
SAML SSO Authentication for Splunk with G Suite

From early on, our team used ELK (Elasticsearch-Logstash-Kibana) for log management and analytics. ELK served us well, but as our business has grown we’ve found ourselves fighting to scale. We needed a more flexible, easy-to-manage solution, particularly for clustering, and it needed to be on-premises.

Long story short, we chose Splunk. The specifics on why, and our learnings on migrating from ELK to Splunk, are a story for another day. For today, we’ll focus on our experience configuring Splunk Cluster SSO login via SAML with Google (G Suite) as the Identity Provider.

We struggled to find much helpful, implementation-specific documentation on the subject, and fought our way through largely via trial and error. We’re hoping you’ll find this step-by-step implementation guide useful in saving you time and effort.

Background

SAML, Security Assertion Markup Language, is an XML-based open standard for exchanging identity, authentication and authorization assertions between entities, generally between a Service Provider and an Identity Provider. With SAML you can support Single Sign-On (SSO) to multiple systems, and a large number of enterprises and service providers select it as their protocol for exchanging identities. SAML removes dependencies on platform and vendor, takes password handling and its security concerns away from service providers, and gives them a single point of authentication.

SAML authentication works on a trust basis between a Service Provider and an Identity Provider: the Service Provider trusts the Identity Provider to authenticate users, and the Identity Provider generates security assertions for authenticated users that the Service Provider consumes.

SAML is simple to use and secure.

  • A single user password/identity provider for multiple different systems
  • Avoids exposing passwords to service providers
  • Service providers never communicate with Identity Providers – no need for network connectivity between them
  • There is no token, session or user-related data stored at the Service Provider

The SAML authentication flow is as follows:

  1. The user tries to connect to the Service Provider from a browser.
  2. The Service Provider responds with a SAML authentication request and the Identity Provider URL to redirect to. The browser receives the response and redirects to the Identity Provider, carrying the SAML request.
  3. The Identity Provider receives the redirected request, authenticates the user and generates a SAML response to the browser.
  4. The browser forwards the SAML response to the originating Service Provider, along with the attributes that carry the user's profile fields.
  5. The Service Provider verifies the SAML response and logs the user in.

Configuring SAML SSO Authentication for Splunk with G Suite

Step 1: Create a Custom User Attribute in G Suite with the Attribute Name “Role”

Step 2: Add a Custom SAML App in the G Suite Admin Panel

When adding a SAML application you will see a number of application types that Google supports, but Splunk isn’t one of them, so you have to create your own custom app, as described in the Google support docs.

In the next setup screen, Google shows the identity provider configuration: the SSO URL, the Entity ID and the certificate. Splunk needs all three to connect to G Suite.

Note the SSO URL and Entity ID, download the certificate, and upload it to your Splunk home folder with read permissions for the Splunk user.

In the next setup screen, enter basic display information about your app.

In the following setup screen, enter the configuration information for your Service Provider.

The ACS (Assertion Consumer Service) URL is the URL on Splunk that receives the SAML response from the Identity Provider. It is typically https://<yoursplunkdomain.com>/saml/acs.

For Entity ID, use https://<yoursplunkdomain.com>.

Similarly, the Start URL is your Splunk web server domain, e.g. https://<yoursplunkdomain.com>.

Name ID: the subject identifier used to identify the user between the IdP and the Service Provider.

Then map the attributes for the user fields that will be exchanged between Splunk and G Suite, e.g. role (the custom attribute created in Step 1), name and email. You can modify these later if needed.

Step 3: Configure Splunk to Use IDP (Identity Provider) Credentials

There are two ways to configure Splunk to use Google as the IdP.

Configure via the Splunk Web dashboard:

  1. Log in to Splunk
  2. Go to Settings
  3. Go to Access controls under Users and authentication
  4. Click on Authentication method
  5. Select the external method SAML and click on SAML settings
  6. Then SAML configuration in the top right corner
  7. If you downloaded the metadata XML from Google, upload it under Metadata XML
  8. Otherwise, enter the SSO URL, Entity ID and certificate noted in Step 2 manually
  9. Save

Configure via configuration files:

  1. Edit or create the configuration file authentication.conf at
    $SPLUNK_HOME/etc/system/local/authentication.conf
    Settings in this file override the defaults shipped under $SPLUNK_HOME/etc/system/default.
    Example (the xxxxxxxx values are the IdP id from your Google SSO URL and Entity ID; the password is a placeholder):

    
    [authentication]
    authSettings = saml
    authType = SAML
    
    [saml]
    # Service Provider identity: must match the Entity ID entered in the G Suite custom app
    entityId = https://splunk.yourdomain.com
    fqdn = https://splunk.yourdomain.com
    # Certificate downloaded from the Google IdP information screen in Step 2
    idpCertPath = $SPLUNK_HOME/etc/auth/idpCert.pem
    idpSLOUrl = https://accounts.google.com/Logout?hl=en&continue=https://mail.google.com/mail
    # SSO URL and Entity ID from the Google IdP information screen in Step 2
    idpSSOUrl = https://accounts.google.com/o/saml2/idp?id=xxxxxxxxxxx
    issuerId = https://accounts.google.com/o/saml2?idpid=xxxxxxxx
    redirectAfterLogoutToUrl = https://splunk.yourdomain.com
    redirectPort = 443
    replicateCertificates = false
    # Sign outgoing authentication requests and require the IdP to sign its assertions
    signAuthnRequest = true
    signedAssertion = true
    sloBinding = HTTPRedirect
    # Splunk's own key file used for signing, and its password (placeholder value)
    sslKeysfile = /opt/splunk/splunk/etc/auth/server.pem
    sslKeysfilePassword = asdhalsdkaslkdalsdhalshdlasdhl
    ssoBinding = HTTPRedirect
    
  2. Save
  3. Restart Splunk
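To make step 5 of the flow concrete, here is an added example (not code from the original post or from Splunk) of the checks a Service Provider performs on the response it receives at the ACS URL, using the entityId, issuerId and signedAssertion values from the configuration above. The SAMPLE_RESPONSE is a constructed message with an empty Signature placeholder, and only the standard library is used, so the XML-DSig itself is not verified here; a real SP must verify it against idpCertPath with an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values taken from the [saml] stanza above; acsUrl is fqdn + /saml/acs.
SP_CONFIG = {"entityId": "https://splunk.yourdomain.com",
             "acsUrl": "https://splunk.yourdomain.com/saml/acs",
             "issuerId": "https://accounts.google.com/o/saml2?idpid=xxxxxxxx",
             "signedAssertion": True}
# Constructed sample shaped like the response the browser POSTs to the ACS URL in
# step 4 of the flow; the empty Signature element stands in for a real XML-DSig.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://splunk.yourdomain.com/saml/acs">
  <saml:Assertion>
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=xxxxxxxx</saml:Issuer>
    <ds:Signature/>
    <saml:Subject><saml:NameID>alice@yourdomain.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="2999-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://splunk.yourdomain.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>power</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def validate_response(xml_text, cfg, now=None):
    """Step-5 service-provider checks; returns (ok, reason, attributes).
    Only the presence of the Signature element is checked here (signedAssertion)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if root.get("Destination") != cfg["acsUrl"] or assertion is None:
        return False, "wrong destination or no assertion", {}
    if cfg["signedAssertion"] and assertion.find("ds:Signature", NS) is None:
        return False, "assertion not signed", {}
    if assertion.findtext("saml:Issuer", namespaces=NS) != cfg["issuerId"]:
        return False, "unexpected issuer", {}
    cond = assertion.find("saml:Conditions", NS)
    nb, na = (datetime.fromisoformat(cond.get(k).replace("Z", "+00:00"))
              for k in ("NotBefore", "NotOnOrAfter"))
    if not nb <= now < na:
        return False, "assertion outside its validity window", {}
    if cfg["entityId"] not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        return False, "audience is not our entityId", {}
    # Attribute names are the ones mapped in the G Suite custom app (role, name, email).
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall(".//saml:Attribute", NS)}
    return True, "ok", attrs
```

The returned role attribute is what Splunk maps to one of its roles (user, admin, can_delete, power) when the user is logged in.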

Step 4: Select G Suite Users to Allow Access to Splunk

  1. Log in to the G Suite admin console
  2. Select Users
  3. Select the user to give access to
  4. Select Account
  5. Click on Edit below Manage user attributes
  6. Enter the role for that user
  7. Splunk supports multiple user roles, so set the role attribute to the Splunk role you want to give that user. For example, the roles are: user, admin, can_delete, power. Every role has a defined set of operations; select the one that is relevant for that user.
  8. Update the user

Now, that user should be able to login to Splunk using SSO.

That’s it! We hope you find this guide useful, and may the Force be with you.
