SAML is an XML standard that allows secure web domains to exchange user authentication and authorization data. It allows one online service provider to contact an identity service provider in order to authenticate users who are trying to access the secure content.
Splunk Enterprise supports the use of SAML authentication and authorization for Single Sign-On (SSO). SSO can be enabled in Splunk with the configuration settings provided by the Identity Provider (IdP).
SSO can be configured by Splunk Web or by modifying authentication.conf located at $SPLUNK_HOME\etc\system\default directly. At present, Splunk Enterprise supports the Ping Identity product from PingFederate® for SSO.
To configure SSO with SAML, the following is the requirement list:
An identity provider (at present, PingIdentity) is a tested identity provider, and others can also be integrated on similar lines.
Configuration that uses an on-premise search head.
A user with an admin role and
change_authenticationSplunk capability. This permission allows us to enable SAML and edit authentication settings on the Splunk search head.
We'll now learn how to set up SSO using SAML. Let's get acquainted with the steps of setting up SSO:
The following information will be required from IdP to configure Splunk in order to authenticate the user:
rolerealNamemail
The groups returned by IdP are mapped to Splunk roles. A single Splunk role can be assigned to multiple groups.
Let's configure SSO using SAML via Splunk Web. The following are the steps to configure SSO on Splunk Web:
Access Splunk Web by going to
localhost:8000from the deployment server machine or viaIPAaddress:PortNofrom a machine in the same network.Go to Settings | Access Controls | Authentication Method.
Choose SAML as the External Authentication Method and click on Configure Splunk to use SAML.
In the SAML Groups page, click on SAML Configuration.
Browse and select the XML file provided by the IdP provider and fill in all the details and click on Save.
If all the settings are correct, the SAML Groups page will be populated with all the users and groups where specific groups and Splunk roles can be assigned.
