Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Native SAML authentication with Shibboleth IdP
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've been playing with our on-premise Splunk to try to get native SAML authentication working with our Shibboleth v3 Identity Provider. Most of the docs detail how to get this working using Splunk SSO with reverse proxy (eg. Apache).
I have finally gotten native SAML to work and will post the answer here. IMO, it's much simpler and cleaner that using the reverse proxy. Hopefully this will help others down the road...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configuration on Splunk
$SPLUNK_HOME/etc/system/local/authentication.conf
[authentication]
authSettings = saml
authType = SAML
[rolemap_SAML]
admin = splunkadmin
power = splunkPowerUser
[saml]
allowSslCompression = true
caCertFile = /opt/splunk/etc/auth/mycerts/splunk-mgmtPort.crt
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = https://mysplunk.myfqdn.ca
idpCertPath = idpCert.pem
idpSSOUrl = https://myidp.myfqdn.ca/idp/profile/SAML2/POST/SSO
redirectAfterLogoutToUrl = https://myidp.myfqdn.ca/idp/profile/Logout
redirectPort = 8000
signAuthnRequest = false
signedAssertion = true
sslKeysfile = /opt/splunk/etc/auth/mycerts/splunk-mgmtPort.crt
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2
defaultRoleIfMissing = none
[authenticationResponseAttrMap_SAML]
mail = urn:oid:0.9.2342.19200300.100.1.3
realName = urn:oid:2.5.4.3
role = urn:oid:2.5.4.12
The SP Metadata can be downloaded from https://mysplunk.myfqdn.ca:8000/saml/spmetadata. This needs to be provided to the Shibboleth IdP.
If you run into problems you can look at $SPLUNK_HOME/var/log/splunk/splunkd.log for SAML specific errors or warnings. The backdoor (to login with local username/password instead of SAML) is https://mysplunk.myfqdn.ca:8000/en-US/account/login?loginType=splunk
Configuration on the Shibboleth IdP
I had to create a new attribute for the nameid. I was able to reuse already existing attributes for role, email, and real name.
attribute-resolver.xml
<!-- Splunk -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="splunk-nameid" sourceAttributeID="uid">
<resolver:Dependency ref="ldap"/>
<resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</resolver:AttributeDefinition>
attribute-filter.xml
<!-- Splunk -->
<afp:AttributeFilterPolicy id="releaseToSplunk">
<afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
value="https://mysplunk.myfqdn.ca" />
<afp:AttributeRule attributeID="splunk-nameid">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibAuthorized">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="mail">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="cn">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
relying-party.xml
<!-- Splunk -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://mysplunk.myfqdn.ca">
<property name="profileConfigurations">
<list>
<bean parent="SAML2.SSO" p:encryptAssertions="false" />
</list>
</property>
</bean>
metadata-providers.xml
<MetadataProvider id="splunk-srchHeadCluster" xsi:type="FilesystemMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/splunk-srchHeadCluster.xml" />
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configuration on Splunk
$SPLUNK_HOME/etc/system/local/authentication.conf
[authentication]
authSettings = saml
authType = SAML
[rolemap_SAML]
admin = splunkadmin
power = splunkPowerUser
[saml]
allowSslCompression = true
caCertFile = /opt/splunk/etc/auth/mycerts/splunk-mgmtPort.crt
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = https://mysplunk.myfqdn.ca
idpCertPath = idpCert.pem
idpSSOUrl = https://myidp.myfqdn.ca/idp/profile/SAML2/POST/SSO
redirectAfterLogoutToUrl = https://myidp.myfqdn.ca/idp/profile/Logout
redirectPort = 8000
signAuthnRequest = false
signedAssertion = true
sslKeysfile = /opt/splunk/etc/auth/mycerts/splunk-mgmtPort.crt
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2
defaultRoleIfMissing = none
[authenticationResponseAttrMap_SAML]
mail = urn:oid:0.9.2342.19200300.100.1.3
realName = urn:oid:2.5.4.3
role = urn:oid:2.5.4.12
The SP Metadata can be downloaded from https://mysplunk.myfqdn.ca:8000/saml/spmetadata. This needs to be provided to the Shibboleth IdP.
If you run into problems you can look at $SPLUNK_HOME/var/log/splunk/splunkd.log for SAML specific errors or warnings. The backdoor (to login with local username/password instead of SAML) is https://mysplunk.myfqdn.ca:8000/en-US/account/login?loginType=splunk
Configuration on the Shibboleth IdP
I had to create a new attribute for the nameid. I was able to reuse already existing attributes for role, email, and real name.
attribute-resolver.xml
<!-- Splunk -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="splunk-nameid" sourceAttributeID="uid">
<resolver:Dependency ref="ldap"/>
<resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</resolver:AttributeDefinition>
attribute-filter.xml
<!-- Splunk -->
<afp:AttributeFilterPolicy id="releaseToSplunk">
<afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
value="https://mysplunk.myfqdn.ca" />
<afp:AttributeRule attributeID="splunk-nameid">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibAuthorized">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="mail">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="cn">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
relying-party.xml
<!-- Splunk -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://mysplunk.myfqdn.ca">
<property name="profileConfigurations">
<list>
<bean parent="SAML2.SSO" p:encryptAssertions="false" />
</list>
</property>
</bean>
metadata-providers.xml
<MetadataProvider id="splunk-srchHeadCluster" xsi:type="FilesystemMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/splunk-srchHeadCluster.xml" />
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
