Integrate Splunk

Splunk software allows you to search, monitor, and analyze machine data (see https://www.splunk.com). You can protect access to Splunk by integrating Splunk with Identity as a Service. Once integrated, users can use single sign-on to log in to their Splunk account through Identity as a Service.

Note: This integration was tested using Identity as a Service version 5.14 and Splunk version 8.1.1. Other versions of Splunk may require integration and configuration steps that differ from those documented in this procedure. For other versions of Splunk, this integration guide may be used as an initial approach for integrating Splunk. In the event of other issues, contact support@entrust.com for assistance.

To integrate Splunk with Identity as a Service, you must do the following:

Step 1: Download the metadata from Splunk

1. Log in to your Splunk account as an administrator.

2. Click Settings > Authentication Methods.

3. If the Choose Default Dashboard dialog box appears, click Save and then click Settings > Authentication Methods again. The Authentication Methods page appears.

4. Click the SAML radiobutton.

5. Click Configure Splunk to use SAML. The SAML Configuration dialog box appears.

6. Click Download File to download the SP Metadata File. The SP Metadata file downloads.

Step 2: Add Splunk to Identity as a Service

Add Splunk as an application to Identity as a Service

1. Log into your Identity as a Service administrator account.

2. Click > Security > Applications. The Applications Lists page appears.

3. Click Add. The Select an Application Template page appears.

4. Do one of the following:

● Select SAML Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.

- or -

● In the Search bar, enter a search option to filter for the application you want to add to IDaaS.

5. Click Splunk. The Add Splunk page appears.

6. Enter an Application Name.

7. Enter an Application Description.

8. Optional. Add a custom application logo.

a. Click next to Application Logo. The Upload Logo dialog box appears.

b. Click to select an image file to upload.

c. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.

d. If required, resize your image.

e. Click OK.

9. Select the Authentication Flow that appears to users during login.

10. Click Next. The General page appears.

11. Click to the Upload Metadata XML and browse to the location of the metadata file you downloaded in Step 1: Download the metadata from Splunk. The Metadata Configuration dialog box appears.

a. If required, click Merge with existing values to merge new values with existing values for Alternative Assertion Consumer Services URLs and SAML attribute names.

b. Click Save.

Attention: Note the Service Provider Entity ID (Issuer). You need this in Step 5: Configure Splunk for Identity as a Service authentication.

12. Optional. Enter the SAML Username Parameter Name used to identity the user ID being requested for authentication. The user ID can then be passed as a parameter, for example, Username=jdoe. Alternately, if the SAML username is NameID, the SAML Request XML NameID element value is used to the identify the IDaaS userID.

13. Enter the SAML Session Timeout to the time when the SAML Assertion times out. The maximum is 720 minutes.

14. Enter the Max Authentication Age (seconds) to set the maximum amount of time that can elapse before a user is required to reauthenticate during a new login attempt. This applies for both SP-initiated and IDP-initiated login. Set this field to -1 to disable this feature.

15. From the SAML NameID Attribute drop-down list, select UserID.

16. From the SAML NameID Encoding Format drop-down list, select Unspecified.

17. From the SAML Signing Certificate the drop-down list, select the signing certificate.

18. From the SAML NameID Encoding Format drop-down list, select SHA256.

19. Deselect Sign Complete SAML Response.

20. Deselect Enable Go Back Button if you do not want users to be able to go back to the Splunk login page to log in.

21. Select Show Default Assertion Consumer URL Service in the My Profile. When selected, the Default Assertion Consumer URL appears in a user's My Profile page in addition to relay states and Alternative Assertion Consumer URLs.

22. Optional. Add Alternative Assertion Consumer Service URLs, as follows:

a. Click Add.

b. Enter a Name.

c. Enter a URL Value.

d. Select Show in My Profile to display the Alternative Consumer Service URL in a user's My profile page.

e. Optional. Add an Application Logo.

f. Click Add.

g. Repeat these steps to add more Alternative Assertion Consumer Service URLs.

23. Add a SAML Attribute for Groups, as follows:

a. Under SAML Attributes, click Add. The SAML Attributes dialog box appears.

b. In the Name field, enter SPGroups.

Attention: Note the Name. You need this in Step 5: Configure Splunk for Identity as a Service authentication.

c. Click Add next to Value(s).

d. Type [ and select [Groups] to include a user's groups every time the user authenticates to Splunk.

24. Click Submit.

Step 3: Add a resource rule

Step 4: Download the metadata file from Identity as a Service

Download the Metadata file from Identity as a Service

1. In Identity as a Service, click > Security > Applications. The Applications List page appears.

2. Do one of the following:

● Click next to the application you are integrating with Identity as a Service.

–or–

● Click next to the application you are integrating with Identity as a Service and select SAML IDP Metadata.

The SAML Application Metadata dialog box appears.

3. Select the certificate to include in the SAML IDP Metadata file from the drop-down list.

4. If applicable, Select the domain to include in the SAML IDP Metadata file from the drop-down list.

5. Enter the Lifetime, in days, for the SAML IDP Metadata file. The value must be between 2 and 730.

6. Do one of the following, as required:

a. Copy the Public Endpoint to paste into your SAML application being used Identity Provider authentication.

b. Click Download.

Note: If you are using multiple domains, you must download each domain's metadata file separately because the values in the metadata file vary for each domain.

Step 5: Configure Splunk for Identity as a Service authentication

Configure Splunk for Identity as a Service authentication

1. Log in to your Splunk account as an administrator.

2. Click Settings > Authentication Methods.

3. If the Choose Default Dashboard dialog box appears, click Save and then click Settings > Authentication Methods again. The Authentication Methods page appears.

4. Click the SAML radiobutton.

5. Click Configure Splunk to use SAML. The SAML Configuration dialog box appears.

6. Click Select File to upload the Metadata XML File you downloaded in Step 4: Download the metadata file from Identity as a Service.

7. Browse to select the Identity as a Service metadata file and click Open. The file Uploads to your Splunk SAML configuration.

8. Scroll to Advance Settings, click the Name Id Format field and select Unspecified from the pop-up menu.

9. Scroll to SSO Binding and select HTTP Redirect.

10. For the Signature Algorithm, select SHA256.

11. Scroll up to Alias and click to expand and then do the following:

a. In the Role alias field, enter SPGroups. This is the groups SAML Attribute you created in Step 2: Add Splunk to Identity as a Service.

12. Scroll to the Entity ID field and enter the Service Provider Entity ID (Issuer) you copied in Step 2: Add Splunk to Identity as a Service.

13. Select Sign AuthnRequest.

14. Click Save. The SAML Groups page appears.

15. Click New Group. The Create New SAML Group dialog box appears.

16. In the Group Name field, enter splunkusers.

17. In the Splunk Roles list, select user.

18. Click Save.