Splunk Lantern

Google: Workspace configuration as a SAML IdP with Splunk Cloud Platform


This article provides step-by-step guidance on configuring Google Workspace as a SAML IdP with Splunk Cloud Platform.

You'll need to complete several main steps to do this:

  1. Create a custom attribute in the Google Workspace directory
  2. Create a custom Splunk SAML application
  3. Enable the application
  4. Grant user access to the application
  5. Configure the Splunk SAML settings

Data required

Google: Workspace

Create a custom attribute in the Google Workspace directory

First, you'll need to create a custom attribute to manage the Splunk user role in the Google Workspace directory.

1. Click Directory, then Users, More Options, and then Manage custom attributes.

[Screenshot]

2. In the next screen, click Add Custom Attribute.

[Screenshot]

3. Configure the new custom attribute with the following parameters:

  • Category
    • splunk
  • Description
    • splunk
  • Custom fields
    • Name
      • role
    • Info type
      • Text
    • Visibility
      • Visible to user and admin
    • No. of values
      • Multi-value

This screenshot shows an example:

[Screenshot: Add Custom Fields]

Create a custom Splunk SAML application

Next, you will need to create a custom Splunk SAML application.

1. Click Apps, then Web and mobile apps, Add app, and then Add custom SAML app.

[Screenshot]

2. In the App details screen, enter an application name and description. You can also upload an icon for the application. Click Continue to proceed.

[Screenshot]

3. On the next screen you can download the IdP metadata file. Click Download Metadata and save the file to a download folder; you will need it when setting up the Splunk portion of the SAML configuration. You might also want to take a screenshot of the SSO URL, entity ID and certificate shown below the Download Metadata button for reference.

[Screenshot]

4. On the Service provider details screen, enter the details of your Splunk Cloud Platform instance. Use the following values, substituting the actual URL of your Splunk Cloud Platform instance.

  • ACS URL
    • https://YOUR-INSTANCE.splunkcloud.com/saml/acs
  • Entity ID
    • https://YOUR-INSTANCE.splunkcloud.com/
  • Start URL
    • https://YOUR-INSTANCE.splunkcloud.com/

See the following screenshot for an example. Click Continue when you have entered this information.

[Screenshot]

5. The last screen lets you configure attribute mappings, which control which user attributes are sent to Splunk in the SAML assertion during authentication. Click Add mapping to start adding attributes.

[Screenshot]

6. Add the following attribute mappings. These are case-sensitive.

Google Directory Attributes    App Attributes
First name                     Name
Primary email                  Email
role                           role

The screenshot below shows an example set of mappings. Click Finish when you are done.

[Screenshot]

Enable the application

After configuring Splunk as a SAML application, a summary screen is displayed. Under User Access, you can see that the application is marked as "OFF for everyone."

[Screenshot]

1. Click on the words OFF for everyone. The next screen allows enabling the SAML application across the organization. Click the ON for everyone radio button and Save to proceed.

[Screenshot]

Grant users access to the application

The final Google Workspace step is to set the Splunk role attribute on each user who will sign in.

1. Click on Directory, then Users. Next, click a username. You will be taken to a user summary page. Click User details under User information. This will take you to a new page where you can set the Splunk role.

[Screenshot]

2. Scroll down until you see the role attribute. In the example screenshot below, the role has been set to "user". This role must map to a local role on the Splunk Cloud Platform instance.

[Screenshot]
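The attribute mappings configured earlier (Name, Email and the multi-valued role attribute) and the requirement that each role value match a local Splunk role are easiest to verify by looking at what actually arrives in the assertion. The following script is an added example and is not part of the Splunk Lantern article or of any Splunk or Google code: it parses a constructed SAML Response, pulls the attributes out of the AttributeStatement, flags mapped attribute names that are missing or differ only in case, and reports which role values do not correspond to a local role. The response XML, its IDs and the set of local roles are all constructed placeholders.

```python
"""Inspect the attributes carried by a SAML assertion and check the role values.

Added example, not from the Splunk Lantern article. The response below is a
constructed sample (no signature, placeholder IDs); it is not validated here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of what the Google Workspace app would send after the
# mappings First name -> Name, Primary email -> Email, role -> role.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp-EXAMPLE" Version="2.0"
                Destination="https://YOUR-INSTANCE.splunkcloud.com/saml/acs">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE-IDP-ID</saml:Issuer>
  <saml:Assertion ID="_assert-EXAMPLE" Version="2.0">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE-IDP-ID</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Name">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Email">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="role">
        <saml:AttributeValue>user</saml:AttributeValue>
        <saml:AttributeValue>analyst</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed: the roles assumed to exist locally on the Splunk instance.
LOCAL_ROLES = {"admin", "power", "user", "can_delete"}


def extract_attributes(response_xml: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_required(attrs: dict, required=("Name", "Email", "role")) -> list:
    """Report mapped attribute names that are missing or differ only in case."""
    problems = []
    lower = {k.lower(): k for k in attrs}
    for want in required:
        if want in attrs:
            continue
        if want.lower() in lower:
            problems.append(f"attribute {want!r} sent as {lower[want.lower()]!r} (names are case-sensitive)")
        else:
            problems.append(f"attribute {want!r} missing from assertion")
    return problems


def resolve_roles(attrs: dict, local_roles=LOCAL_ROLES) -> tuple:
    """Split role values into those that exist locally and those that do not."""
    wanted = attrs.get("role", [])
    mapped = [r for r in wanted if r in local_roles]
    unmapped = [r for r in wanted if r not in local_roles]
    return mapped, unmapped


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_RESPONSE)
    for problem in check_required(attrs):
        print("WARN:", problem)
    mapped, unmapped = resolve_roles(attrs)
    print("mapped roles:", mapped)
    print("unmapped roles (grant nothing on Splunk):", unmapped)
```

In the sample, "user" resolves to a local role while "analyst" does not, which is exactly the situation the article warns about: a value typed into the Google directory that has no counterpart on the Splunk side silently grants nothing.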

Configure Splunk SAML settings

Once the Google Workspace portion has been configured, you are ready to configure the Splunk SAML settings.

1. Log in to Splunk as an administrator.

2. Click Settings, then Users and Authentication and then Authentication Methods. Choose the SAML radio button next to External. Click the SAML Settings link to proceed to the Identity Provider setup screen.

[Screenshot]

3. On the SAML Configuration screen, click Select File next to Metadata XML File. Find the GoogleIDPMetadata.xml file that you previously downloaded when setting up the Splunk SAML application in the Google configuration steps.

This should complete most of the required fields. Other fields that you should set are:

  • Entity ID
    • https://YOUR-INSTANCE.splunkcloud.com/
  • Fully qualified domain name or IP of the load balancer
    • https://YOUR-INSTANCE.splunkcloud.com/
  • Redirect port - load balancer port
    • 443
  • Redirect to URL after logout

The following screenshot shows an example of this:

[Screenshot: Splunk SAML Configuration]

4. Click Save to exit.
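Step 3 above relies on the GoogleIDPMetadata.xml file downloaded from Google Workspace to fill in the identity provider fields. The script below is an added example and is not part of the Splunk Lantern article or of any Splunk or Google code: it parses an IdP metadata file, extracts the entity ID, the single sign-on endpoints and the signing certificate that Splunk needs, and runs a few sanity checks before you save the SAML settings. The metadata XML is a constructed sample with a placeholder idpid and a placeholder certificate string, so it reproduces the structure of the real file but none of its values.

```python
"""Extract and sanity-check the values Splunk needs from an IdP metadata file.

Added example, not from the Splunk Lantern article. SAMPLE_METADATA is a
constructed stand-in for GoogleIDPMetadata.xml with placeholder values.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: same element layout as a Google IdP metadata file,
# placeholder idpid and certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE-IDP-ID"
    validUntil="2030-01-01T00:00:00.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE-IDP-ID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE-IDP-ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the entity ID, SSO endpoints by binding, signing certs and validity."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.iterfind("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use") in (None, "signing"):
            for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if cert.text and cert.text.strip():
                    certs.append(cert.text.strip())
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "signing_certs": certs,
        "name_id_formats": [n.text for n in idp.iterfind("md:NameIDFormat", NS)],
        "valid_until": root.get("validUntil"),
    }


def check_idp_metadata(info: dict) -> list:
    """List problems to fix before the Splunk SAML settings are saved."""
    problems = []
    if not info["entity_id"]:
        problems.append("entityID missing: Splunk cannot match the assertion Issuer")
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoint: nowhere to redirect users")
    for binding, url in info["sso"].items():
        if not (url or "").startswith("https://"):
            problems.append(f"SSO URL for {binding.rsplit(':', 1)[-1]} is not https: {url}")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Entity ID:", info["entity_id"])
    print("SSO (redirect):", info["sso"].get(REDIRECT))
    print("Signing certificates:", len(info["signing_certs"]))
    print("Problems:", check_idp_metadata(info) or "none")
```

The entity ID printed here is what Splunk compares against the Issuer of every incoming assertion, and the signing certificate is what it uses to verify them; if either is missing from the file you uploaded, the flow will fail even though the form fields appear populated.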

Testing

You are now ready to test. Open an incognito (private) browser window and browse to your Splunk Cloud Platform instance. You should be redirected to Google for authentication. Once authenticated, you are redirected back to the Splunk Cloud instance as part of the normal SAML assertion flow.

A SAML misconfiguration can lock both users and administrators out of Splunk Cloud. If you are locked out during the configuration process, use the following URL to reach the local login page and set the external authentication method back to None:

https://{name}.splunkcloud.com/en-US/account/login?loginType=splunk [replace {name} with your account name]

Next steps

The following links might be helpful to implement this configuration advice: