I would suggest checking out our docs on "Securing Splunk Enterprise", https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/WhatyoucansecurewithSplunk
Splunk Single Sign-on (SSO) lets you use a reverse proxy to handle Splunk authentication, meaning that once the user has logged into their proxy, they can seamlessly access Splunk Web (and presumably any other applications configured to your proxy).
The reverse proxy implementation of Splunk Enterprise SSO supports logging into Splunk Enterprise only through Splunk Web. Since the implementation relies on cookies to save authentication information, SSO cannot be used for CLI authentication to Splunk Enterprise. Invoking https://localhost:8089 (or the assigned management port) still requires independent authentication.
It has a detailed breakdown of how it works. Hopefully this will steer you to success. Let us know how it goes!!
@DalJeanis Thanks for your reply! To be honest, I am just starting to make myself familiar with how Splunk works, and it might well be that I underestimate the challenges that are awaiting us. So far I mostly rely on the information researched by an intern before diving deeper into this topic, since the project which Splunk would be used for is not top priority so far.
Let me try to clarify what we try to achieve and which ideas we had so far:
We would like to offer data visualizations to several client companies (tenants) running one instance of Splunk Cloud (managed service) such that each tenant has access only to his own index and knowledge objects. Basically, each tenant should not be aware of the existence of other tenants in the Splunk service.
So far we had the idea of using a proxy server which handles authentication and maps users from our internal user database to users within Splunk - this way none of the users would have access to the actual Splunk credentials and could only access the Splunk UI through the proxy. In the long run we might try to also give some limited access to the REST API, again routing all requests through a proxy.
This of course can only work if the Splunk authorization tools only allow a user to access the index which is specified in the role definition of the role which is assigned to him and has no possibility to access any other indices whatsoever. Is this assumption wrong?
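The proxy-side mapping discussed in this thread, as an added example that is not from either poster or from Splunk: the proxy resolves the authenticated internal account to a Splunk username, fails closed for unknown accounts, and discards any identity header supplied by the client before setting its own. The header name `REMOTE_USER`, the `USER_MAP` contents and the function names are assumptions made for illustration.

```python
"""Added example: identity mapping in a reverse proxy placed in front of Splunk Web."""

# Assumption: the header name Splunk Web is configured to read the user from.
SSO_HEADER = "REMOTE_USER"

# Constructed sample data: internal account -> (Splunk username, tenant).
USER_MAP = {
    "alice@tenant-a.example": ("tenant_a_alice", "tenant_a"),
    "bob@tenant-b.example": ("tenant_b_bob", "tenant_b"),
}


def _canon(name):
    """Normalize a header name so case and '-'/'_' variants compare equal."""
    return name.strip().lower().replace("_", "-")


def build_upstream_headers(client_headers, authenticated_user):
    """Return the headers to forward to Splunk Web, or None to reject.

    authenticated_user is the identity the proxy itself verified; it is
    never taken from the incoming request headers.
    """
    mapping = USER_MAP.get(authenticated_user)
    if mapping is None:
        return None  # fail closed: no Splunk identity for this account

    splunk_user, _tenant = mapping

    # Drop every client-supplied variant of the SSO header so the only
    # identity Splunk sees is the one the proxy sets below.
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if _canon(name) != _canon(SSO_HEADER)
    }
    forwarded[SSO_HEADER] = splunk_user
    return forwarded
```

Tenant isolation inside Splunk still depends on the role assigned to each mapped Splunk user; the proxy only decides which Splunk user a request is attributed to.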