Securing Splunk with Single Sign On & SAML




Copyright 2015 Splunk Inc.
Securing Splunk with Single Sign On & SAML
Nachiket Mistry, Sr. Software Engineer, Splunk
Rama Gopalan, Sr. Software Engineer, Splunk

Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Through 2016, Federated Single Sign-On Will Be the Predominant SSO Technology, Needed by 80 Percent of Enterprises. - Gartner

Rama Gopalan: Sr. Software Engineer, 5+ years with Splunk, rgopalan@splunk.com

Nachiket Mistry: Sr. Software Engineer, 3+ years with Splunk, 5 major releases, 50+ maintenance releases, nmistry@splunk.com

Agenda
- Why Single Sign On (SSO)
- Splunk SSO
- Splunk SSO with SAML

Wikipedia on Single Sign On

Why Single Sign On (SSO)
- Reduce administration
- Time savings for users
- Increase user adoption
- Increased security

Configuring Splunk SSO: 4 Step Process

Configuring SSO in Splunk

1: Configuring LDAP

Configuring LDAP

$ cat etc/system/local/authentication.conf
[authentication]
authSettings = OpenLDAP
authType = LDAP

[OpenLDAP]
host = myldaphost.splunk.com
nestedGroups = 0
port = 389
bindDN = cn=manager,dc=openldap,dc=splunk,dc=com
...

Authorizing LDAP Users

Configuring LDAP

$ cat etc/system/local/authentication.conf
...
[roleMap_OpenLDAP]
admin = Static Help Admin;Static Sustaining Admin
user = Nested Group

2: Configuring Reverse Proxy

Configuring Apache as Reverse Proxy

$ sudo a2enmod proxy_http
...
ProxyRequests off
ProxyPass / http://mysplunkhost:8000/
ProxyPassReverse / http://mysplunkhost:8000/
...

3: Reverse Proxy Handles Authentication

Apache & LDAP

$ sudo a2enmod authnz_ldap ldap
...
AuthType Basic
AuthBasicProvider ldap
AuthName OpenLDAP
AuthLDAPURL ldap://myldaphost.splunk.com:389/ou=people,dc=splunk,dc=com
AuthLDAPBindDN "cn=manager,dc=openldap,dc=splunk,dc=com"
AuthLDAPBindPassword "password"
require valid-user
...

Finally: Enable SSO

Set the User Name Header

$ sudo a2enmod rewrite
...
RewriteEngine on
RewriteRule .* - [E=RU:%{REMOTE_USER}]
RequestHeader set REMOTE_USER %{RU}e
...

Enable SSO in Splunk

$ cat etc/system/local/server.conf
[general]
trustedIP = 127.0.0.1

$ cat etc/system/local/web.conf
[settings]
trustedIP = 127.0.0.1,10.162.255.123
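The trusted-IP settings above are what make the REMOTE_USER header safe to honour: the header counts only when the connection comes from the proxy. The following is an added example, not Splunk's code and not from the original slides; it is a simplified model of that decision, and the function names, the header lookup and the sample peer addresses are assumptions.

```python
import ipaddress

# Constructed sample: the web.conf value from the slide above.
TRUSTED = "127.0.0.1,10.162.255.123"


def parse_trusted(value):
    """Split a comma-separated list into (single addresses, rejected entries)."""
    addrs, rejected = set(), []
    for item in (v.strip() for v in value.split(",")):
        if not item:
            continue
        try:
            addrs.add(ipaddress.ip_address(item))
        except ValueError:
            # Ranges, wildcards and hostnames widen or blur the trust boundary.
            rejected.append(item)
    return addrs, rejected


def sso_user(peer_ip, headers, trusted, header="REMOTE_USER"):
    """Return the asserted user, or None when normal login must apply.

    The header counts only if the TCP peer is a trusted proxy; the same
    header sent from any other address is ignored.
    """
    if ipaddress.ip_address(peer_ip) not in trusted:
        return None
    for name, value in headers.items():
        if name.lower() == header.lower() and value.strip():
            return value.strip()
    return None


if __name__ == "__main__":
    trusted, rejected = parse_trusted(TRUSTED)
    print(sso_user("10.162.255.123", {"REMOTE_USER": "alice"}, trusted))
    print(sso_user("10.162.255.50", {"REMOTE_USER": "admin"}, trusted))
    print(rejected)
```

The same reasoning applies on the Apache side: the proxy sets REMOTE_USER itself after LDAP authentication, so the value Splunk sees is the proxy's, not the browser's.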

Troubleshooting SSO: /debug/sso

Splunk SSO with SAML

SAML 2.0
- Security Assertion Markup Language
- XML based standard for browser based SSO
- Multiple protocols and bindings
- IDP: Identity Provider (trusted authority); SP: Service Provider
- IDPs out there: Ping Identity, Okta, OneLogin, Azure

Why SAML?
- Security
  - Credentials are not stored locally
  - Standard for Single Sign On
- Multi-Factor authentication

Splunk and SSO
- pre-SAML
- with SAML

[authentication]
authSettings = saml_settings
authType = SAML

Configure Splunk

Export SP Metadata

The Login Process

Participants: Splunk (SP), User/Browser, Ping Identity (IDP)

1. User accesses Splunk resource
2. Redirected to the IDP - AuthnRequest
3. IDP prompts the user for credentials
4. User enters credentials
5. IDP redirects back to Splunk, sends a SAML assertion
5b. Session cookie of Ping
6. Splunk checks the role attribute in the assertion and checks the role mapping
7. SUCCESS - User logged in

Configure the IDP (Ping Identity)
- IDP initiated SSO, SP initiated SSO, SP initiated SLO
- Attribute Query Request Supported
- Signed request/response
- Upload Splunk's certificate OR import Splunk's metadata

Configure Ping for SSO

Attributes in the SAML assertion

Why Attribute Query?
- When saved searches need to run
- Splunk uses the attribute query URL using basic auth and queries the IDP
- IDP returns attributes - mainly AD group information
- Splunk uses the role mapping and creates a session for the user
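Step 6 of the login process and the attribute query both end in the same decision: take the group values the IDP returned and run them through the role mapping. The following is an added example, not Splunk's code and not from the original slides. The assertion is constructed, the role map reuses the group names from the LDAP role map slide for illustration, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion. Signature, issuer and validity-window checks are
# assumed to have passed before this point; this code does not perform them.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>Static Help Admin</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Role map in the "splunk_role = group;group" form of the LDAP slide.
ROLE_MAP = {"admin": "Static Help Admin;Static Sustaining Admin",
            "user": "Nested Group"}


def assertion_groups(xml_text, attr="role"):
    """Return (NameID, set of values of the named attribute)."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:NameID", NS)
    values = root.findall(
        f".//saml:Attribute[@Name='{attr}']/saml:AttributeValue", NS)
    groups = {(v.text or "").strip() for v in values} - {""}
    user = (name_id.text or "").strip() if name_id is not None else ""
    return user, groups


def map_roles(groups, role_map):
    """Return Splunk roles whose mapped group list intersects the groups."""
    roles = []
    for role, mapped in role_map.items():
        if groups & {g.strip() for g in mapped.split(";")}:
            roles.append(role)
    return sorted(roles)


def login(xml_text, role_map):
    """Create a (user, roles) session, refusing users with no mapped role."""
    user, groups = assertion_groups(xml_text)
    roles = map_roles(groups, role_map)
    if not user or not roles:
        raise PermissionError("no NameID or no mapped role")
    return user, roles
```

A user who authenticates at the IDP but whose groups map to no role is refused, so an unmapped group such as "Contractors" grants nothing on its own.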

Set up SHC with SAML
- Configure all search heads with SAML
- Additional settings if there is a proxy or load balancer
- Single logout: search heads share a Ping session index

Q & A

THANK YOU