- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Splunk SAML SSO MetadataExchange
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is possible to setup ADFS to automatically refresh SAML metadata using an endpoint.
Splunk has such an endpoint accoring to the docs (/saml/spmetadata) , but it looks like it doesn't allow anonymous access.
Is there any way to exclude this path from authentication?
And the other way around, is it possible to have Splunk automatically refresh the IDP metadata?
This would enable the Splunk SSO setup to automatically refresh rollover certificates.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For splunk, you could update the IdP config and/or certificates and then reload the authentication config:
https://answers.splunk.com/answers/129654/how-to-i-trigger-reload-of-authentication-configuration-pr...
To automatically retrieve /saml/spmetadata you would need to use REST API:
https://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTaccessExamples#admin.2FSAML-sp-metada...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For splunk, you could update the IdP config and/or certificates and then reload the authentication config:
https://answers.splunk.com/answers/129654/how-to-i-trigger-reload-of-authentication-configuration-pr...
To automatically retrieve /saml/spmetadata you would need to use REST API:
https://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTaccessExamples#admin.2FSAML-sp-metada...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The whole point is to have an endpoint on each side that is accissible anonymously and be able to set up the application to poll the URL every once in a while to automatically refresh certificates. So the first link would assume that this is done manually and the second link passes authentication data. The /saml/spmetadata URL returns the metadata directly without the REST wrapper, so that would be more appropriate, but it also requires authentication.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The whole point is to have an endpoint on each side that is accissible anonymously and be able to set up the application to poll the URL every once in a while to automatically refresh certificates.
I understand what you're looking for. To my knowledge that functionality doesn't exist. I'm giving you the next best option that I know of, unless someone else has a better suggestion.
So the first link would assume that this is done manually
You were asking for a way to update IdP metadata automatically. The question was pretty vague so my suggestion and link was a way to do this programmatically.
and the second link passes authentication data. The /saml/spmetadata URL returns the metadata directly without the REST wrapper, so that would be more appropriate, but it also requires authentication.
Again, that functionality doesn't exist. I'm suggesting a way for you to do this programmatically. Again, the implementation is up to you.
I'm curious, the splunk metadata does not change, why do you need a fresh copy?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, the metadata also contains the certificate to verify the splunk signatures on the SAML requests. And this certificate has a limited lifetime. So if ADFS is able to fetch the new certificates on a schedule, there's no admin overhead to keep the two in sync.
But i guess that i could have the proxy handle the authorization for Splunk and then i'll have to write a custom scheduled task to fetch the meta data from ADFS, update the IDP certificate and reload the config like you suggested in the first link.
Thank for the pointer!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, the metadata also contains the certificate to verify the splunk signatures on the SAML requests. And this certificate has a limited lifetime. So if ADFS is able to fetch the new certificates on a schedule, there's no admin overhead to keep the two in sync.
If you are referring to the splunk certificates then you simply generate third-party or self-signed certs with an extended lifetime like 3-5 years. It would save you the hassle. Does this work for you?
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
