Why is the Splunk SAML SSO unable to open direct email link?

sivagct
Explorer

Hello,

Since we switched to SAML SSO, we are unable to open Splunk links directly from our email. Every time I click on a link, it redirects to the IdP, authenticates, and then displays the portalinsight search page instead of the results of the query. The email link works if I am already signed in, but that is rare. I don’t have Splunk open most of the time.

Any ideas how to prevent this in SAML SSO?

Thanks in Advance.

0 Karma

elliotproebstel
Champion

I know this isn't a perfect answer, but I've experienced the same behavior and find it best to keep a tab open in my browser with a Splunk session. Any subsequent emails that contain links to Splunk reports open just fine as long as I keep one tab open with a current session. I think it has to do with the header rewriting necessary to redirect to the SSO service, but I'm not an expert in that area.

0 Karma

sivagct
Explorer

Yeah, that's the workaround and it works that way. However, I am not logged into Splunk all day, and the session won't be active all the time. It's kind of an inconvenience for the users to click twice to see the exact page.

0 Karma

p_gurav
Champion

Did you check the hostname passed in the email?

0 Karma

sivagct
Explorer

Yes, the email link has the hostname. Ideally, it should authenticate with SSO and then direct to the results page. Instead, it takes us to the default search. We need to click the email link again to view the results, keeping the same session.

0 Karma

p_gurav
Champion

Can you verify the hostname in alert_actions.conf and the actual hostname of your Splunk instance?

0 Karma

sivagct
Explorer

In alert_actions.conf, we have the VIP name:port, not the actual name of the search head server. We have three search head servers; it has the VIP name:port, and Splunk SSO works with the VIP.

0 Karma

p_gurav
Champion

Can you try changing it to only the hostname? Refer to the below:

hostname = <string>
     * Sets the hostname used in the web link (url) sent in alerts.
     * This value accepts two forms.
        * hostname
         examples: splunkserver, splunkserver.example.com
        * protocol://hostname:port
         examples: http://splunkserver:8000, https://splunkserver.example.com:443
     * When this value is a simple hostname, the protocol and port which
       are configured within splunk are used to construct the base of
       the url.
     * When this value begins with 'http://', it is used verbatim.  
       NOTE: This means the correct port must be specified if it is not
       the default port for http or https.
     * This is useful in cases when the Splunk server is not aware of
       how to construct an externally referencable url, such as SSO
       environments, other proxies, or when the Splunk server hostname
       is not generally resolvable.
     * Defaults to current hostname provided by the operating system, or if that fails "localhost".
     * When set to empty, default behavior is used.

0 Karma
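
Added example (not part of the thread and not Splunk's own code): a Python check that classifies the `[email]` `hostname` value against the two forms listed in the spec text above and derives the resulting link base. It assumes web.conf's `httpport` and `enableSplunkWebSSL` supply the "protocol and port which are configured within splunk", treats `https://` like `http://`, and uses constructed sample values; `classify_hostname`, `link_base` and `matches_sso_entry` are hypothetical helper names.

```python
import re
from configparser import ConfigParser

# Constructed sample configs; host names and ports are placeholders.
ALERT_ACTIONS = "[email]\nhostname = splunk-vip.example.com:8000\n"
WEB_CONF = "[settings]\nhttpport = 8000\nenableSplunkWebSSL = true\n"

BARE_HOST = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")
FULL_URL = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d+)?/?$", re.I)


def classify_hostname(value):
    """Map an [email] hostname value onto the forms the spec text lists."""
    value = value.strip()
    if not value:
        return "empty"         # spec: default behavior is used
    if FULL_URL.match(value):
        return "url"           # protocol://hostname:port
    if BARE_HOST.match(value):
        return "hostname"      # protocol and port come from Splunk's config
    return "undocumented"      # e.g. name:port with no protocol


def _parse(text):
    # Only '=' separates key and value, so a ':' inside a value is kept.
    parser = ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    return parser


def link_base(alert_actions_text, web_conf_text, os_hostname="localhost"):
    """Return (form, base_url); base_url is None for an undocumented form."""
    aa, web = _parse(alert_actions_text), _parse(web_conf_text)
    value = aa.get("email", "hostname", fallback="").strip()
    form = classify_hostname(value)
    if form == "url":
        return form, value     # used verbatim
    if form == "undocumented":
        return form, None
    host = value if form == "hostname" else os_hostname
    # Assumed defaults when web.conf does not set them: http on port 8000.
    ssl = web.getboolean("settings", "enableSplunkWebSSL", fallback=False)
    port = web.get("settings", "httpport", fallback="8000")
    return form, f"{'https' if ssl else 'http'}://{host}:{port}"


def matches_sso_entry(base_url, sso_url):
    """True when alert links start at the same origin users sign in through."""
    if base_url is None:
        return False
    return base_url.rstrip("/").lower() == sso_url.rstrip("/").lower()
```

A `name:port` value with no protocol, as in the constructed sample, falls outside both documented forms and is reported as `undocumented` rather than guessed at.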

sivagct
Explorer

We will make this change and test for the behavior. I will update you on the status. Thanks for your help.

0 Karma

sivagct
Explorer

Hello,

Sorry, it did not work; it is still the same. Whenever it does the SSO, it always redirects to http:////en-US/app/portalinsight/search, and we need to click the link again to see the results page.

0 Karma

sivagct
Explorer

Hi Gurav, do you have any other suggestions to make it work?

0 Karma