SecMon Guy

In my previous blog post we have configured Auth0 as Identity Provider for Splunk using SAML protocol. Now it is time to configure Splunk.  As Splunk admin user, go to Settings / Authentication Methods. SAML is available as one of the external authentication methods. Select it. Click SAML Settings and the green button SAML configuration. Import IdP meta file. It is going to populate most of the fields for you. Still, there are a few settings that require manual adjustment. General Settings Entity ID : https://<your-splunk.com> - just enter your Splunk instance URL Advanced Settings Fully qualified domain name or IP of the load balancer : https://<your-splunk.com> - make sure this is correct; for instance you would like to have your FQDN here instead of container name Redirect port - load balancer port : 8000 - Splunk Web UI port       You need to also set up aliases for SAML attributes containing realName, mail and role. Alias Role alias : http://schem...

In order to remediate password fatigue problem, companies are implementing SSO solutions. This approach is not only beneficial for the user who can benefit by using single credentials for multiple applications but also significantly reduces administrative overhead (for instance, all the user privileges can be revoked just with a single click!).  In this short guide we are going to see how to integrate Splunk with and an Identity Provider (IdP) using SAML protocol. There are several big IAM companies which can act as an IdP, such as Okta , Ping Identity or Auth0 . I am going to use Auth0. As of today, this integration is not in the official Splunk documentation. I was able to find one blog post that discusses this scenario, however it is dated 06/2019 and seems incomplete/truncated.  This post focuses on IAM part, while the next one examines Splunk configurations. Glossary ACS URL      An Assertion Consumer Service URL is an endpoint that is going to process I...