ADFS 4.0 Step by Step Guide: Federating with Splunk Cloud

To integrate On-Premises SSO with Splunk Cloud, you need the following items:

• On-premises Active Directory
• On-premises ADFS 2016
• A Splunk Cloud tenant
• Splunk cloud Sign-on URL https://yourinstance.splunkcloud.com/saml/acs
• Splunk cloud Sign-on URL https://yourinstance.splunkcloud.com/saml/logout
• ADFS Sign-on URL https://sts.domain.com/adfs/services/trust
• ADFS Sign-Out URL  https://sts.domain.com/adfs/ls/?wa=wsignout1.0
• SAML Signing Certificate of Splunk (auto-populated from SP metadata)
• ADFS Token Signing Certificate (auto-populated from IdP metadata)

• An administrative account in your ADFS
• An administrative account in your Windows Active Directory

• An administrative account for your Splunk Cloud instance or tenant.

Step1: Create Security Groups

1. Sign into Domain Controller
2. Open Active Directory Users and Computers
3. Create two security groups named, SG-SplunkAdmin and SG-SplunkUsers

Step2: Download IdP (ADFS 2016) Metadata

1. Log into the ADFS 2016 server or an admin PC.
2. Open a browser and type metadata URL https://ADFSServer1.domain.com/federationmetadata/2007-06/federationmetadata.xml
3. Download and save the metadata as IdP metadata.

Step3: Download Splunk Metadata

1. Login to Splunk Cloud instance using administrator credentials.
2. Download metadata from your instance of Splunk Cloud or This can be obtained by, once logged into a session as an admin role user, entering the URL https://yourinstance.splunkcloud.com/saml/spmetadata into your browser’s URL field.
3. Download and save the metadata as SP metadata

Step4: Extract Splunk certificate from metadata

1. Open Splunk metadata XML file in a notepad, Search “X509Certificate” in the metadata. Copy the everything starting from XML tags from ‘<ds:X509Certificate>‘ to ‘</ds:X509Certificate>‘.
2. Open a new notepad and paste the content into the notepad. Place a row above the certificate with the text —–BEGIN CERTIFICATE—– and a row below the certificate with the text —–END CERTIFICATE—–
3. Save the notepad as a .cer
4. The file will look like this one but with more hexadecimal character

—–BEGIN CERTIFICATE—–

MIIEsjCCA5qgAwIBAgIQFofWiG3iMAaFIz2/Eb9llzANBgkqhkiG9w0BAQsFADCB

sjFuz4DliAc2UXu6Ya9tjSNbNKOVvKIxf/L157fo78S1JzLp955pxyvovrsMqufq

YBLqJop4

—–END CERTIFICATE—–

Step5: Create a Relying Party Trust

1. Log into the ADFS 2016 server and open the management console.
2. Right-click Service>Relying Party Trusts>Select Add Relying Party Trust from the top right corner of the window.
3. Click Claims aware>Click Start
4. Click Import Data about the relying party
5. Browse the location where you saved Splunk metadata, select metadata, and Click Next
6. Type the Display Name as SplunkRP, Click Next
7. Ensure I do not want to configure multi-factor authentication […] is chosen, and click Next
8. Permit all users to access this relying party.
9. Click Next and clear the Open the Claims when this finishes check box.
10. Close this page. The new relying party trust appears in the window.
11. Right-click on the relying party trust and select Properties.
12. On the properties, choose the Encryption tab, Remove the certificate encryption
13. Choose the Signature tab and make sure the Splunk Certificate was imported
14. Select to the Advanced tab and set the Secure hash algorithm to SHA-1.
15. Click into the Identifiers tab. The default Relying party identifier for Splunk came in from the metadata file as ‘splunkEntityId’. Remove Default one. Add new entity ID splunk-yourinstance
16. Under the Endpoints tab, make sure the Consumer Endpoints is https://yourinstance.splunkcloud.com/saml/acs  with a Post binding and index 0
17. Under the Endpoints tab, make sure the make sure the Logout Endpoints is https://yourinstance.splunkcloud.com/saml/logout with a Post binding
18. Click Apply, Click Ok.

