When configured for LDAP authentication, Splunk will "fall back" to Splunk local accounts if the LDAP user isn't found. Is it possible to bypass SAML authentication to log in with a Splunk local account? I've tried a variety of things including statically pasting the link to
but no matter what, I'm directed to the ADFS IdP. Right now that's not working, so I need to make modifications and re-export the SAML metadata
but even that forces me to the IdP login page. I'm kinda stuck... I did manage to switch authentication.conf to Splunk local logins so I could log in as local admin, make the appropriate changes, and re-export the metadata, but there must (should) be a way to allow this...
Is there any way to block this URI from being accessible, for example if the server is behind a load balancer? I've tried blocking the URI, but then it breaks SAML.
Yes, it is in the docs:
enable_insecure_login = <boolean>
* Whether or not the GET-based "/account/insecurelogin" REST endpoint is enabled.
* Provides an alternate GET-based authentication mechanism.
* If "true", the following url is available:
  http://localhost:8000/en-US/account/insecurelogin?loginType=splunk&username=noc&password=XXXXXXX
* If "false", only the main /account/login endpoint is available
* Default: false
Once you enable SAML, all Splunk Web endpoints are protected by the IdP. You might find something useful via the API on port 8089, however.
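
An added example, not part of the thread and not Splunk's own code: the insecurelogin endpoint quoted above takes the username and password as GET parameters, so they are written to any access log on the request path (proxy, load balancer). This Python sketch flags such requests in access-log lines and redacts the password; the log layout, sample lines and function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample lines in a common access-log layout (not real Splunk output).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /en-US/account/login HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2024:10:01:09 +0000] "GET /en-US/account/insecurelogin'
    '?loginType=splunk&username=noc&password=Examp1e%21 HTTP/1.1" 303 0',
    '10.0.0.9 - - [12/Mar/2024:10:02:44 +0000] "GET /account/insecurelogin'
    '?username=admin&loginType=splunk&password=changeme HTTP/1.1" 303 0',
    '10.0.0.9 - - [12/Mar/2024:10:03:00 +0000] "POST /en-US/account/login HTTP/1.1" 200 98',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SENSITIVE = {"password"}  # query parameters whose values must never be kept


def scan_line(line):
    """Return a finding for an insecurelogin request, or None for any other line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Match with or without a locale prefix such as /en-US.
    if not parts.path.rstrip("/").endswith("/account/insecurelogin"):
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    fields = {k.lower(): v for k, v in params}
    redacted = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in params]
    safe_target = parts.path + ("?" + urlencode(redacted) if redacted else "")
    return {
        "client": line.split(" ", 1)[0],
        "username": fields.get("username"),
        "password_in_url": "password" in fields,
        # Safe to forward to a ticket or SIEM: the credential value is removed.
        "redacted_line": line.replace(m.group("target"), safe_target),
    }


def scan(lines):
    """Collect findings for every insecurelogin request in the given lines."""
    return [f for f in map(scan_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["client"], finding["username"], finding["redacted_line"])
```

Any username this reports should have its password rotated, since the cleartext value already sits in the original log.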