
Splunk authentication through VeridiumID

This example uses Splunk running in a Docker container.

  1. Start Splunk in a Docker container:

CODE
docker pull splunk/splunk:latest
docker run -d -p 8000:8000 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='TestPassword!-1' splunk/splunk:latest
  2. Connect to Splunk at http://localhost:8000 and log in as admin with the password TestPassword!-1.

  3. In Splunk, go to Settings → Authentication Methods → SAML → Configure Splunk to use SAML, then:

    1. SAML Configuration

      1. Download the file for later use in Veridium.

      2. Select file → upload the Veridium metadata.

      3. In EntityID, set the Entity ID taken from the Splunk metadata.

      4. In Advanced Settings, choose Persistent and set the FQDN of the LB. See printscreen 1.

    2. Add the group mapping between LDAP groups and local roles. See printscreen 2.

  4. Log in to websecadmin and do the following:

    1. Define a new attribute called role (lowercase, which is very important; taken from the Splunk documentation): Settings → Identity Provider → Configuration → subject Derived Attributes → Add subject derived Attribute. See printscreen 3.

      1. The internal mapping should be $.identityData.memberOf

    2. Enable the attribute in Settings → Identity Provider → SAML → Attributes → Enable for role.

    3. Download the metadata if not already done: Settings → Identity Provider → Download Internal Metadata.

    4. Create a new application: Applications → Add Saml app. See printscreen 4 for more details.

    5. If necessary, also enable Single Logout by going to Settings → Identity Provider → Configuration → Enable Single Logout.

After this, the login and logout in Splunk should be functional.
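
If the login succeeds at the IdP but Splunk assigns no role, the usual causes are the three settings above: the attribute name, the Persistent NameID format, and the group mapping. The following check is an added example, not part of the original procedure or of Veridium's or Splunk's tooling; it runs over an assertion saved from a test login and inspects attributes only, without validating the signature. The sample assertion, group DNs and mapping are constructed, and the assumption is that the role attribute carries memberOf values as group DNs.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion (not captured from a real deployment).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>CN=splunk-admins,OU=Groups,DC=example,DC=test</saml:AttributeValue>
      <saml:AttributeValue>CN=hr,OU=Groups,DC=example,DC=test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical LDAP group -> Splunk role mapping, mirroring the group mapping set in Splunk.
GROUP_TO_ROLE = {"CN=splunk-admins,OU=Groups,DC=example,DC=test": "admin"}

def check_assertion(xml_text, group_to_role):
    """Report the Splunk roles an assertion would yield and any configuration problems."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    if "role" not in attrs:  # the name must be exactly 'role', in lowercase
        wrong_case = [n for n in attrs if n and n.lower() == "role"]
        problems.append(f"no attribute named exactly 'role' (similar names: {wrong_case})")
    groups = attrs.get("role", [])
    roles = sorted({group_to_role[g] for g in groups if g in group_to_role})
    if groups and not roles:
        problems.append("no group in 'role' maps to a Splunk role")
    return {"roles": roles, "unmapped": [g for g in groups if g not in group_to_role], "problems": problems}

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, GROUP_TO_ROLE))
```

Groups listed under "unmapped" are sent by the IdP but grant nothing in Splunk, which is worth reviewing when memberOf exposes more groups than Splunk needs to see.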

Printscreen 1:

image-20250507-104446.png

Printscreen 2:

image-20250507-102054.png

Printscreen 3:

image-20250507-102334.png

Printscreen 4:

image-20250507-104550.png