Step6: Add Claim Rule for the Relying Party

1. Log into the ADFS server and open the management console.
2. Right-click on the Splunk relying party trust and select Edit Claim Rules.
3. Click the Issuance Transform Rules tab.
4. Click Add Rules. Add a Rule Type the Name as Rule1
5. Ensure Send LDAP Attributes as Claims is selected, and click Next
6. Select the below details

Claim Rule Name =  Rule1

Attribute Store = Active Directory

LDAP Attribute	Outgoing Claim Type
Display-Name	realName
Token-Groups – Unqualified Names	Role
E-Mail-Addresses	mail

1. Click Finish. Click Apply
2. Click Add Rules. Add a Rule Type the Name as  Rule2
3. Ensure Transform an Incoming Claim is selected, and click Next
4. Select the below details

Claim Rule Name	Rule2
Incoming claim type	UPN
Incoming NameID format	Unspecified
Outgoing Claim Type	Name ID
Outgoing name ID format	Transient Identifier

1. Click Finish. Click Apply

Step7: Import Splunk Certificate into ADFS Server

1. Sign into ADFS Server, Open Command Prompt as an Administrator, type MMC.exe
2. Click File, Click Add/Remove Snap-in
3. Click Certificates, Click Computer Account
4. Right Click on Trusted People>All Tasks>Import Certificate
5. Browse the location of certificate and import
6. Close MMC.
7. Repeat these steps in all ADFS Servers in your farm.

Step8: Setup SigningCertificateRevocationCheck to None

Sign into primary ADFS, open PowerShell as an administrator, type the following and hit enter.

Set-ADFSRelyingPartyTrust -TargetName “SplunkRP” -SigningCertificateRevocationCheck None

Step9: Configure SplunkCloud in your instance

1. On the Splunk instance as an Admin user, choose Settings->Access Controls->Authentication Method.  Choose SAML then click on the ‘Configure Splunk to use SAML’ button.
   within the SAML Groups setup page in Splunk, click on the SAML Configuration button in the upper right corner.
2. The SAML Configuration popup window will appear. Click on Select File to import the XML Metadata file (or copy and paste the contents into the Metadata Contents textbox) and click Apply.
3. The following fields should be automatically populated by the metadata:
   Single Sign On (SSO) URL
   Single Log Out (SLO) URL
   idP’s Certificate file
   Sign AuthnRequest (checked)
   Sign SAML response (checked)
   Enter in the Entity ID as splunk-yourinstance as was used in ADFS RP Identifier property of the ADFS configuration.
4. Scroll down to the ‘Advanced Settings‘ section.
   Enter in the Fully Qualified Domain Name (FQDN) of the Splunk Cloud instance – ‘https://yourinstance.splunkcloud.com
   Enter a ‘0‘ (zero) for the Redirect port – load balancer’s port.
   Set the Attribute Alias Role to ‘http://schemas.microsoft.com/ws/2008/06/identity/claims/role’
   It may also be necessary to set an Attribute Alias for ‘Real Name’ and ‘Mail’ – but not all implementations require these settings. Click Save to Save the configuration:
5. The next step is set up the SAML groups. Within the Splunk ‘Settings->Access Controls->Authentication Method->SAML Settings‘ page, click the green “New Group” button
6. Enter a group name that associates with ADFS Active Directory passed group names, some examples follow

Group Name (Type this name on New Group Properties )	Splunk Role (Select from Available Roles)	Active Directory Security Group
SG-SplunkAdmin	Admin	SG-SplunkAdmin
SG-SplunkUsers	User	SG-SplunkUsers

1. Click Save.

Step10: Testing SSO

1. To test SSO, visit  https://yourinstance.splunkcloud.com/en-US/account/login?loginType=splunk  You will be redirected to ADFS STS Signing Page. Enter your on-premises email address and password as the credential.  You should be redirected back to Splunk Cloud.
2. Also test logging out of Splunk, you should be re-directed to the Splunk SAML logout page.