I have been trying to configure SAML SSO for the search head clusters running behind the LB. Our setup is Splunk WIP (wide IP, port 80) --> two VIPs in each DC, which have the Splunk search head servers under them listening on port 8000. It is working fine with LDAP settings.
Has anyone come across this situation? Any ideas how to deal with this?
Thanks in Advance,
We do not have an SSL cert for our Splunk instance. However, I have the SSL cert of the federation URL copied onto each search head server under this path: $SPLUNK_HOME/etc/auth/idpCerts/
Below is the SAML configuration from authentication.conf:
[saml]
allowSslCompression = true
attributeQueryRequestSigned = false
attributeQueryResponseSigned = false
attributeQueryTTL = 3600
entityId = WebPortalSplunk
fqdn = http://webportalsplunk
idpSSOUrl = https://federationuat.client.bcorp.com/idp/startSSO.ping?PartnerSpId=WebPortalSplunk
maxAttributeQueryQueueSize = 100
maxAttributeQueryThreads = 2
redirectPort = 8000
signAuthnRequest = false
signedAssertion = false
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2
Thanks
Is your WIP http://webportalsplunk? Can you post the metadata that is generated from this config?
Is this from the search head that works with SAML but does not work with load balancing? Is your LB an F5? Do you have session persistence on your WIP to ensure that the same client is directed to the same search head? (I'm not sure if session persistence is actually required on the load balancer, this is just what we have configured in our working environment.)
Yes, if I generate the metadata from the pool members behind the VIP, SAML works.
Yes, our LB is F5. I think persistence is enabled. As of now, it works with LDAP perfectly. If you send me your email I can send the metadata file directly. I am not able to upload it here or use other file sharing tools.
Thanks, can you post the metadata generated from this config?
Sorry, I can't access http://pastebin.com as this is blocked in our proxy.
Can you share your LB setup? I am not able to generate the metadata with my setup using http:///saml/spmetadata, but I am able to generate it using http://:8000/saml/spmetadata
ltm pool /myPartition/traf_splunk_https_pool {
    description "Splunk Clustered Search Head Pool"
    load-balancing-mode predictive-member
    members {
        /myPartition/splunk1_node:8000 {
            address 192.168.0.11
        }
        /myPartition/splunk2_node:8000 {
            address 192.168.0.12
        }
        /myPartition/splunk3_node:8000 {
            address 192.168.0.13
        }
    }
    monitor /myPartition/https_splunk_8000
}
ltm virtual /myPartition/traf_splunk_https_vs {
    description "Splunk Clustered Search Head"
    destination /myPartition/192.168.12.12:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /myPartition/splunk_sourceaddr-persistence-profile {
            default yes
        }
    }
    pool /myPartition/traf_splunk_https_pool
    profiles {
        /Common/tcp { }
    }
    rules {
        /myPartition/restrictToInternal_irule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
Thanks. Our setup is below; how is it different from yours?
Wide IP
   |                 \
DC1 VIP             DC2 VIP
   |                 \
apache proxy1       apache proxy2
   |                 \
Splunksvr1:8000     Splunksvr2:8000
What's the purpose of your Apache proxy? Why not connect to the Splunk servers directly?
SAML does work on a search head cluster provided you use the same SSL certs across your search heads and that the metadata on each search head is the same. The metadata is based on your $SPLUNK_HOME/etc/system/local/authentication.conf settings.
If you are having problems with this then post your authentication.conf and I can help.
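One way to check the rule in the answer above (identical metadata on every search head) together with the per-node vs. VIP metadata difference raised earlier in the thread: an added Python example, not from the thread or from Splunk, that parses the SP metadata each node and the load-balanced front door serve and flags any entityID, AssertionConsumerService URL or signing-certificate mismatch. The sample metadata documents, hostnames and the /saml/acs path are constructed assumptions; in practice the dictionary would hold what each node's /saml/spmetadata actually returned.

```python
"""Compare SAML SP metadata across search heads (constructed samples stand in
for live fetches of /saml/spmetadata; hostnames and paths are assumptions)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def sp_metadata_summary(xml_text: str) -> dict:
    """Extract the fields an IdP keys on: entityID, ACS URL(s), signing cert(s)."""
    root = ET.fromstring(xml_text)
    acs = [e.get("Location") for e in root.findall(".//md:AssertionConsumerService", NS)]
    certs = [e.text.strip() for e in root.findall(".//ds:X509Certificate", NS)]
    return {"entityID": root.get("entityID"), "acs": sorted(acs), "certs": sorted(certs)}


def find_inconsistencies(docs: dict, expected_fqdn: str) -> list:
    """docs maps a source (search head or VIP) to its metadata XML. Returns
    findings; an empty list means every node agrees with the first one and
    every ACS URL sits under the fqdn the IdP was configured with."""
    summaries = {name: sp_metadata_summary(x) for name, x in docs.items()}
    baseline_name, baseline = next(iter(summaries.items()))
    findings = []
    for name, s in summaries.items():
        for field in ("entityID", "acs", "certs"):
            if s[field] != baseline[field]:
                findings.append(f"{name}: {field} differs from {baseline_name}")
        for url in s["acs"]:
            if not url.startswith(expected_fqdn.rstrip("/") + "/"):
                findings.append(f"{name}: ACS {url} is not under {expected_fqdn}")
    return findings


def _sample(entity_id: str, acs_url: str, cert: str = "MIIBsampleCertA==") -> str:
    """Constructed SP metadata document (minimal, for demonstration only)."""
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="{entity_id}"><md:SPSSODescriptor>'
            f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data>'
            f'</ds:KeyInfo></md:KeyDescriptor><md:AssertionConsumerService '
            f'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'Location="{acs_url}" index="0"/></md:SPSSODescriptor></md:EntityDescriptor>')


# Constructed: node 1 built its metadata from the shared fqdn, node 2 from its own host:port.
SAMPLE_DOCS = {
    "splunksvr1": _sample("WebPortalSplunk", "http://webportalsplunk/saml/acs"),
    "splunksvr2": _sample("WebPortalSplunk", "http://splunksvr2:8000/saml/acs"),
}

if __name__ == "__main__":
    for line in find_inconsistencies(SAMPLE_DOCS, "http://webportalsplunk") or ["consistent"]:
        print(line)
```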