Overview
In this guide, we demonstrate the integration of Splunk with the RCDevs Identity Provider through SAML.
Refer to the Splunk documentation for the details of the SAML configuration on the Splunk side.
IdP configuration on Splunk
Log in to the Splunk web interface with your Splunk administrator account. In the Settings menu, under the Users and Authentication category, click on Authentication Methods:
On the next page, enable SAML as the external authentication method and click on SAML Settings:
We are now in the SAML configuration menu. Configure the following settings according to your IdP information:
The information entered in the previous screen can be retrieved from the SAML metadata page of your IdP. In this example it is accessible at the https://sso.rcdevsdocs.com/ws/saml URL and returns the following output:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sso.rcdevsdocs.com">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>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</X509Certificate>
<!-- Cert Fingerprint (SHA1): 32774463a2e892150f46852b3fdcac7f5be924dc -->
<!-- Cert Fingerprint (SHA256): e0bd10584f5c3a554e279b9241619e8fdf9c3bfbe95c90da939f0342546e52ac -->
<!-- Cert Fingerprint (MD5): 639ed5b4241047c8382f897fc459a714 -->
</X509Data>
</KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
</IDPSSODescriptor>
</EntityDescriptor>
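Before copying values from the metadata into Splunk, it is worth extracting them programmatically and checking the signing certificate, because the fingerprints printed as comments in the metadata come from the same download as the certificate itself and prove nothing on their own. The script below is an added example (not RCDevs or Splunk code): it parses IdP metadata of the shape shown above, returns the entity ID, the SSO/SLO endpoints for the binding selected on Splunk (HTTP-POST here), the signing certificate as PEM, and compares its SHA-256 fingerprint with one obtained independently, for instance read off the WebADM console. The embedded sample metadata is constructed, and its certificate body is base64("abc") rather than a real certificate so that the expected fingerprints are known.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample modelled on the metadata above. The certificate body is
# NOT a real certificate: it is base64("abc"), so its fingerprints are known.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sso.rcdevsdocs.com">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
</KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
</IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO/SLO endpoints per binding and the signing certificates."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop line wrapping
    if not certs:
        raise ValueError("no signing certificate: responses could not be verified")

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall("md:" + tag, NS)}

    return {"entity_id": root.get("entityID"), "sso": endpoints("SingleSignOnService"),
            "slo": endpoints("SingleLogoutService"), "signing_certs": certs}


def cert_fingerprints(cert_b64):
    """Fingerprints are hashes of the DER bytes, i.e. of the decoded base64 body."""
    der = base64.b64decode(cert_b64, validate=True)
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest(),
            "md5": hashlib.md5(der).hexdigest()}


def verify_signing_cert(xml_text, expected_sha256):
    """True only if a signing certificate matches a SHA-256 fingerprint obtained
    independently of this metadata download (e.g. read off the WebADM console)."""
    expected = expected_sha256.replace(":", "").replace(" ", "").lower()
    return any(cert_fingerprints(c)["sha256"] == expected
               for c in parse_idp_metadata(xml_text)["signing_certs"])


def to_pem(cert_b64):
    """Splunk expects the IdP certificate as a PEM file; wrap the body at 64 characters."""
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def splunk_settings(xml_text, binding=HTTP_POST):
    """The values to enter in Splunk's SAML settings for the chosen binding."""
    md = parse_idp_metadata(xml_text)
    if binding not in md["sso"]:
        raise ValueError("IdP does not offer SSO over %s" % binding)
    return {"issuer": md["entity_id"],
            "sso_url": md["sso"][binding],
            "slo_url": md["slo"].get(binding),  # None if the IdP offers no SLO
            "idp_cert_pem": to_pem(md["signing_certs"][0])}


if __name__ == "__main__":
    for key, value in splunk_settings(SAMPLE_METADATA).items():
        print(key, "=", value)
    print(cert_fingerprints(parse_idp_metadata(SAMPLE_METADATA)["signing_certs"][0]))
```

With real metadata, feed the script the document fetched from your IdP and pass `verify_signing_cert` the fingerprint you got from the IdP administrator; only when it returns True should the PEM produced by `to_pem` be installed as the IdP certificate on Splunk.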
If you check the advanced settings, you will see the following:
The NameID format is configured to Persistent, the redirect after logout is configured to https://www.splunk.com, and the binding method for SSO and SLO is set to HTTP Post.
The SAML configuration on Splunk is done.
We now have to create SAML groups and map the desired Splunk roles to them. Here, we created two groups with different roles mapped. The group names must be returned later in the SAML assertion so that authenticated users receive the corresponding privileges on the Splunk portal.
Splunk Configuration on the IdP
The Splunk configuration on the IdP consists of creating a client policy and configuring the required settings for the SP. We also need to return the group values expected by Splunk in order to map roles once the user is authenticated and redirected to the Splunk portal.
In this example, the roles are configured at the user level.
Client policies
Let's create a Client Policy for Splunk. Log in to the WebADM Administrator portal, click on the Admin tab, click on Client Policies and then on the Add Client button. Name your client policy and optionally provide a description.
Click on the Proceed and Create Object buttons.
You are now in the policy configurator. Configure the Default Domain, a Friendly Name (optional), and set the Client Name Aliases with the Fully Qualified Domain Name or IP configured on the Splunk side.
In this example it is https://prd-p-h9h24.splunkcloud.com/.
Scroll down to Default Application Settings, tick the Enforced Settings checkbox and click the Edit button. In the Applications box, select OpenID & SAML Provider.
In the configuration, the Return Attributes setting is configured with the value role=title. This means that the title attribute of the user's account will contain the SAML group value expected by Splunk to map roles and permissions once the user is authenticated on the Splunk portal. In this example we use the title attribute, but you can use another attribute if needed. Whichever attribute you choose, make sure it can only be written by directory administrators: because it drives the Splunk role mapping, a user who can edit it (for example through a self-service page) could grant themselves the Admin role.
The SAML assertion will then contain, for example, role=admin or role=engineering according to what is configured in the title attribute of each account.
Scroll down a little; there are a few more settings to configure on the same page.
We enabled the Sign Entire SAML Response and Encrypt SAML Response settings, and configured the Client Certificate used by Splunk, the Assertion Consumer Service URL and the Logout Consumer Service URL. The Client Certificate is Splunk's own SP certificate: encrypting the response requires the public key of the recipient, so it must be the certificate Splunk presents in its SAML settings. Adapt these values to your specific configuration.
The SAML configuration is finished. You can also configure the authentication settings by selecting MFA Authentication Server in the Applications box.
You can now continue with the role mapping.
Roles mapping
We now need to configure the role mapping by setting the title attribute on user accounts. As explained earlier, the title attribute will contain the Splunk group value. This can be done from the WebADM Administrator portal if you have the necessary permissions to manage the attribute you chose (in this case, the title attribute) or from your LDAP management console.
In this example, the Admin group in Splunk will be associated with my Administrator account, and the Engineering group in Splunk will be associated with my John Doe account.
I select my Administrator account in WebADM. On the Add Attribute line, I select Title, then click on the Add button:
On the next screen you are prompted for the value. Enter the desired Splunk group value and click Proceed:
The Splunk group/role (Admin) is now configured on my Administrator user:
I repeated the operation for my John Doe account:
The Splunk group/role (Engineering) is now configured on my John Doe user:
The role mapping is complete.
Role mapping cannot be configured at the group level.
If you have a large number of users and role mappings to perform, you can use the LDAP Search tool of the WebADM Administrator portal, accessible from the Search tab, to list the users of a specific OU or group and perform batch actions on the results to set or add an LDAP attribute.
Here is an example:
Click on the Continue button, and the attribute and its value will be added to every user in the LDAP search results.