SAML SSO on search head cluster behind load balancer

sivagct
Explorer

I have been trying to configure SAML SSO for the search head clusters running behind the LB. Our setup is Splunk WIP (wide IP, port 80) --> two VIPs, one in each DC, which have the Splunk search head servers under them listening on port 8000. It is working fine with LDAP settings.

  • We are able to get SSO working by generating the metadata from the individual search head server listening on port 8000. However, load balancing is not working, since it always redirects to the same server where we generated the metadata. How do we generate a SAML metadata file such that SAML SSO works with the Wide IP, like it does with LDAP?
  • I tried changing the saml/acs URL to the WIP but it doesn't work.

Has anyone come across this situation? Any ideas how to deal with this?

Thanks in Advance,

sivagct
Explorer

We do not have an SSL cert for our Splunk instance. However, I have the SSL cert of the federation URL copied to each search head server under this path: $SPLUNK_HOME/etc/auth/idpCerts/

Below is the saml configuration from authentication.conf

[saml]
allowSslCompression = true
attributeQueryRequestSigned = false
attributeQueryResponseSigned = false
attributeQueryTTL = 3600
entityId = WebPortalSplunk
fqdn = http://webportalsplunk
idpSSOUrl = https://federationuat.client.bcorp.com/idp/startSSO.ping?PartnerSpId=WebPortalSplunk
maxAttributeQueryQueueSize = 100
maxAttributeQueryThreads = 2
redirectPort = 8000
signAuthnRequest = false
signedAssertion = false
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2

Thanks

0 Karma

suarezry
Builder

Is your WIP http://webportalsplunk? Can you post the metadata that is generated from this config?

Is this from the search head that works with SAML but does not work with load balancing? Is your LB an F5? Do you have session persistence on your WIP to ensure that the same client is directed to the same search head? (I'm not sure if session persistence is actually required on the load balancer, this is just what we have configured in our working environment.)

0 Karma

sivagct
Explorer

Yes, if I generate the metadata from the pool members behind the VIP, SAML works.
Yes, our LB is F5. I think persistence is enabled. As of now, it works with LDAP perfectly. If you send me your email I can send the metadata file directly. I am not able to upload it here or use other file sharing tools.

0 Karma

suarezry
Builder

Thanks, can you post the metadata generated from this config?

0 Karma

sivagct
Explorer

Sorry, I can't access http://pastebin.com as this is blocked in our proxy.

0 Karma

sivagct
Explorer

Can you share your LB setup? Because I am not able to generate the metadata with my setup using http:///saml/spmetadata; I am able to generate it using http://:8000/saml/spmetadata

0 Karma

suarezry
Builder

ltm pool /myPartition/traf_splunk_https_pool {
    description "Splunk Clustered Search Head Pool"
    load-balancing-mode predictive-member
    members {
        /myPartition/splunk1_node:8000 {
            address 192.168.0.11
        }
        /myPartition/splunk2_node:8000 {
            address 192.168.0.12
        }
        /myPartition/splunk3_node:8000 {
            address 192.168.0.13
        }
    }
    monitor /myPartition/https_splunk_8000
}

ltm virtual /myPartition/traf_splunk_https_vs {
    description "Splunk Clustered Search Head"
    destination /myPartition/192.168.12.12:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /myPartition/splunk_sourceaddr-persistence-profile {
            default yes
        }
    }
    pool /myPartition/traf_splunk_https_pool
    profiles {
        /Common/tcp { }
    }
    rules {
        /myPartition/restrictToInternal_irule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

0 Karma

sivagct
Explorer

Thanks. Our setup is below; how is it different from yours?

Wide IP
  |-- DC1 VIP -> apache proxy1 -> Splunksvr1:8000
  `-- DC2 VIP -> apache proxy2 -> Splunksvr2:8000

0 Karma

suarezry
Builder

What's the purpose of your apache proxy? Why not connect to the splunk servers directly?

0 Karma

suarezry
Builder

SAML does work on a search head cluster provided you use the same SSL certs across your search heads and that the metadata on each search head is the same. The metadata is based on your $SPLUNK_HOME/etc/system/local/authentication.conf settings.

If you are having problems with this then post your authentication.conf and I can help.

0 Karma
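A consistency check for the requirement stated in the answer above (identical entityId and signing certificate on every search head, and an ACS URL that names the load balancer rather than an individual member on port 8000), as an added example that is not part of the thread; the metadata shape, hostnames and certificate strings are constructed placeholders:

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample SP metadata in the shape Splunk serves at /saml/spmetadata.
# Hostnames and certificate bytes below are placeholders, not values from the thread.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sample_metadata(entity_id, acs_base, cert_b64):
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
        <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{acs_base}/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def summarize(xml_text):
    """Extract the fields that must agree across every search head."""
    root = ET.fromstring(xml_text)
    acs = root.find(".//md:AssertionConsumerService", NS).get("Location")
    cert = root.find(".//ds:X509Certificate", NS).text.strip()
    return {
        "entity_id": root.get("entityID"),
        "acs_host": urlparse(acs).netloc,
        "cert_sha256": hashlib.sha256(cert.encode()).hexdigest()[:16],
    }

def check_cluster(metadata_by_host, expected_acs_host):
    """Return a list of problems; an empty list means the cluster is consistent.
    Every member must publish the same entityID and signing cert, and an ACS URL
    whose host is the load balancer name, not an individual member."""
    problems = []
    summaries = {h: summarize(x) for h, x in metadata_by_host.items()}
    for host, s in summaries.items():
        if s["acs_host"] != expected_acs_host:
            problems.append(f"{host}: ACS points at {s['acs_host']}, expected {expected_acs_host}")
    for key in ("entity_id", "cert_sha256"):
        if len({s[key] for s in summaries.values()}) > 1:
            problems.append(f"{key} differs between search heads")
    return problems
```

Feed it the metadata fetched from each member's /saml/spmetadata endpoint; any reported problem means the IdP will be handed a member-specific URL or an unrecognised signing key for some fraction of logins.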