Security

Splunk SAML SSO MetadataExchange

Tsjunne
Engager

It is possible to set up ADFS to automatically refresh SAML metadata using an endpoint.
Splunk has such an endpoint according to the docs (/saml/spmetadata), but it looks like it doesn't allow anonymous access.
Is there any way to exclude this path from authentication?
And the other way around, is it possible to have Splunk automatically refresh the IDP metadata?
This would enable the Splunk SSO setup to automatically refresh rollover certificates.

0 Karma
1 Solution

suarezry
Builder

For Splunk, you could update the IdP config and/or certificates and then reload the authentication config:
https://answers.splunk.com/answers/129654/how-to-i-trigger-reload-of-authentication-configuration-pr...

To automatically retrieve /saml/spmetadata you would need to use REST API:
https://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTaccessExamples#admin.2FSAML-sp-metada...

Tsjunne
Engager

The whole point is to have an endpoint on each side that is accessible anonymously and be able to set up the application to poll the URL every once in a while to automatically refresh certificates. So the first link would assume that this is done manually and the second link passes authentication data. The /saml/spmetadata URL returns the metadata directly without the REST wrapper, so that would be more appropriate, but it also requires authentication.

0 Karma

suarezry
Builder

The whole point is to have an endpoint on each side that is accessible anonymously and be able to set up the application to poll the URL every once in a while to automatically refresh certificates.

I understand what you're looking for. To my knowledge that functionality doesn't exist. I'm giving you the next best option that I know of, unless someone else has a better suggestion.

So the first link would assume that this is done manually

You were asking for a way to update IdP metadata automatically. The question was pretty vague so my suggestion and link was a way to do this programmatically.

and the second link passes authentication data. The /saml/spmetadata URL returns the metadata directly without the REST wrapper, so that would be more appropriate, but it also requires authentication.

Again, that functionality doesn't exist. I'm suggesting a way for you to do this programmatically. Again, the implementation is up to you.

I'm curious, the Splunk metadata does not change, why do you need a fresh copy?

0 Karma

Tsjunne
Engager

Well, the metadata also contains the certificate to verify the Splunk signatures on the SAML requests. And this certificate has a limited lifetime. So if ADFS is able to fetch the new certificates on a schedule, there's no admin overhead to keep the two in sync.

But I guess that I could have the proxy handle the authorization for Splunk and then I'll have to write a custom scheduled task to fetch the metadata from ADFS, update the IDP certificate and reload the config like you suggested in the first link.

Thanks for the pointer!

0 Karma
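The scheduled task described in the previous post (poll the ADFS metadata, pull out the new signing certificate, update the IdP certificate, reload the auth config) in code, as an added example that is not from this thread or from Splunk: it parses standard SAML 2.0 IdP metadata, keeps every signing certificate (ADFS publishes the current and the next token-signing cert side by side during rollover) and reports whether a cert the SP does not yet trust has appeared. The sample metadata and its certificate blobs are constructed placeholders; fetching the real metadata over HTTPS with certificate validation and the reload call are left to the task itself.

```python
import base64, hashlib, textwrap
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespace URIs.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_certs(metadata_xml: str) -> list:
    """Base64 DER of every IdP signing cert. ADFS lists both the current and
    the next token-signing cert while a rollover is pending, so expect more
    than one. A KeyDescriptor with no 'use' may sign, so it is kept too."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))  # drop line breaks/indent
    return certs

def fingerprint(b64_der: str) -> str:
    """SHA-256 of the DER bytes: a stable way to record which certs are trusted."""
    return hashlib.sha256(base64.b64decode(b64_der)).hexdigest()

def to_pem(b64_der: str) -> str:
    """PEM form, which a file-based IdP certificate setting expects."""
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64_der, 64))
            + "\n-----END CERTIFICATE-----\n")

def rollover_needed(metadata_xml: str, trusted_fingerprints: set) -> bool:
    """True when the IdP advertises a signing cert the SP does not yet trust."""
    return any(fingerprint(c) not in trusted_fingerprints
               for c in signing_certs(metadata_xml))

# Constructed sample metadata: the base64 blobs are placeholders, not real DER.
CERT_CURRENT = base64.b64encode(b"constructed-cert-current").decode()
CERT_NEXT = base64.b64encode(b"constructed-cert-next").decode()
CERT_ENC = base64.b64encode(b"constructed-encryption-cert").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="urn:example:adfs">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>
    {CERT_CURRENT}
  </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
   <X509Certificate>{CERT_NEXT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><KeyInfo xmlns="{NS['ds']}"><X509Data>
   <X509Certificate>{CERT_ENC}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
 </IDPSSODescriptor>
</EntityDescriptor>"""
```

When rollover_needed() returns True, write to_pem() of every returned cert to the file Splunk reads the IdP certificate from, then reload the authentication config as in the first link above; keeping the outgoing cert alongside the new one avoids breaking logins during the ADFS rollover window.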

suarezry
Builder

Well, the metadata also contains the certificate to verify the Splunk signatures on the SAML requests. And this certificate has a limited lifetime. So if ADFS is able to fetch the new certificates on a schedule, there's no admin overhead to keep the two in sync.

If you are referring to the Splunk certificates then you simply generate third-party or self-signed certs with an extended lifetime like 3-5 years. It would save you the hassle. Does this work for you?

0 Karma