Splunk Cloud SAML integration
Multi-factor authentication (MFA) is an extra layer of security used when logging into websites or apps to authenticate users through more than one required security and validation procedure that only you know or have access to.
Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.
Acceptto™, as a SAML provider, improves the user login experience for Splunk Cloud users with smart and convenient single sign-on (SSO) MFA.
Prerequisites
Acceptto account with a configured Identity Provider and LDAP Agent.
For more information, see the LDAP Agent deployment guide.
Splunk Cloud user account with administrative access
User account with administrative privileges for the Acceptto eGuardian dashboard.
Splunk Cloud configuration
In this section, you'll configure Splunk Cloud as a service provider.
Download the SAML metadata and certificate for your organization from Acceptto.
Metadata download:
https://sso.acceptto.com/<myorganization>/saml/download/metadata
View metadata:
https://sso.acceptto.com/<myorganization>/saml/metadata
Certificate download:
https://sso.acceptto.com/<myorganization>/saml/download/cert
Log in to your Splunk Cloud portal as an administrator at
https://<yourtenant>.splunkcloud.com
In the top navigation bar, select the Settings tab and click Authentication Methods.
Select the SAML option and click SAML Settings.
On the SAML Configuration page, do the following:
SP Metadata File - Download the Splunk metadata for the SAML Service Provider Configuration in Acceptto.
Metadata XML File - Upload the Acceptto metadata file downloaded in Step 1.
Click Apply.
Some fields in the General Settings section will automatically populate with Information from the uploaded Acceptto metadata.
In the General Settings section, set the following configurations:
Entity ID - Set to your Splunk URL or a unique name. For example, SplunkEntity.
Sign AuthnRequest - Select the check box.
In the Alias section, set Role alias to a unique value.
For example, Role.
Note: The Role alias value must match the Name value that you set for Attribute Assertion during the SAML Service Provider Configuration in Acceptto.
In the Advanced Settings section, set the following configurations:
Name Id Format - Select Email Address.
Fully qualified domain name or IP of the load balancer field - Set to https://0.
Click Save.
In the top navigation bar, select the Settings tab and click Authentication Methods.
Select SAML Settings.
In the Create New SAML Group section, set the following configurations:
Group Name - Set to a unique name. The name for this group must match the Group Name of Splunk users in your Active Directory.
Splunk Roles - Select one or more of the roles in the Available item(s) column.
Note: An error in configuring SAML could result in users and admins being locked out of Splunk Enterprise. If you are locked out, use the following link to access the local login and revert back to None for authentication:
https://splunk.example.com:8000/en-US/account/login?loginType=splunk
.
Acceptto SAML configuration as an Identity Provider (IdP)
In this section, you will add an application for Splunk Cloud and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.
Log in to the Acceptto Dashboard with an administrative account and go to Applications.
Click Create New Application.
In the New Application form, on the General tab, set the following configurations:
Name – Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.
For example, Splunk Cloud.
Type – Set to SAML Service Provider.
Out of Band Methods – Select the allowed methods end users can choose to approve MFA requests.
For example, It'sMe app (push notifications), SMS, or Security Key.
Message for MFA Requests – (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.
Select the SAML Service Provider Configuration tab, and set the following configurations:
Issuer or Entity ID - Enter the same EntityID set during Splunk Cloud configuration.
For example,
https://<yourtenant>.splunkcloud.com
.Sign in URL - This login URL is the same as your Splunk Cloud URL.
For example,
https://<yourtenant>.splunkcloud.com
.NameID Format – Set to Email Address.
Name Identifier – Set to Email.
ACS URL - Enter the ACS URL provided in the Splunk metadata file.
The URL should follow this format:
https://<yourtenant>.splunkcloud.com/saml/acs
.Single Logout URL - Enter the Single Logout URL provided in the Splunk metadata file.
The URL should follow this format:
https://<yourtenant>.splunkcloud.com/saml/logout
.Algorithm - Set to RSA-SHA256.
Go to the Add New Attribute Assertion section and set the following configurations:
Attribute 1:
Note: The Name value must match the Role alias value set during Splunk Cloud configuration.
Friendly Name - Set to Role.
Name - Set to Role.
Value - Set to MemberOf.
Name Format - Leave unspecified.
Attribute 2:
Friendly Name - Set to Email.
Name - Set to emailaddress.
Value - Set to mail.
Name Format - Leave unspecified.
Click Save.
Test your application integration
Go to your Splunk Cloud URL.
You will be redirected to the Acceptto SSO page.
After successful authentication, select your preferred MFA method to approve access to the Splunk Cloud application.
Finally, you will be redirected to your Splunk Cloud dashboard.
Support
If you have questions or need assistance, contact SecureAuth Support.
Sales
Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.
Disclaimer
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.