No, there is not auth mechanism chaining currently supported, whereby you can fallback on another mechanism if the previous ones fail. ... View more

Hello Could you please see if The signing certificate that IdP uses has not expired, if it has please use a new certificate for signing and export new IdpMetadata and reimport that metadata into splunk. If you are using certificate chains, like root CA -> intermediate CA -> (any level of intermediate CAs) -> signing cert. Ensure that under folder $SPLUNK_HOME/etc/auth/idpCerts there is a folder called idpCertChain_1 and there are all the files of intermediate CAs and your signing certificate. Also ensure that under $SPLUNK_HOME/etc/auth/idpCerts there are no pem files directly under it. Let me know how it goes. Also if this does not solve your problem would it be possible to list the files and directories directly under $SPLUNK_HOME/etc/auth/idpCerts . You dont have to paste the contents of the file, just the file names themselves should be sufficient. ... View more

I would recommend a slightly roundabout way of doing this. 1) Configure splunk to use SAML for authentication. 2) Then on your IDP configure as many factors of authentication as you want/your IDP supports. The advantange of this method is that generally speaking IDP's can support multiple factors of auth, and splunk can support idp's so you potentially have a fairly large combination to pick from, you can just delegate the auth part to IDP, once user authenticates with IDP all splunk cares about is the assertion and it will log you in ... View more

Can you paste the relevant error logs you are seeing with confidential information redacted. ... View more

Okay there may be two problems here. (or 3) 1) Base64 decoding for the response is failing for some reason. 2) There could be some cert related issues. 3) Maybe the response is encrypted. To rule out 1 I would recommend, to disable signature verification on splunk's end. you already have a way to figure out 2, in your description. I would also suggest checking if the response is encrypted. We dont support encrypted responses. Let us know how it goes. ... View more

Have you tried using default 'catalina' sourcetype ? https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Listofpretrainedsourcetypes look for catalina ... View more

You may also want to look at this http://blogs.splunk.com/2016/09/01/configuring-okta-security-assertion-markup-language-saml-single-sign-on-sso-with-splunk-cloud/ it contains info on configuring okta side as well. ... View more

So if you are asking that can you selectively ask for second factor of authentication only for certain roles then the answer is NO. Once you pass whatever authentication mechanism is configured roles are assigned after that step. ... View more

Because we do not know what openssl you might have (or if have it). We also want to use an openssl version that we have tested with and meets our security policies. ... View more

This will not work for splunk self-service, the ECC certs that splunk uses are too strong, this is a known issue. However i would also suggest looking at the following post. http://stackoverflow.com/questions/31107851/how-to-fix-curl-35-cannot-communicate-securely-with-peer-no-common-encryptio Basically you specify the required cipher explicitly as an option. Now which one to specify, you figure this out by checking the ciphers on server. Okay I was able to fix this. So basically you understand that curl does not support even one of the ciphers that server is willing to negotiate. Note that the I was testing this on a ubuntu machine. curl that was present on my ubuntu machine was not using openssl. I think that the default curl that you get by doing sudo apt-get is not built with openssl. So I built curl following this post http://askubuntu.com/questions/764443/how-to-compile-curl-with-ssl-support After that I was able to make curl request. I also have a mac and I was able to make curl request successfully from there. I also had another colleague of mine who was not able to do so from mac. So I think a solution would be to build curl from source specifying an SSL library to build with ( this may depend on the os that you are using). Let me know how it goes. ... View more

Actually role can be any strings in 6.4 and onwards, they dont have to be of form ""cn=splunk_admin,dc=myorg,dc=int" "Domain Users" would still work. You are right about the attribute alias mapping though Alternatively you can look at the claim language generated for "role" in ADFS, copy it out and change the name from "http://..." to just role and add a custom claim. That should also work. ... View more

If you look at docker code for splunk driver: https://github.com/docker/docker/blob/master/daemon/logger/splunk/splunk.go#L569 it appends 'services/collector/event' to the configured url. So when you use browser append that path to splunk host. When you use splunk driver dont append that. ... View more

have you tried removing '/services/collector/event' from splunk-url, atleast that is what the error says? ... View more

Hey mvidal, Could you double check that the token that you have put in outputs.conf is indeed a valid one. That is, it has the same value which you got when you generated on indexer. Some key points to keep in mind. 1) Not all strings are valid tokens, they are GUID's. If it is not a valid token it will not be sent from the forwarder to indexer. 2) Your token stays in plain text because string '8-4-4-4-12' is not a valid guid, since it is not a valid token we dont even look at it from the perpective of using it or encrypting it. Technically you should not have to care about how tokens are generated by indexer. You should treat them as opaque objects from your side. ... View more

Your idpSSOUrl is incorrect. It should not have query parameter in it. Typically it will be something like https://someDomainName/someEndPoint ... View more

@barona, could you please post another question with this specific question, it will be nice if some one from splunk-cloud can authoritatively answer that. There are multiple types of cloud offerings and I am not sure what is the right bucket for this specific request. I can however confirm that we are working on resolving this issue. ... View more

Not sure, youll have to talk to someone in marketing probably. Or post a different question. ... View more

Okay this is not supported for splunk cloud trial, the problem is that splunk cloud trial uses ECDSA, which although being strong, is not very widely supported. Docker fails handshake because of that. What you can do is get a real cloud account and then ask for a different certificate. In addition to golang it also affects .NET. ... View more