the assertion."

To log in to Splunk and bypass a misconfigured SSO for troubleshooting, change the login URL after the port to

/en-US/account/login?loginType=splunk

which will use the logins defined in $SPLUNK_HOME/etc/passwd.

To troubleshoot, it is highly suggested to download and install the "SAML Tracer" browser extension so that you can capture the SAML Assertion during session initiation. This will become more useful than you can possibly imagine.

  • SSL Certs

If there is no SSL certificate chain associated with the SSL cert, then configuration is straightforward in authentication.conf.

In /opt/splunk/etc/system/local/authentication.conf:
idpCertPath = /opt/splunk/etc/system/local/mycert.pem

If there is an SSL certificate chain, it's a little more involved. Splunk does not have a configuration option to handle SSL certificate chains, but there is a workaround. Both of these come from Splunk Dev (referenceable: https://answers.splunk.com/answers/408134/saml-assertion-signature-verification-failed-unabl.html)

For *NIX/Linux:

If your Splunk is running on *nix, Mac or Linux, you can work around this by trusting the signing certificate on the host it is running on.
I have enumerated the steps below.
Basically we want to add the certs as trusted certs.
Figure out which OpenSSL directory is being used by Splunk. There could be two OpenSSLs: one that ships with Splunk, which we want to use, and another that is used by the OS. We want to add the trusted certs to the version that we use with Splunk.
1) ./bin/splunk cmd openssl version -d
This should display the OpenSSL version being used by Splunk, for example:
OPENSSLDIR: "/home/build/build-home/current-BETA/openssl"
Again, the above value may differ based on the PATH variable set; it could also point to $SPLUNK_HOME/openssl.

2) If the directory above does not exist, create it (OPENSSLDIR is the value printed in step 1).
OPENSSLDIR="<value printed in step 1>"
[ -d "$OPENSSLDIR" ] || mkdir -p "$OPENSSLDIR"

3) Trusted certs are stored within the certs folder of the OpenSSL directory being used. Again, create the certs folder if it does not exist.
[ -d "$OPENSSLDIR/certs" ] || mkdir -p "$OPENSSLDIR/certs"

4) Create soft links to the cert files, with their hashes as their names followed by '.0'.
ex (run inside $OPENSSLDIR/certs so the link lands there; the hash printed by openssl x509 -hash becomes the link name):
ln -s /opt/splunk/etc/auth/idpCertInter.pem "$(openssl x509 -hash -noout -in /opt/splunk/etc/auth/idpCertInter.pem).0"
You may have to do this for all intermediate certs and the root cert.
As a result of step 4, you should have in the certs directory soft links with names such as '1c235147.0', 'facacbc6.0' and so on (the hash values themselves might be different).
5) Restart splunk and test if it works.


For Windows, the procedure is a little different.

Navigate to the directory where splunk is installed
PS C:\Program Files\Splunk\bin>

---> here PS is the Powershell prompt <----
1)
PS C:\Program Files\Splunk\bin> .\splunk.exe cmd openssl version -d
OPENSSLDIR: "C:\wrangler-2.0\build-home\galaxy/ssl"

This gives the directory which we need to store certs under.

2) If the directory above does not exist, create it (OPENSSLDIR is the value printed in step 1).
$OPENSSLDIR = '<value printed in step 1>'
if (-not (Test-Path $OPENSSLDIR)) { mkdir $OPENSSLDIR }

3) Trusted certs are stored within the certs folder of the OpenSSL directory being used. Again, create the certs folder if it does not exist.
if (-not (Test-Path "$OPENSSLDIR\certs")) { mkdir "$OPENSSLDIR\certs" }

3.5) Find out the hashes of the certs. They can be found with:
a) PS C:\Program Files\Splunk\bin> .\openssl.exe x509 -hash -noout -in 'C:\Users\Administrator\Desktop\root.pem.txt'
3221ee22
b) PS C:\Program Files\Splunk\bin> .\openssl.exe x509 -hash -noout -in 'C:\Users\Administrator\Desktop\intermediate.pem.txt'
93dafc43
c) PS C:\Program Files\Splunk\bin> .\openssl.exe x509 -hash -noout -in 'C:\Users\Administrator\Desktop\leaf.pem.txt'
44e5e200

You may see warnings like
WARNING: can't open config file: C:\wrangler-2.0\build-home\galaxy/ssl/openssl.cnf
which are safe to ignore.

4) Create soft links to the cert files, with their hashes as their names followed by '.0'.

PS C:\wrangler-2.0\build-home\galaxy\ssl\certs> cmd /c mklink '3221ee22.0' 'C:\Users\Administrator\Desktop\root.pem.txt'
symbolic link created for 3221ee22.0 <<===>> C:\Users\Administrator\Desktop\root.pem.txt

PS C:\wrangler-2.0\build-home\galaxy\ssl\certs> cmd /c mklink '93dafc43.0' 'C:\Users\Administrator\Desktop\intermdiate.pem.txt'
symbolic link created for 93dafc43.0 <<===>> C:\Users\Administrator\Desktop\intermdiate.pem.txt

PS C:\wrangler-2.0\build-home\galaxy\ssl\certs> cmd /c mklink '44e5e200.0' 'C:\Users\Administrator\Desktop\leaf.pem.txt'
symbolic link created for 44e5e200.0 <<===>> C:\Users\Administrator\Desktop\leaf.pem.txt

After this your directory should look something like this.

PS C:\wrangler-2.0\build-home\galaxy\ssl\certs> ls
Directory: C:\wrangler-2.0\build-home\galaxy\ssl\certs

Mode LastWriteTime Length Name
-a--- 7/11/2016 3:47 PM 0 3221ee22.0
-a--- 7/11/2016 3:49 PM 0 44e5e200.0
-a--- 7/11/2016 3:48 PM 0 93dafc43.0

You may have to do this for all intermediate certs and the root cert.
As a result of step 4, you should have in the certs directory soft links with names such as '1c235147.0', 'facacbc6.0' and so on (the hash values themselves might be different).

5) Restart splunk and test if it works.

  • Metadata exchange

In Splunk 6.3, Splunk can't provide the initial metadata to start the process. It must come from the Identity Provider (IdP; in this case, Ping Federate). Once the IdP provides the initial generic metadata, Splunk can begin the rest of the configuration. The Splunk docs (http://docs.splunk.com/Documentation/Splunk/6.3.3/Security/ConfigureSSOinSplunkWeb) cover the metadata configuration with Splunk quite well.

  • Assertion configuration specific: "DN format"

In this example, Ping is using LDAP.

See attachment for a well-formatted example.

The format needs to include the CN="group name" AND one or more "dc=" values that describe the local LDAP tree. The local LDAP/Ping administrator should be able to tell you what dc= values are correct.

  • Assertion configuration specific: Attribute names

Splunk expects specific attribute names to be present in the Assertion, and if they aren't there as exact matching strings, it won't work.

Splunk needs three critical pieces of information in the SAML authentication response to work well with SAML.
1) realName: this is the user name that gets populated in the UI.
2) mail: the email of the user.
3) role: this information is used to map user group names to Splunk roles; an example would be "developer" -> "user" (Splunk role), "domain admin" -> "admin" (Splunk role). We create mappings for incoming group information to Splunk roles via the SAML Group map (green button next to the SAML configuration in the UI).

See attachment for a well-formatted example.
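The *nix and Windows procedures above are two instances of the same algorithm: put each cert of the IdP chain into OPENSSLDIR/certs under the name `<subject hash>.N`, where N is 0 unless another cert already took that hash. The script below is an added example (not the post's own tooling) that does this for a whole chain, handles the hash collision case with .1, .2, and confirms the result with `openssl verify -CApath`. It assumes an `openssl` binary on PATH; for Splunk's bundled build pass `("/opt/splunk/bin/splunk", "cmd", "openssl")` instead. The demo's self-signed cert is constructed on the fly and stands in for a real IdP signing cert.

```python
import os
import subprocess
import tempfile


def subject_hash(openssl, pem):
    """Same value as `openssl x509 -hash -noout -in <pem>` in the post."""
    out = subprocess.run(list(openssl) + ["x509", "-hash", "-noout", "-in", pem],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def install_trusted_chain(openssl, openssldir, pems):
    """Steps 2-4 of the post for every cert in the chain; returns link names."""
    certs = os.path.join(openssldir, "certs")
    os.makedirs(certs, exist_ok=True)  # OPENSSLDIR and OPENSSLDIR/certs
    names = []
    for pem in pems:
        h, n = subject_hash(openssl, pem), 0
        # Two certs with the same subject hash get .0, .1, ... instead of a clash.
        while os.path.lexists(os.path.join(certs, f"{h}.{n}")):
            n += 1
        link = os.path.join(certs, f"{h}.{n}")
        os.symlink(os.path.abspath(pem), link)  # the "soft link" of step 4
        names.append(os.path.basename(link))
    return names


def trusted(openssl, openssldir, pem):
    """True once `openssl verify -CApath OPENSSLDIR/certs` accepts the cert."""
    r = subprocess.run(list(openssl) + ["verify", "-CApath",
                       os.path.join(openssldir, "certs"), pem],
                       capture_output=True, text=True)
    return r.returncode == 0


def demo(openssl=("openssl",)):
    """Constructed throwaway self-signed cert in a temp OPENSSLDIR."""
    d = tempfile.mkdtemp()
    pem, key = os.path.join(d, "idp.pem"), os.path.join(d, "idp.key")
    subprocess.run(list(openssl) + ["req", "-x509", "-newkey", "rsa:2048",
                   "-nodes", "-days", "1", "-subj", "/CN=demo-idp",
                   "-keyout", key, "-out", pem], capture_output=True, check=True)
    before = trusted(openssl, d, pem)  # no certs dir yet: rejected
    links = install_trusted_chain(openssl, d, [pem])
    return {"before": before, "after": trusted(openssl, d, pem), "links": links}
```

After a real install, restart Splunk (step 5) so the bundled OpenSSL re-reads the trust directory.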

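The "No valid Splunk role is found" error and the attribute-name section come down to two checks on the captured assertion: are `realName`, `mail` and `role` present with exactly those names, and does at least one `role` value resolve through the SAML group map? The checker below is an added example (not Splunk's code) that runs those checks on an assertion pasted from SAML Tracer; the sample assertion and the group map are constructed from the post's "developer" -> "user", "domain admin" -> "admin" example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("realName", "mail", "role")  # exact strings; "Role" would not match


def assertion_attributes(assertion_xml):
    """Attribute Name -> list of AttributeValue texts from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}


def check_assertion(assertion_xml, group_map):
    """Report why Splunk would (or would not) find a role in this assertion."""
    attrs = assertion_attributes(assertion_xml)
    missing = [name for name in REQUIRED if name not in attrs]
    groups = attrs.get("role", [])
    roles = sorted({group_map[g] for g in groups if g in group_map})
    return {"missing": missing,
            "splunk_roles": roles,
            "unmapped_groups": [g for g in groups if g not in group_map],
            "login_ok": not missing and bool(roles)}


# Constructed sample: a trimmed assertion with just the attribute statement.
GOOD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="realName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="role">
   <saml:AttributeValue>developer</saml:AttributeValue>
   <saml:AttributeValue>sales</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
# Same assertion with the attribute misnamed "roles": the exact-match failure.
BAD = GOOD.replace('Name="role"', 'Name="roles"')
# Constructed group map, as entered in the SAML Group map UI.
GROUP_MAP = {"developer": "user", "domain admin": "admin"}

if __name__ == "__main__":
    print(check_assertion(GOOD, GROUP_MAP))  # login_ok True, "sales" unmapped
    print(check_assertion(BAD, GROUP_MAP))   # missing ["role"], login_ok False
```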
davidpaper
Contributor

As of 6.5, the UI allows for entry of all parts of the cert chain (root, intermediates, leaf), so no more filesystem soft links to get this to work.
