To integrate On-Premises SSO with Splunk Cloud, you need the following items:
- On-premises Active Directory
- On-premises ADFS 2016
- A Splunk Cloud tenant
- Splunk Cloud Sign-on (Assertion Consumer Service) URL https://yourinstance.splunkcloud.com/saml/acs
- Splunk Cloud Sign-out (Single Logout) URL https://yourinstance.splunkcloud.com/saml/logout
- ADFS federation service identifier https://sts.domain.com/adfs/services/trust (the SAML sign-on endpoint ADFS publishes for it is https://sts.domain.com/adfs/ls/; both are carried in the IdP metadata downloaded in Step 2)
- ADFS Sign-out URL https://sts.domain.com/adfs/ls/?wa=wsignout1.0
- SAML Signing Certificate of Splunk (auto-populated from SP metadata)
- ADFS Token Signing Certificate (auto-populated from IdP metadata)
- An administrative account in your ADFS
- An administrative account in your Windows Active Directory
- An administrative account for your Splunk Cloud instance or tenant.
Step1: Create Security Groups
- Sign into Domain Controller
- Open Active Directory Users and Computers
- Create two security groups named SG-SplunkAdmin and SG-SplunkUsers.
Step2: Download IdP (ADFS 2016) Metadata
- Log into the ADFS 2016 server or an admin PC.
- Open a browser and type metadata URL https://ADFSServer1.domain.com/federationmetadata/2007-06/federationmetadata.xml
- Download and save the metadata as IdP metadata.
Step3: Download Splunk Metadata
- Login to Splunk Cloud instance using administrator credentials.
- Download the SP metadata from your Splunk Cloud instance: while logged in as a user with the admin role, browse to https://yourinstance.splunkcloud.com/saml/spmetadata.
- Download and save the metadata as SP metadata
Step4: Extract Splunk certificate from metadata
- Open the Splunk SP metadata XML file in Notepad and search for "X509Certificate". Copy only the base64 text between the <ds:X509Certificate> and </ds:X509Certificate> tags, not the tags themselves. If the file contains more than one X509Certificate element, take the one under the KeyDescriptor with use="signing".
- Open a new Notepad window, paste the text, and add a line reading -----BEGIN CERTIFICATE----- above it and a line reading -----END CERTIFICATE----- below it.
- Save the file with a .cer extension.
- The result is a PEM-encoded certificate: the two marker lines with a long block of base64 text (not hexadecimal) between them.
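The following PowerShell script is an added example, not part of the original article, that does Step 4 without the Notepad copy-and-paste and at the same time checks the IdP metadata from Step 2. It pulls Splunk's SP signing certificate out of the SP metadata, writes it as a properly wrapped PEM .cer file, and prints the ADFS token-signing certificate's thumbprint and expiry plus the POST-binding SSO and SLO endpoints so they can be compared with what Splunk auto-populates later. The three file paths are assumptions; change them to where you saved the metadata.

```powershell
# Added example (not from the original article). Run on an admin PC or the ADFS server.
# Paths are assumptions: adjust to where the Step 2 / Step 3 metadata files were saved.
$SpMetadataPath  = 'C:\SSO\splunk-sp-metadata.xml'
$IdpMetadataPath = 'C:\SSO\adfs-idp-metadata.xml'
$SpCertOutPath   = 'C:\SSO\splunk-sp-signing.cer'

# Load a metadata file and prepare a namespace manager so md:* and ds:* XPath works.
function Get-MetadataXml([string]$Path) {
    [xml]$xml = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    return @{ Xml = $xml; Ns = $ns }
}

# Return the base64 body of the certificate for a role descriptor and key use,
# i.e. the text between <ds:X509Certificate> and </ds:X509Certificate>, whitespace removed.
function Get-MetadataCertificate($Meta, [string]$Role, [string]$Use) {
    # $Role is SPSSODescriptor or IDPSSODescriptor; $Use is 'signing' or 'encryption'.
    $xpath = "//md:$Role/md:KeyDescriptor[@use='$Use' or not(@use)]//ds:X509Certificate"
    $node = $Meta.Xml.SelectSingleNode($xpath, $Meta.Ns)
    if (-not $node) { throw "No $Use certificate found under $Role in metadata" }
    return ($node.InnerText -replace '\s', '')
}

# Write a PEM file: header, base64 wrapped at 64 columns, footer.
function Write-PemCertificate([string]$Base64, [string]$OutPath) {
    $lines = @('-----BEGIN CERTIFICATE-----')
    for ($i = 0; $i -lt $Base64.Length; $i += 64) {
        $len = [Math]::Min(64, $Base64.Length - $i)
        $lines += $Base64.Substring($i, $len)
    }
    $lines += '-----END CERTIFICATE-----'
    Set-Content -Path $OutPath -Value $lines -Encoding Ascii
}

# Decode the base64 DER so thumbprint, subject and validity can be shown.
function ConvertTo-X509([string]$Base64) {
    $bytes = [Convert]::FromBase64String($Base64)
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
}

$sp  = Get-MetadataXml $SpMetadataPath
$idp = Get-MetadataXml $IdpMetadataPath

# Step 4: Splunk's SP signing certificate -> .cer for the Trusted People store and the RP trust.
$spB64 = Get-MetadataCertificate $sp 'SPSSODescriptor' 'signing'
Write-PemCertificate $spB64 $SpCertOutPath
$spCert = ConvertTo-X509 $spB64
"Splunk SP signing cert: $($spCert.Subject) thumbprint $($spCert.Thumbprint) expires $($spCert.NotAfter)"
"Splunk entityID in SP metadata: $($sp.Xml.DocumentElement.GetAttribute('entityID'))"

# Step 2 check: what ADFS publishes, to compare with the fields Splunk fills in during Step 9.
$idpB64  = Get-MetadataCertificate $idp 'IDPSSODescriptor' 'signing'
$idpCert = ConvertTo-X509 $idpB64
"ADFS token-signing cert: thumbprint $($idpCert.Thumbprint) expires $($idpCert.NotAfter)"
$post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
$sso = $idp.Xml.SelectSingleNode("//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='$post']", $idp.Ns)
$slo = $idp.Xml.SelectSingleNode("//md:IDPSSODescriptor/md:SingleLogoutService[@Binding='$post']", $idp.Ns)
"ADFS SSO (POST): $($sso.Location)"
"ADFS SLO (POST): $($slo.Location)"
```

Note the expiry printed for the ADFS token-signing certificate: ADFS rolls that certificate automatically when AutoCertificateRollover is on, and Splunk Cloud only knows the certificate that was in the metadata at import time, so the IdP metadata has to be re-imported into Splunk before the rollover or sign-in breaks.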
Step5: Create a Relying Party Trust
- Log into the ADFS 2016 server and open the management console.
- Right-click Service>Relying Party Trusts>Select Add Relying Party Trust from the top right corner of the window.
- Click Claims aware>Click Start
- Click Import Data about the relying party
- Browse the location where you saved Splunk metadata, select metadata, and Click Next
- Type the Display Name as SplunkRP, Click Next
- Ensure I do not want to configure multi-factor authentication […] is chosen, and click Next
- Permit all users to access this relying party.
- Click Next and clear the check box that opens the claims issuance policy (Edit Claim Rules) dialog when the wizard closes; the rules are added in Step 6.
- Close this page. The new relying party trust appears in the window.
- Right-click on the relying party trust and select Properties.
- On the properties, choose the Encryption tab and remove the encryption certificate, so that ADFS sends plain signed assertions rather than encrypted ones.
- Choose the Signature tab and make sure the Splunk Certificate was imported
- Select the Advanced tab and set the Secure hash algorithm to SHA-1. SHA-1 signatures are deprecated; if the Splunk Cloud SAML configuration lets you choose SHA-256 as the signature algorithm, set SHA-256 here and on the Splunk side instead and only fall back to SHA-1 if the tenant rejects SHA-256 responses.
- Click the Identifiers tab. The relying party identifier imported from the Splunk metadata is 'splunkEntityId'. Remove it and add the new identifier splunk-yourinstance; the same value is entered as the Entity ID in Splunk in Step 9.
- Under the Endpoints tab, make sure the SAML Assertion Consumer endpoint is https://yourinstance.splunkcloud.com/saml/acs with a POST binding and index 0.
- Under the Endpoints tab, make sure the SAML Logout endpoint is https://yourinstance.splunkcloud.com/saml/logout with a POST binding.
- Click Apply, Click Ok.
Step6: Add Claim Rule for the Relying Party
- Log into the ADFS server and open the management console.
- Right-click on the Splunk relying party trust and select Edit Claim Rules.
- Click the Issuance Transform Rules tab.
- Click Add Rules. Add a Rule Type the Name as Rule1
- Ensure Send LDAP Attributes as Claims is selected, and click Next
- Enter the following:
Claim Rule Name = Rule1
Attribute Store = Active Directory
| LDAP Attribute                   | Outgoing Claim Type |
| Token-Groups - Unqualified Names | Role                |
- Click Finish. Click Apply
- Click Add Rules. Add a Rule Type the Name as Rule2
- Ensure Transform an Incoming Claim is selected, and click Next
- Enter the following:
| Claim Rule Name         | Rule2                |
| Incoming claim type     | UPN                  |
| Incoming name ID format | Unspecified          |
| Outgoing claim type     | Name ID              |
| Outgoing name ID format | Transient Identifier |
- Click Finish. Click Apply
Step7: Import Splunk Certificate into ADFS Server
- Sign into ADFS Server, Open Command Prompt as an Administrator, type MMC.exe
- Click File, Click Add/Remove Snap-in
- Click Certificates, Click Computer Account
- Right Click on Trusted People>All Tasks>Import Certificate
- Browse the location of certificate and import
- Close MMC.
- Repeat these steps in all ADFS Servers in your farm.
Step8: Set SigningCertificateRevocationCheck to None
Sign into the primary ADFS server, open PowerShell as an administrator, and run the following. The Splunk SP signing certificate is typically self-signed and carries no CRL or OCSP information, so ADFS's default revocation check on it fails and the signed AuthnRequests from Splunk are rejected until the check is disabled for this trust:
Set-ADFSRelyingPartyTrust -TargetName "SplunkRP" -SigningCertificateRevocationCheck None
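The script below is an added example, not part of the original article, that performs the ADFS side of Steps 5 to 8 with the ADFS PowerShell cmdlets instead of the management console, which is handy for repeating the setup on a second farm or for reviewing what the console actually wrote. The trust name, entity ID and file paths are assumptions that mirror the article's placeholders, and the .cer file is the one produced in Step 4. The two claim rule texts are what the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates generate for Rule1 and Rule2.

```powershell
# Added example (not from the original article). Run as administrator on the primary ADFS 2016 server.
# Assumed names and paths; change them to match your environment.
$RpName     = 'SplunkRP'
$EntityId   = 'splunk-yourinstance'
$SpMetadata = 'C:\SSO\splunk-sp-metadata.xml'
$SpCertPath = 'C:\SSO\splunk-sp-signing.cer'   # the .cer written in Step 4

# Rule1: Token-Groups (unqualified names) -> Role claim.
# ";tokenGroups;{0}" is the store query that "Token-Groups - Unqualified Names" maps to.
$rule1 = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Rule1"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Rule2: UPN -> Name ID with the transient name ID format.
$rule2 = @'
@RuleTemplate = "MapClaims"
@RuleName = "Rule2"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Step 5: create the trust from Splunk's SP metadata (endpoints and signing certificate are
# taken from the file) with the "Permit everyone" access control policy the wizard offers.
if (-not (Get-AdfsRelyingPartyTrust -Name $RpName)) {
    Add-AdfsRelyingPartyTrust -Name $RpName -MetadataFile $SpMetadata -AccessControlPolicyName 'Permit everyone'
}

# Step 5 properties, Step 6 rules and Step 8 in one call:
#  - Identifier replaces the 'splunkEntityId' value imported from the metadata
#  - EncryptClaims $false removes assertion encryption (the Encryption tab in the console)
#  - SignatureAlgorithm: SHA-256 shown; use 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
#    only if the tenant cannot accept SHA-256
#  - SigningCertificateRevocationCheck None: Splunk's SP certificate has no CRL/OCSP to check
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -Identifier $EntityId `
    -EncryptClaims $false `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceTransformRules ($rule1 + "`n" + $rule2) `
    -SigningCertificateRevocationCheck None

# Step 7: add Splunk's signing certificate to Trusted People on this node (repeat on every farm node).
Import-Certificate -FilePath $SpCertPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople' | Out-Null

# Read the trust back so the result can be compared with the console checks in Step 5.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
$rp | Select-Object Name, Identifier, SignatureAlgorithm, EncryptClaims, SigningCertificateRevocationCheck
$rp.SamlEndpoints | Select-Object Protocol, Binding, Index, Location
```

The last two lines should show the identifier splunk-yourinstance, the ACS endpoint https://yourinstance.splunkcloud.com/saml/acs with the POST binding at index 0, and the logout endpoint https://yourinstance.splunkcloud.com/saml/logout, matching the Identifiers and Endpoints tabs described above.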
Step9: Configure SplunkCloud in your instance
- On the Splunk instance as an admin user, choose Settings -> Access Controls -> Authentication Method. Choose SAML, then click the 'Configure Splunk to use SAML' button. On the SAML Groups page that opens, click the SAML Configuration button in the upper right corner.
- The SAML Configuration popup window will appear. Click on Select File to import the XML Metadata file (or copy and paste the contents into the Metadata Contents textbox) and click Apply.
- The following fields should be automatically populated by the metadata:
Single Sign On (SSO) URL
Single Log Out (SLO) URL
IdP's certificate file
Sign AuthnRequest (checked)
Sign SAML response (checked)
- Enter the Entity ID as splunk-yourinstance, the same value set as the relying party identifier in ADFS in Step 5.
- Scroll down to the ‘Advanced Settings‘ section.
Enter the Fully Qualified Domain Name (FQDN) of the Splunk Cloud instance, 'https://yourinstance.splunkcloud.com'.
Enter '0' (zero) for the Redirect port (the load balancer's port).
Set the Attribute Alias Role to ‘http://schemas.microsoft.com/ws/2008/06/identity/claims/role’
It may also be necessary to set an Attribute Alias for 'Real Name' and 'Mail', but not all implementations require these settings. If you set them, ADFS must also issue matching claims (for example a further Send LDAP Attributes rule for Display-Name and E-Mail-Addresses), otherwise those fields stay empty in Splunk. Click Save to save the configuration.
- The next step is set up the SAML groups. Within the Splunk ‘Settings->Access Controls->Authentication Method->SAML Settings‘ page, click the green “New Group” button
- Enter a group name that matches the value ADFS sends in the Role claim. With "Token-Groups - Unqualified Names" that value is the group's name as created in Step 1, so the Group Name typed into Splunk must match it exactly, for example:
| Group Name (type this name on the New Group page) | Splunk Role (select from Available Roles) | Active Directory Security Group |
| SG-SplunkAdmin                                    | admin                                     | SG-SplunkAdmin                  |
| SG-SplunkUsers                                    | user                                      | SG-SplunkUsers                  |
- Click Save.
Step10: Testing SSO
- To test SSO, visit https://yourinstance.splunkcloud.com/ in a fresh browser session. You will be redirected to the ADFS sign-in page; enter your on-premises credentials (UPN and password). You should be redirected back to Splunk Cloud, signed in with the Splunk role mapped from your AD group. Keep https://yourinstance.splunkcloud.com/en-US/account/login?loginType=splunk as the fallback: that URL bypasses SAML and shows the local Splunk login form, which is how an administrator gets back in if the ADFS configuration is wrong.
- Also test logging out of Splunk, you should be re-directed to the Splunk SAML logout page.