Skip to main content

Splunk Enterprise SAML integration

Multi-factor authentication (MFA) is an extra layer of security used when logging into websites or apps to authenticate users through more than one required security and validation procedure that only you know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

Acceptto™, as a SAML provider, improves the user login experience for Splunk Enterprise users with its smart and convenient single sign-on (SSO) MFA.


  • Acceptto account with a configured Identity Provider and LDAP Agent.

    For more information, see the LDAP Agent deployment guide.

  • A Splunk Enterprise user account with administrative access.

  • User account with administrative privileges for the Acceptto eGuardian dashboard.

Splunk Enterprise configuration

In this section, you will configure Splunk Enterprise as a service provider.

  1. Download the SAML metadata and certificate for your organization from Acceptto.

    Metadata download:<myorganization>/saml/download/metadata

    View metadata:<myorganization>/saml/metadata

    Certificate download:<myorganization>/saml/download/cert

  2. Log in to your Splunk Enterprise portal as an administrator.

    For example,

    Note: For added security, change the protocol in the instance URL from HTTP to HTTPS.

  3. In the top navigation bar, select the Settings tab and click Authentication Methods.

    Splunk admin portal
  4. Select the SAML option and click SAML Settings.

    Select SAML option
  5. On the SAML Configuration page, do the following:

    • SP Metadata File - Download the Splunk metadata for the SAML Service Provider Configuration in Acceptto.

    • Metadata XML File - Upload the Acceptto metadata file downloaded in Step 1.

    SAML configuration- metadata
  6. Click Apply.

    Some fields in the General Settings section will automatically populate with Information from the uploaded Acceptto metadata.

  7. In the General Settings section, set the following configurations:

    • Entity ID - Set to your Splunk URL or a unique name. For example, SplunkEntity.

    • Sign AuthnRequest - Select the check box.

    SAML general settings
  8. In the Alias section, set Role alias to a unique value.

    For example, Role.

    Note: The Role alias value must match the Name value that you set for Attribute Assertion during the SAML Service Provider Configuration in Acceptto.

    Add role alias
  9. In the Advanced Settings section, set the following configurations:

    • Name Id Format - Select Email Address.

    • Fully qualified domain name or IP of the load balancer field - Set to https://0.

    SAML advanced settings
  10. Click Save.

  11. In the top navigation bar, select the Settings tab and click Authentication Methods.

  12. Select SAML Settings.

  13. In the Create New SAML Group section, set the following configurations:

    • Group Name - Set to a unique name. The name for this group must match the Group Name of Splunk users in your Active Directory.

    • Splunk Roles - Select one or more of the roles in the Available item(s) column.

    Note: An error in configuring SAML could result in users and admins being locked out of Splunk Enterprise. If you are locked out, use the following link to access the local login and revert back to None for authentication:

    Create new SAML group

Acceptto SAML configuration as an Identity Provider (IdP)

In this section, you will add an application for Splunk Enterprise and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to the Acceptto Dashboard with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application
  3. In the New Application form, on the General tab, set the following configurations:

    • Name – Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

      For example, Splunk Enterprise.

    • Type – Set to SAML Service Provider.

    • Out of Band Methods – Select the allowed methods end users can choose to approve MFA requests.

      For example, It'sMe app (push notifications), SMS, or Security Key.

    • Message for MFA Requests – (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

    Add Splunk Enterprise
  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    • Issuer or Entity ID - Enter the same EntityID set during Splunk Enterprise configuration.

      For example,

    • Sign in URL - This login URL is the same as your Splunk Enterprise URL.

      For example,

    • NameID Format – Set to Email Address.

    • Name Identifier – Set to Email.

    • ACS URL - Enter the ACS URL provided in the Splunk metadata file.

      The URL should follow this format:

    • Single Logout URL - Enter the Single Logout URL provided in the Splunk metadata file.

      The URL should follow this format:

    • Algorithm - Set to RSA-SHA256.

    Splunk SP configuration
  5. Go to the Add New Attribute Assertion section and set the following configurations:

    Attribute 1:

    Note: The Name value must match the Role alias value set during Splunk Enterprise configuration.

    • Friendly Name - Set to Role.

    • Name - Set to Role.

    • Value - Set to MemberOf.

    • Name Format - Leave unspecified.

    Attribute 2:

    • Friendly Name - Set to Email.

    • Name - Set to emailaddress.

    • Value - Set to mail.

    • Name Format - Leave unspecified.

    Add New Attribute Assertion
  6. Click Save.

Test your application integration

  1. Go to your Splunk Enterprise URL.

  2. You will be redirected to the Acceptto SSO page.

    SSO login
  3. After successful authentication, select your preferred MFA method to approve access to the Splunk Enterprise application.

    Select MFA method
  4. Finally, you will be redirected to your Splunk Enterprise dashboard.

    Successful Splunk integration


If you have questions or need assistance, contact SecureAuth Support.


Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.