Security

Splunk SAML SSO MetadataExchange

Engager

It is possible to setup ADFS to automatically refresh SAML metadata using an endpoint.
Splunk has such an endpoint accoring to the docs (/saml/spmetadata) , but it looks like it doesn't allow anonymous access.
Is there any way to exclude this path from authentication?
And the other way around, is it possible to have Splunk automatically refresh the IDP metadata?
This would enable the Splunk SSO setup to automatically refresh rollover certificates.

0 Karma
1 Solution

Builder

For splunk, you could update the IdP config and/or certificates and then reload the authentication config:
https://answers.splunk.com/answers/129654/how-to-i-trigger-reload-of-authentication-configuration-pr...

To automatically retrieve /saml/spmetadata you would need to use REST API:
https://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTaccessExamples#admin.2FSAML-sp-metada...

View solution in original post

Builder

For splunk, you could update the IdP config and/or certificates and then reload the authentication config:
https://answers.splunk.com/answers/129654/how-to-i-trigger-reload-of-authentication-configuration-pr...

To automatically retrieve /saml/spmetadata you would need to use REST API:
https://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTaccessExamples#admin.2FSAML-sp-metada...

View solution in original post

Engager

The whole point is to have an endpoint on each side that is accissible anonymously and be able to set up the application to poll the URL every once in a while to automatically refresh certificates. So the first link would assume that this is done manually and the second link passes authentication data. The /saml/spmetadata URL returns the metadata directly without the REST wrapper, so that would be more appropriate, but it also requires authentication.

0 Karma

Builder

The whole point is to have an endpoint on each side that is accissible anonymously and be able to set up the application to poll the URL every once in a while to automatically refresh certificates.

I understand what you're looking for. To my knowledge that functionality doesn't exist. I'm giving you the next best option that I know of, unless someone else has a better suggestion.

So the first link would assume that this is done manually

You were asking for a way to update IdP metadata automatically. The question was pretty vague so my suggestion and link was a way to do this programmatically.

and the second link passes authentication data. The /saml/spmetadata URL returns the metadata directly without the REST wrapper, so that would be more appropriate, but it also requires authentication.

Again, that functionality doesn't exist. I'm suggesting a way for you to do this programmatically. Again, the implementation is up to you.

I'm curious, the splunk metadata does not change, why do you need a fresh copy?

0 Karma

Engager

Well, the metadata also contains the certificate to verify the splunk signatures on the SAML requests. And this certificate has a limited lifetime. So if ADFS is able to fetch the new certificates on a schedule, there's no admin overhead to keep the two in sync.

But i guess that i could have the proxy handle the authorization for Splunk and then i'll have to write a custom scheduled task to fetch the meta data from ADFS, update the IDP certificate and reload the config like you suggested in the first link.

Thank for the pointer!

0 Karma

Builder

Well, the metadata also contains the certificate to verify the splunk signatures on the SAML requests. And this certificate has a limited lifetime. So if ADFS is able to fetch the new certificates on a schedule, there's no admin overhead to keep the two in sync.

If you are referring to the splunk certificates then you simply generate third-party or self-signed certs with an extended lifetime like 3-5 years. It would save you the hassle. Does this work for you?

0 Karma