Secure SSO with TLS certificates on Splunk Enterprise

Use Transport Layer Security (TLS) certificates to secure single sign-on (SSO) operations on Splunk Enterprise. Starting in version 10.4.0, Splunk Enterprise supports version 1.3 of the TLS protocol for SSO connections.

This configuration applies to Splunk Enterprise only. Splunk Cloud Platform already secures communications end-to-end between your browser and the instance.

The following settings in the [authenticationSAML] stanza of the authentication.conf configuration file control TLS verification between the Splunk Enterprise instance and the Simple Object Access Protocol (SOAP) endpoint that provides the AttributeQuery service, along with the SAML request and response handling that depends on it. Other authentication methods, such as Duo MFA and RSA MFA, use separate stanzas in authentication.conf, each with its own sslVersions setting.

Setting name (setting type)
    Description

sslVersions (comma-separated list)
    The TLS protocol versions that the Splunk Enterprise instance supports for SSO connections. Supported values are "tls1.2" and "tls1.3". The default in version 10.4.0 and higher is tls1.2,tls1.3. SSLv2 and SSLv3 are always turned off. TLS 1.0 and TLS 1.1 are turned off by default in version 10.4.0 and higher.

sslVersionsForClient (comma-separated list)
    The TLS protocol versions that Splunk Enterprise uses for outbound SSO connections, for example when it acts as a SAML service provider and makes requests to an IdP. Supported values are "tls1.2" and "tls1.3". The default in version 10.4.0 and higher is tls1.2,tls1.3.

sslCommonNameToCheck (string)
    When set, Splunk Enterprise limits most outbound HTTPS connections to hosts that present a certificate with this common name. The sslVerifyServerCert setting must be "true" for this setting to have an effect.

sslAltNameToCheck (comma-separated list)
    When set, Splunk Enterprise accepts a server certificate whose Subject Alternative Name matches any of the names in this list. The sslVerifyServerCert setting must be "true" for this setting to have an effect.

ecdhCurveName (string)
    The name of the Elliptic Curve Diffie-Hellman (ECDH) curve that Splunk Enterprise uses for ECDH key negotiation in TLS 1.2 connections. This setting does not apply to TLS 1.3 connections. In TLS 1.3, key exchange groups are configured with the groups setting in the [tls1.3] stanza of the server.conf configuration file.

serverCert (string)
    The path to the server certificate file.

sslPassword (string)
    The password for the server certificate file.

caCertFile (string)
    The file that holds the public certificate of the authority that signs the certificates. Splunk Enterprise validates the certificate that the remote host presents against this file.

sslVerifyServerCert (Boolean)
    Whether Splunk Enterprise verifies that the server it connects to presents a valid certificate. When "true", Splunk Enterprise checks both the common name and the alternate names of the server certificate and considers the certificate valid if either matches. When "false", the sslCommonNameToCheck and sslAltNameToCheck settings have no effect.

blacklistedAutoMappedRoles (comma-separated list)
    Splunk roles that Splunk Enterprise must not auto-map, even if they arrive in the response from the IdP.

blacklistedUsers (comma-separated list)
    User names that Splunk Enterprise must reject when they arrive in the IdP response.

nameIdFormat (string)
    The format of the Subject in the SAML assertion that Splunk Enterprise requests when it makes a SAML authentication request, if the IdP supports that format.

ssoBinding (string)
    The binding that Splunk Enterprise uses when it makes a service-provider-initiated SAML request. The binding must match the one configured on the IdP.

sloBinding (string)
    The binding that Splunk Enterprise uses when it makes a logout request or sends a logout response. The binding must match the one configured on the IdP.

signatureAlgorithm (string)
    The signature algorithm for service-provider-initiated SAML requests. The signedAuthnRequest setting must be "true" for this setting to have an effect. The algorithm applies to both the HTTP POST and HTTP Redirect bindings.

inboundSignatureAlgorithm (semicolon-separated list)
    The signature algorithms that the Splunk platform accepts in SAML responses. This setting applies to both the HTTP POST and HTTP Redirect bindings.

replicateCertificates (Boolean)
    Whether Splunk Enterprise automatically replicates IdP certificate files across the members of a search head cluster. If turned off, you must replicate the certificate files manually, or verification of SAML-signed assertions fails.
Note: For TLS 1.3 connections, configure TLS 1.3-specific settings such as cipher suites and key exchange groups using the [tls1.3] stanza in the server.conf configuration file. See Configure TLS protocol version support for secure connections between Splunk platform instances for details.
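As an added example (not from the Splunk documentation or Splunk's own code), the following Python script parses the [authenticationSAML] stanza of an authentication.conf file and flags the combinations described above that leave TLS verification ineffective: deprecated protocol versions, sslVerifyServerCert left off while name checks are configured, verification turned on without a caCertFile trust anchor, SHA-1 based inbound signature algorithms, and certificate replication turned off. Both sample stanzas are constructed; the path /opt/splunk/etc/auth/idp-ca.pem, the example host names, the treatment of absent sslVerifyServerCert as "false", and the policy that SHA-1 signature algorithms are weak are assumptions of the example, not values from this page.

```python
"""Audit the [authenticationSAML] stanza of a Splunk authentication.conf for weak
TLS and SAML signature settings. Added example, not Splunk code: it reads the
settings documented above and reports what a reviewer would flag."""
import configparser
from typing import Dict, List

# Constructed sample stanzas (not from a real deployment). The first carries the
# mistakes this audit catches; the second is the hardened equivalent. Paths and
# host names are placeholders.
WEAK_CONF = """
[authenticationSAML]
sslVersions = tls1.0,tls1.1,tls1.2
sslVersionsForClient = tls1.2,tls1.3
sslVerifyServerCert = false
sslCommonNameToCheck = idp.example.com
inboundSignatureAlgorithm = RSA-SHA1;RSA-SHA256
replicateCertificates = false
"""

HARDENED_CONF = """
[authenticationSAML]
sslVersions = tls1.2,tls1.3
sslVersionsForClient = tls1.2,tls1.3
sslVerifyServerCert = true
caCertFile = /opt/splunk/etc/auth/idp-ca.pem
sslCommonNameToCheck = idp.example.com
sslAltNameToCheck = idp.example.com,sso.example.com
inboundSignatureAlgorithm = RSA-SHA256;RSA-SHA512
replicateCertificates = true
"""

ALLOWED_VERSIONS = {"tls1.2", "tls1.3"}   # the values this page lists as supported
WEAK_SIG_ALGS = {"RSA-SHA1", "DSA-SHA1"}  # SHA-1 based XML signature algorithms (audit policy, assumed)


def parse_saml_stanza(text: str) -> Dict[str, str]:
    """Return the [authenticationSAML] settings as a dict; empty if the stanza is absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case sensitive; do not lowercase them
    cp.read_string(text)
    if not cp.has_section("authenticationSAML"):
        return {}
    return dict(cp.items("authenticationSAML"))


def _is_true(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes", "on"}


def _split(value: str, sep: str) -> List[str]:
    return [v.strip() for v in value.split(sep) if v.strip()]


def audit_saml_tls(settings: Dict[str, str]) -> List[str]:
    """Return one finding string per weak or ineffective setting; empty list if clean."""
    findings: List[str] = []

    # Protocol versions: anything outside tls1.2/tls1.3 is deprecated or unsupported.
    for key in ("sslVersions", "sslVersionsForClient"):
        bad = [v for v in _split(settings.get(key, ""), ",") if v.lower() not in ALLOWED_VERSIONS]
        if bad:
            findings.append(f"{key}: unsupported or deprecated protocol versions {bad}; use tls1.2,tls1.3")

    # Server certificate verification and the name checks that depend on it.
    # An absent sslVerifyServerCert is treated as false here (assumption of this audit).
    verify = _is_true(settings.get("sslVerifyServerCert", "false"))
    if not verify:
        findings.append("sslVerifyServerCert is not true: the IdP/AttributeQuery server certificate is not validated")
        for key in ("sslCommonNameToCheck", "sslAltNameToCheck"):
            if settings.get(key):
                findings.append(f"{key} is set but has no effect while sslVerifyServerCert is false")
    elif not settings.get("caCertFile"):
        findings.append("sslVerifyServerCert is true but caCertFile is unset: there is no trust anchor to validate against")

    # Inbound assertion signatures: reject SHA-1 based algorithms.
    weak = [a for a in _split(settings.get("inboundSignatureAlgorithm", ""), ";") if a.upper() in WEAK_SIG_ALGS]
    if weak:
        findings.append(f"inboundSignatureAlgorithm accepts SHA-1 based algorithms {weak}; remove them")

    # Certificate replication across search head cluster members.
    if "replicateCertificates" in settings and not _is_true(settings["replicateCertificates"]):
        findings.append("replicateCertificates is false: IdP certificate files must be replicated manually across search head cluster members or assertion verification fails")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in audit_saml_tls(parse_saml_stanza(text)) or ["no findings"]:
            print(" -", finding)
```

Run it against a copy of $SPLUNK_HOME/etc/system/local/authentication.conf (or the app-level file that carries the stanza) by replacing the constructed strings with the file contents. The audit deliberately flags name-check settings that are present while sslVerifyServerCert is off, because that combination looks hardened in a config review but does nothing at connection time.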