Security

Splunk SAML SSO MetadataExchange

Tsjunne
Engager

It is possible to setup ADFS to automatically refresh SAML metadata using an endpoint.
Splunk has such an endpoint accoring to the docs (/saml/spmetadata) , but it looks like it doesn't allow anonymous access.
Is there any way to exclude this path from authentication?
And the other way around, is it possible to have Splunk automatically refresh the IDP metadata?
This would enable the Splunk SSO setup to automatically refresh rollover certificates.

0 Karma
1 Solution

suarezry
Builder

For splunk, you could update the IdP config and/or certificates and then reload the authentication config:
https://answers.splunk.com/answers/129654/how-to-i-trigger-reload-of-authentication-configuration-pr...

To automatically retrieve /saml/spmetadata you would need to use REST API:
https://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTaccessExamples#admin.2FSAML-sp-metada...

View solution in original post

suarezry
Builder

For splunk, you could update the IdP config and/or certificates and then reload the authentication config:
https://answers.splunk.com/answers/129654/how-to-i-trigger-reload-of-authentication-configuration-pr...

To automatically retrieve /saml/spmetadata you would need to use REST API:
https://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTaccessExamples#admin.2FSAML-sp-metada...

Tsjunne
Engager

The whole point is to have an endpoint on each side that is accissible anonymously and be able to set up the application to poll the URL every once in a while to automatically refresh certificates. So the first link would assume that this is done manually and the second link passes authentication data. The /saml/spmetadata URL returns the metadata directly without the REST wrapper, so that would be more appropriate, but it also requires authentication.

0 Karma

suarezry
Builder

The whole point is to have an endpoint on each side that is accissible anonymously and be able to set up the application to poll the URL every once in a while to automatically refresh certificates.

I understand what you're looking for. To my knowledge that functionality doesn't exist. I'm giving you the next best option that I know of, unless someone else has a better suggestion.

So the first link would assume that this is done manually

You were asking for a way to update IdP metadata automatically. The question was pretty vague so my suggestion and link was a way to do this programmatically.

and the second link passes authentication data. The /saml/spmetadata URL returns the metadata directly without the REST wrapper, so that would be more appropriate, but it also requires authentication.

Again, that functionality doesn't exist. I'm suggesting a way for you to do this programmatically. Again, the implementation is up to you.

I'm curious, the splunk metadata does not change, why do you need a fresh copy?

0 Karma

Tsjunne
Engager

Well, the metadata also contains the certificate to verify the splunk signatures on the SAML requests. And this certificate has a limited lifetime. So if ADFS is able to fetch the new certificates on a schedule, there's no admin overhead to keep the two in sync.

But i guess that i could have the proxy handle the authorization for Splunk and then i'll have to write a custom scheduled task to fetch the meta data from ADFS, update the IDP certificate and reload the config like you suggested in the first link.

Thank for the pointer!

0 Karma

suarezry
Builder

Well, the metadata also contains the certificate to verify the splunk signatures on the SAML requests. And this certificate has a limited lifetime. So if ADFS is able to fetch the new certificates on a schedule, there's no admin overhead to keep the two in sync.

If you are referring to the splunk certificates then you simply generate third-party or self-signed certs with an extended lifetime like 3-5 years. It would save you the hassle. Does this work for you?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...