- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Authenticate to REST API through LDAP or SAML?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Authenticate to REST API through LDAP or SAML?
Hi,
Is there a way to authenticate to the API through LDAP or SAML? right now, the only way I can authenticate is by using a local static account that I have configured to have API access. However, our security policy prohibits the use of local unmanaged accounts. I have SAML authentication configured for web access, but when I try to use those same AD credentials to authenticate to the API it does not work.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
According to Splunk documentation, you can uses SAML with tokens:
"Create authentication tokens to use the REST APIs. Tokens are available for both native Splunk authentication and external authentication through either the LDAP or SAML schemes. To learn more about setting up authentication with tokens, see Set up authentication with tokens in the Securing Splunk Enterprise manual."
There are some SAML side requirements such as (per token doc): "Single Sign-On (SSO) schemes that use SAML. These schemes must either support Attribute Query Requests (AQR) or provide information through scripted authentication extensions."
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LDAP works fine, but using SAML for the CLI or API doesn't appear to be supported. See the "Unable to authenticate SSO users for CLI commands" issue at:
http://docs.splunk.com/Documentation/Splunk/7.0.0/Security/TroubleshootSAMLSSO
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am facing the same issue here. We have SAML configured for the web access, but I am not able to use the same AD credential to authenticate to the API. I am getting "Login Failed" as the response from the API. I noted that on the Splunk Cloud documentation, it mentions that "You cannot use SAML authentication with the REST API. ", will this apply to Splunk Enterprise as well? Is this a production limitation or is there a different to configure SAML to get around the issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does your AD account have restrictions on which hosts it can login from? I find that I can only make accounts work via the API if they do not have restricted login hosts, or are restricted to the hosts running Splunk (if they are domain members).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am keen to see what you are doing to resolve this issue. Have you contacted Splunk support in regards to this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am facing the same issue here, I do notice Splunk mentioned this on the Splunk Cloud REST API documentation: "You cannot use SAML authentication with the REST API. ". Not sure if the same applies to Splunk Enterprise.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not believe our accounts are restricted. I am checking with our AD admins but i am almost certain they are not.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
