Security

When can we expect splunk to support 2Factor Authentication for "Siteminder"

When can we expect splunk to support 2Factor Authentication for "Siteminder" using SAML....

Is it going to be in 6.4.x?? or 6.5?

0 Karma

Influencer

With all such feature requests, no one at Splunk, nor on this site (where you add customers and partners to the mix) is going to be able to give you a firm estimate like this. Even if you're able to talk to a developer involved with SAML SSO directly, things happen and timelines slip, so there's really no guarantee of features being added to the product.

If you have an enhancement like this that you really feel like you must have, you should log a P4 enhancement request on your support contract to ask for the feature and explaining your business need for it, as well as work with your account team to put in a good word for you. In the ideal case this gives data that would help the engineering team make their decisions as what to work on next. (Again no guarantees however, as the engineering folks are of course balancing requests from all customers, including bug fixes of various shapes and sizes, not to mention R&D for features to move the platform forward)

That all said, Splunk introduced direct support for SAML in 6.3 with Ping Identity as a supported identity provider, and expanded the list in 6.4 adding Okta, Azure AD, and ADFS. Therefore the track record says that they seem to be pretty good onboarding popular identity providers. I would suspect that there would be a few more come 6.5 (again no guarantees that your preferred one makes the cut). From what I know of SAML integration with Splunk, they rely on a particular part of the SAML spec which identity providers tend to not implement or implement improperly (namely the one that lets Splunk check your authorizations when you are not logged in for kicking off saved searches correctly), so taking identity providers and making them supported is a rather involved process with a lot of research and testing required.

Now... with all that said, if you can connect Splunk to LDAP (or another external scripted authentication source) for a user store and authorization mapping, and you can setup a reverse proxy to handle the SSO authentication in front of Splunk, you may be able to meet some of your use case with the basic Splunk SSO functionality that has been part of the platform for years (even back to Splunk 4 and before). Looking at older answers on this site, someone did exactly this with Siteminder and in the Splunk 5 days: https://answers.splunk.com/answers/92719/enabling-sso-in-splunk-using-siteminder.html

Splunk even added a fix to Splunk to work around a bug in Siteminder with 6.2.6 apparently: https://answers.splunk.com/answers/246479/after-configuring-splunk-sso-with-siteminder-for-m.html

You may also be interested in the updated docs for Splunk SSO with a reverse proxy as well: http://docs.splunk.com/Documentation/Splunk/6.4.2/Security/HowSplunkSSOworks

Influencer

Stumbling back across this 3 years later... CA Siteminder is documented as a supported IdP, not sure when that happened: https://docs.splunk.com/Documentation/Splunk/7.2.5/Security/ConfigureSSOinCA

0 Karma