Overview

In this guide, we demonstrate the Splunk integration with the RCDevs Identity Provider through SAML.
Refer to Splunk documentation for SAML configuration on Splunk.

IdP configuration on Splunk

Log in to the Splunk web interface with a Splunk administrator account. In the Settings menu, under the Users and Authentication category, click Authentication Methods.

On the next page, enable SAML as the external authentication method and click SAML Settings.

We are now in the SAML configuration menu. Configure the IdP settings (IdP entity ID, SSO and SLO URLs, IdP signing certificate) according to your IdP information.

The values entered on the previous screen (IdP entity ID, SSO and SLO URLs and the IdP signing certificate) can be retrieved from the SAML metadata of your IdP. In this setup it is available at https://sso.rcdevsdocs.com/ws/saml. Fetch it over HTTPS only: whoever can alter this document can substitute the signing certificate that Splunk will trust. The fingerprints in the XML comments are useful to double-check the certificate you upload to Splunk.

The metadata URL returns the following document:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sso.rcdevsdocs.com">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIGfzCCBGegAwIBAgIRAM9/TyvDiZAahDgzYkWGRdIwDQYJKoZIhvcNAQELBQAwUjEXMBUGA1UEAwwOUkNEZXZzIERvY3MgQ0ExCzAJBgNVBAsMAkNBMR0wGwYDVQQKDBRSQ0RldnMgRG9jdW1lbnRhdGlvbjELMAkGA1UEBhMCTFUwHhcNMjQwNzE1MTM0OTA3WhcNMzQwNzEzMTM0OTA3WjBgMRswGQYDVQQDDBJXZWJBRE0gQ2VydGlmaWNhdGUxDzANBgNVBA0MBlNFUlZFUjEXMBUGA1UECgwOUkNEZXZzIFN1cHBvcnQxFzAVBgNVBGEMDlZBVExVLTAwMDAwMDAwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1w3PR1Q+78jdD12g4Di3ljcthoZwvpQuwmuOm/+fBthQjrHR1UIY3HDkulCOYpBRiNNj6ED49eyF9jIeO/zVO5QXnzX4gmasZPd06ZYAD8pkDc7fnnxZD4aSHDKQcF1xwUnHESUCPzWR1Wy3t6ifwl85uRuC+QlskMv4t82LqeMQeSBdeBqNpADm9Hmg8AO5BK4Oz/NNooB46P5RYDEerY1D/qOfLkuzEDr2C2Z1rGvtG7+7EpaS+b9Ipnz/fT71QACPxJym98YWEp/1Fb/clC6QLKQuQ+AzheTVZyyeOhOYFxsoGEu+wDFAERXWWAr5sPnayDJiZdXbH+712ri35y9oFWOxZC1diATOS/MRc05bAzgAbyiQe1PrhDfwRiL4YF0EtLvuZJGBH031DZS3THdYSeONDhsImbNYFYLPpzRqb5iXssN+KBPAdCfYJ2IMfjAV4li0s1WSC40iZ5MAkwovE0HD++DVO2HHBJ9hYl6aqa35lGm/QSjkUYvw2xX3kvc3utPQcqUkYDWzF7tLIMpTzO6FtD1pR/FR6DKkqmx9NhLMdIi9eNGK4MG+MgKwCXhE1I6aJxVoRCbAihb0wgnR+Y38P4bJUYzvDCC4upE3DLc+ct5VJ/rtCo9UDyVQGsLDD9cDoywdr6feM/Pou+LpccVNAHul1FJ9CPKxyVECAwEAAaOCAUAwggE8MAsGA1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDATCBygYIKwYBBQUHAQEEgb0wgbowJgYIKwYBBQUHMAGGGmh0dHA6Ly8xOTIuMTY4LjQuMTYwL29jc3AvMCYGCCsGAQUFBzABhhpodHRwOi8vMTkyLjE2OC40LjE2MS9vY3NwLzAzBggrBgEFBQcwAoYnaHR0cDovLzE5Mi4xNjguNC4xNjAvY2FjZXJ0Lz9mb3JtYXQ9ZGVyMDMGCCsGAQUFBzAChidodHRwOi8vMTkyLjE2OC40LjE2MS9jYWNlcnQvP2Zvcm1hdD1kZXIwSwYDVR0fBEQwQjAfoB2gG4YZaHR0cDovLzE5Mi4xNjguNC4xNjAvY3JsLzAfoB2gG4YZaHR0cDovLzE5Mi4xNjguNC4xNjEvY3JsLzANBgkqhkiG9w0BAQsFAAOCAgEACy/zl7IPSaOn2wEZ66xQNxm9FW408jMrQS2Y6hFvfzRMNhbOh+ZwNFSgCijUJ4ASZVQeZIiYN8f/quH80Y7AJE3kcTpXvJE2LozDbUMsXe0GpkNuzDojbp3K2ZcgUitL0q/rDHPBXXExl1AEhPgpwN1I7ZyHPfZpU92XxcsoSrUi8AMmzoVwlna30RMkkCDDBsf+an1uxdrdwMQLeQddOFddAUI80NWvh0drnv1epkT34K+RpvEAU514a3suErDMIqp+h7BqTdPrdiRkIhTutgSsPquhGIDzv+WvGBzFGWPAfudQHE5jMn3lPgN3r75HrdNfMkVEv0jclpp3VhiUnwQzNQn2UzVe7LQh8ixjEg1kwtIQ8UuwX6LOZ7a51WuKkRfS1iw1yDCM1UmGNuoMGqI6bxwFbBZ1C3brgJKjXBciEpXrSpcJ+ulhDYY
UrCmGnpg6xyJ6veWfT2tVExLcffv4edT0KCJuKsyTztLFtT9A9ihyV/lPBsVUtIipe2CaCXupP84812s0cgo6XkcAr99pvtPNLZg9aBLuVt7GmyJSQeLJ6z+QWlkKnsEh7HlSrV2RC/wsTYlTeTRZFmiNa1RGx4UsNyTf9Igp+EG4Nh/UBhGO1Jkn1dIRZyb/qgcF/DWCSdbwFIKxuaKA12KFJMFS4aMV1e0QLDhLfpZ1/10=</X509Certificate>
<!--  Cert Fingerprint (SHA1): 32774463a2e892150f46852b3fdcac7f5be924dc  -->
<!--  Cert Fingerprint (SHA256): e0bd10584f5c3a554e279b9241619e8fdf9c3bfbe95c90da939f0342546e52ac  -->
<!--  Cert Fingerprint (MD5): 639ed5b4241047c8382f897fc459a714  -->
</X509Data>
</KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
</IDPSSODescriptor>
</EntityDescriptor>
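Before trusting what was typed into Splunk, it is worth comparing it mechanically with the metadata. The following is an added example, not RCDevs or Splunk code: it parses an IdP metadata document of the shape shown above, computes the signing-certificate fingerprints the way the metadata comments print them, and lists the mismatches against the values configured on Splunk. The embedded metadata is a constructed copy of the structure above with a placeholder certificate body; the SHA-256 fingerprint of the certificate uploaded to Splunk is assumed to come from `openssl x509 -in idp.pem -noout -fingerprint -sha256`.

```python
# Added example (not RCDevs or Splunk code): parse IdP SAML metadata and compare it
# with the values entered in Splunk's SAML settings, including the fingerprint of
# the IdP signing certificate. Only the standard library is used; the metadata must
# come over HTTPS from your own IdP, since a tampered document swaps the trusted key.
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
IDP_URL = "https://sso.rcdevsdocs.com/openid/index.php"

# Constructed sample with the same layout as the real metadata; the certificate
# body is a placeholder, not a real DER certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder-der-certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sso.rcdevsdocs.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data>
        <X509Certificate>{PLACEHOLDER_CERT_B64}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="{IDP_URL}"/>
    <SingleLogoutService Binding="{POST}" Location="{IDP_URL}"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="{IDP_URL}"/>
    <SingleSignOnService Binding="{POST}" Location="{IDP_URL}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def cert_fingerprints(b64_cert: str) -> dict:
    """Fingerprints of a base64 DER certificate, as printed in the metadata comments."""
    der = base64.b64decode("".join(b64_cert.split()))  # tolerate wrapped base64
    return {"sha1": hashlib.sha1(der).hexdigest(), "sha256": hashlib.sha256(der).hexdigest()}


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    # Only signing keys verify assertion signatures; skip keys marked use="encryption".
    signing = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            signing.append(cert_fingerprints(cert.text or ""))

    def endpoints(tag: str) -> dict:
        return {e.get("Binding"): e.get("Location") for e in idp.findall(f"{{{MD}}}{tag}")}

    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
        "signing_certs": signing,
    }


def check_splunk_settings(meta: dict, entity_id: str, sso_url: str, slo_url: str,
                          cert_sha256: str, binding: str = POST) -> list:
    """Mismatches between what was entered in Splunk and the metadata.

    cert_sha256 is the fingerprint of the IdP certificate uploaded to Splunk,
    with or without the colons that openssl prints.
    """
    problems = []
    short = binding.rsplit(":", 1)[-1]
    if meta["entity_id"] != entity_id:
        problems.append(f"entity ID: Splunk has {entity_id!r}, metadata has {meta['entity_id']!r}")
    if meta["sso"].get(binding) != sso_url:
        problems.append(f"SSO URL ({short}): metadata has {meta['sso'].get(binding)!r}")
    if meta["slo"].get(binding) != slo_url:
        problems.append(f"SLO URL ({short}): metadata has {meta['slo'].get(binding)!r}")
    wanted = cert_sha256.replace(":", "").lower()
    if not any(c["sha256"] == wanted for c in meta["signing_certs"]):
        problems.append("IdP certificate on Splunk is not a signing certificate from the metadata")
    for url in (sso_url, slo_url):
        if not url.startswith("https://"):
            problems.append(f"{url}: SAML endpoints must be HTTPS")
    return problems
```

Run `parse_idp_metadata` on the real metadata document saved from the URL above, then call `check_splunk_settings` with the values from the Splunk SAML settings screen; an empty list means everything matches, and the certificate check catches the common mistake of uploading an expired or wrong certificate whose fingerprint does not appear in the metadata.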

If you open the Advanced Settings, you will find the following: the NameID format is set to Persistent, the redirect URL after logout is https://www.splunk.com, and the binding for both SSO and SLO is HTTP POST (one of the two bindings advertised in the IdP metadata above).

SAML configuration on Splunk is done.

We now have to create SAML groups and associate the desired Splunk roles with them. Here, we created two groups with different roles mapped. The IdP must return these exact group values in the SAML assertion later; that is how authenticated users obtain their privileges on the Splunk portal.

Splunk Configuration on the IdP

The Splunk configuration on the IdP consists of creating a client policy and configuring the required settings for the SP. We also need to return the group values expected by Splunk in order to map roles once the user is authenticated and redirected to the Splunk portal.
In this example, the roles are configured at the user level.

Client policies

Let's create a Client Policy for Splunk. Log in to the WebADM Administrator portal, open the Admin tab, click Client Policies and then the Add Client button. Name your client policy and optionally provide a description.

Click on the Proceed and Create Object buttons.

You are now in the policy configurator. Configure the Default Domain, a Friendly Name (optional), and set the Client Name Aliases to the fully qualified domain name or IP address of the Splunk instance. In this example it is https://prd-p-h9h24.splunkcloud.com/.

Scroll down to Default Application Settings, tick the Enforced Settings checkbox and click the Edit button. In the Applications box, select OpenID & SAML Provider.

In this configuration, the Return Attributes setting is set to role=title. This means the value of the title attribute on the user's LDAP account is returned in the SAML assertion as the role attribute, which is the SAML group value Splunk expects in order to map roles and permissions once the user is authenticated on the Splunk portal. We use the title attribute here, but any other attribute can be used; make sure the attribute you choose is not already used for something else, since its value is sent to Splunk as-is.
The SAML assertion will, for example, contain role=Admin or role=Engineering depending on what is set in the title attribute of each account. The value must exactly match the SAML group name defined on Splunk.
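To make the role=title mapping concrete, here is an added example (not RCDevs or Splunk code) of what the role attribute looks like inside the assertion and how the SAML group configuration on Splunk resolves it to Splunk roles. The assertion is built locally for illustration, without signature or conditions; a real one is signed (and, with the settings used in this guide, encrypted), and Splunk verifies that before reading any attribute. The Splunk roles attached to each group are assumptions for the example.

```python
# Added example (not RCDevs or Splunk code): the role attribute produced by
# Return Attributes "role=title" as it appears in the assertion, and the exact-match
# resolution of that value to the SAML groups created on Splunk.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# SAML groups created on Splunk and the Splunk roles attached to each (assumed lists).
SPLUNK_SAML_GROUPS = {
    "Admin": ["admin"],
    "Engineering": ["user", "power"],
}


def build_assertion(name_id: str, title_values: list, attribute: str = "role") -> str:
    """Minimal unsigned assertion carrying the title value(s) as the role attribute."""
    values = "".join(
        f"      <saml:AttributeValue>{escape(v)}</saml:AttributeValue>\n" for v in title_values
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">\n'
        f"  <saml:Issuer>https://sso.rcdevsdocs.com</saml:Issuer>\n"
        f"  <saml:Subject>\n"
        f'    <saml:NameID Format="{PERSISTENT}">{escape(name_id)}</saml:NameID>\n'
        f"  </saml:Subject>\n"
        f"  <saml:AttributeStatement>\n"
        f'    <saml:Attribute Name="{attribute}">\n'
        f"{values}"
        f"    </saml:Attribute>\n"
        f"  </saml:AttributeStatement>\n"
        f"</saml:Assertion>\n"
    )


def attribute_values(assertion_xml: str, name: str) -> list:
    """All values of the named attribute, namespace-aware (the prefix does not matter)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == name:
            values += [(v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return values


def splunk_roles(assertion_xml: str, attribute: str = "role", groups=SPLUNK_SAML_GROUPS) -> list:
    """Roles Splunk would grant: exact, case-sensitive match on the SAML group name."""
    roles = []
    for group in attribute_values(assertion_xml, attribute):
        for role in groups.get(group, []):  # unknown group (e.g. "engineering") grants nothing
            if role not in roles:
                roles.append(role)
    return roles


def name_id(assertion_xml: str) -> tuple:
    """(Format, value) of the subject NameID; Persistent is what Splunk is set to above."""
    root = ET.fromstring(assertion_xml)
    node = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return (node.get("Format"), (node.text or "").strip())


if __name__ == "__main__":
    assertion = build_assertion("john.doe", ["Engineering"])
    print(assertion)
    print("NameID:", name_id(assertion))
    print("Splunk roles:", splunk_roles(assertion))
```

When a login succeeds at the IdP but the user lands on Splunk without privileges, compare the role value in a captured assertion with the group names on Splunk: a value such as engineering or a stray trailing space in the title attribute maps to no group and therefore to no role.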

Scroll down a little; there are a few more settings on the same page to configure.

We enabled the Sign Entire SAML Response and Encrypt SAML Response settings, configured the Client Certificate used by Splunk (the SP certificate; the encrypted response can only be decrypted with the matching private key held by Splunk), the Assertion Consumer Service URL, and the Logout Consumer Service URL. Adapt these values to your configuration: the ACS and logout URLs must be the endpoints exposed by your Splunk instance, otherwise the IdP posts the response to the wrong place.

The SAML configuration is finished. You can also configure the authentication settings by selecting MFA Authentication Server in the Applications box.

You can now continue with the role mapping.

Roles mapping

We now need to configure the role mapping by setting the title attribute on user accounts. As explained earlier, the title attribute will contain the Splunk group value. This can be done from the WebADM Administrator portal if you have the necessary permissions to manage the attribute you choose (in this case, the title attribute) or from your LDAP management console.

In this example, the Admin group in Splunk will be associated with my Administrator account, and the Engineering group in Splunk will be associated with my John Doe account.

Select the Administrator account in WebADM. On the Add Attribute line, select Title, then click the Add button.

On the next screen you are prompted for the value. Enter the Splunk group name (here, Admin) and click Proceed.

The Splunk group/role (Admin) is now configured on the Administrator user.

Repeat the operation for the John Doe account, this time with the value Engineering.

The Splunk group/role (Engineering) is now configured on the John Doe user.

The role mapping is complete.

Role mapping cannot be configured at the group level, since the value is read from the user's own title attribute.
If you have a large number of users and role mappings to perform, you can use the LDAP Search tool of the WebADM Administrator portal, accessible from the Search tab, to list the users of a specific OU or group and apply a batch action to the results that sets or adds an LDAP attribute.

Here is an example: run an LDAP search scoped to the OU or group that holds the target users, then apply a batch action to the results that adds or sets the title attribute with the Splunk group value. Click the Continue button, and the attribute and its value are added to every user in the LDAP search results.
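The same batch change can be prepared outside WebADM and applied from your LDAP management console. The following is an added example, not RCDevs code: it turns a user-to-group mapping into an LDIF file for ldapmodify, and refuses any group name that does not exist on Splunk, since a typo there silently leaves the user with no Splunk role. The DNs, the directory host and the mapping are constructed for the example.

```python
# Added example (not RCDevs code): build an LDIF batch that sets the title
# attribute on many accounts at once, for use with ldapmodify against the LDAP
# directory behind WebADM. DNs and the user-to-group mapping are constructed.
import base64

SPLUNK_SAML_GROUPS = {"Admin", "Engineering"}  # exact names of the SAML groups on Splunk

ROLE_MAP = {  # constructed: user DN -> Splunk SAML group
    "cn=Administrator,ou=Users,dc=rcdevsdocs,dc=com": "Admin",
    "cn=John Doe,ou=Users,dc=rcdevsdocs,dc=com": "Engineering",
}


def ldif_line(attr: str, value: str) -> str:
    """One 'attr: value' line, or 'attr:: base64' when LDIF requires it
    (non-ASCII, non-printable, leading/trailing space, or a leading ':' or '<')."""
    safe = (value.isascii() and value.isprintable() and value == value.strip()
            and not value.startswith((":", "<")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def unknown_groups(role_map: dict, known: set) -> list:
    """Group names in the map that do not exist on Splunk."""
    return sorted({g for g in role_map.values() if g not in known})


def role_map_to_ldif(role_map: dict, known: set, replace: bool = True) -> str:
    """LDIF modify records; replace=True overwrites an existing title value,
    replace=False adds a second value, which Splunk would also see in the assertion."""
    bad = unknown_groups(role_map, known)
    if bad:
        raise ValueError(f"groups not defined on Splunk: {bad}")
    op = "replace" if replace else "add"
    records = []
    for dn, group in role_map.items():
        records.append("\n".join([
            ldif_line("dn", dn),
            "changetype: modify",
            f"{op}: title",
            ldif_line("title", group),
            "-",
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(role_map_to_ldif(ROLE_MAP, SPLUNK_SAML_GROUPS), end="")
```

Write the output to a file and apply it with, for example, `ldapmodify -H ldaps://ldap.rcdevsdocs.com -D "cn=admin,dc=rcdevsdocs,dc=com" -W -f splunk-roles.ldif` (host and bind DN assumed). Check first that title is not already in use for something else in your directory: with replace the existing value is lost, and with add the account ends up with two values, both of which are returned to Splunk.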