To set up secure single sign-on (SSO) between the Splunk platform and Okta, and so protect your important Splunk data, the first step is to enable Okta. This article explains the process for doing so.
The following example uses Splunk Enterprise 8.2.1, but you can repeat most of the steps below for Splunk Cloud Platform. However, you must ensure that SAML is enabled on your Splunk Cloud Platform instance first. To enable it, contact Splunk Support.
- Go to your Okta admin portal, click Applications > Browse App Catalog, and search for “Splunk”.
- Click Add for Splunk Enterprise, then enter an application label and your Splunk site URL.
- Click Next. On the next screen, ignore the options for SAML 2.0 and click Done.
- In your Splunk instance, click Settings > Authentication Method. Select SAML and then click Configure Splunk to use SAML.
- A pop-up appears. Click Download File to download Splunk's SP metadata. When setting up SAML with any application, metadata needs to be exchanged between the identity provider (Okta) and the SP, or application (Splunk).
Keep this Splunk configuration page open. You will return to it several times during this process.
- Open this XML file in Notepad++ or another text editor.
- Copy and paste the x509 certificate (the string inside the XML tags) to a new text file, prepending -----BEGIN CERTIFICATE----- and appending -----END CERTIFICATE-----.
- Save the file as splunk.cert.
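The copy-and-paste steps above can also be scripted. The following is an added example, not part of the original article or of Splunk's or Okta's tooling: it pulls the X509Certificate value out of SP metadata, checks that it is valid base64 for a DER structure, and wraps it in PEM armor. The function name and the sample metadata (built around a constructed byte string, not a real certificate) are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET


def metadata_cert_to_pem(metadata_xml: str) -> str:
    """Return the first X509Certificate found in SAML metadata as PEM text."""
    root = ET.fromstring(metadata_xml)
    # Match on the local name so the namespace prefix (ds:, none, ...) is irrelevant.
    node = next((el for el in root.iter()
                 if el.tag.rsplit("}", 1)[-1] == "X509Certificate"), None)
    if node is None or not (node.text or "").strip():
        raise ValueError("no X509Certificate element in metadata")
    b64 = "".join(node.text.split())            # drop line breaks and indentation
    der = base64.b64decode(b64, validate=True)  # raises on stray characters
    if not der.startswith(b"\x30"):             # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded value is not DER-encoded")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # 64-character PEM lines
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"


# Constructed sample input: 100 placeholder bytes that only look like DER.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(96))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="splunk-example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {SAMPLE_B64[:40]}
        {SAMPLE_B64[40:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # With real metadata, read the downloaded XML file and write the result to splunk.cert.
    print(metadata_cert_to_pem(SAMPLE_METADATA), end="")
```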
Configuring Okta Single Logout (SLO)
- In Okta, select the Sign-On Options tab in the Splunk Enterprise integration.
- Configure the role setting. This defines which Okta groups a user is a member of and is passed to Splunk Enterprise with the SAML authentication request. This example sets it to “Matches Regex” with the value .*, which means send anything. You can control which groups Splunk Enterprise actually uses later, so .* is normally fine to use.
- Select Enable Single Logout. Single Logout (SLO) is a feature that allows users to seamlessly and securely log out of Splunk Enterprise and Okta at the same time.
- Under Signature Certificate, upload your splunk.cert file.
Populating Splunk with Okta's metadata
- Click the Identity Provider Metadata link in the SAML 2.0 yellow setup box. This downloads a new XML file.
- In Splunk’s configuration page, upload this file by choosing Select File in the Metadata XML file field.
- Splunk auto-fills several fields for you. Make the following additional changes:
- Ensure that the “Single Log Out (SLO) URL” is set to Okta’s SLO endpoint. This URL is the same as the “Single Sign On (SSO) URL”, but with /sso/saml replaced by /slo/saml.
- Select the option to Sign AuthnRequest.
- Set Entity ID to <splunk-yourcompanyname>.
- Save the configuration.
- In Okta, add the same Entity ID under the Sign-on tab.
SAML setup is complete. The final step is to map your Okta groups to your Splunk roles.
Mapping Okta groups to Splunk roles
- In your Splunk deployment, after you save the SAML settings, you should be on the SAML Groups configuration page. Select New Group.
- Add group mappings. You can add multiple mappings and also map multiple Splunk roles to one Okta group. Assign a user to the app in Okta and test it out. This example sets the Okta group “myoktagroupname” to the Splunk admin role.
Users can now seamlessly log in to a Splunk deployment from the Okta portal with their own Splunk accounts. Users no longer need to remember or use their Splunk passwords.
Note the following:
- Splunk roles are automatically mapped from the groups they are in within Okta.
- In the event something goes wrong, log in as a standard Splunk user by going to:
- SAML users in Splunk are added or updated at the time of login. A user’s email address and full name are also sent from Okta as SAML attributes and are stored in Splunk.
For more information, refer to Configure SSO with Okta as your identity provider in Splunk Docs.
Now that you have enabled the integration, it's time to get data in and enhance the reporting and auditing already available in the Okta platform. Learn how with Getting Okta data into the Splunk platform.
If you still need assistance with your Okta integration, UK-based Somerford Associates can help. Somerford Associates is an award-winning Elite Partner with Splunk and the largest Partner Practice of Consultants in EMEA. We protect data, demonstrate that it is being managed effectively and derive greater value, by providing real-time insights to support effective decision making. With our specialist knowledge, skills, experience and strong reputation for enabling digital transformation at scale and at pace, we provide full delivery, including design, implementation, deployment and support. Find us on Splunk Partnerverse.