Splunk, Auth0 and SAML SSO - part 1: IdP configuration

In order to remediate password fatigue problem, companies are implementing SSO solutions. This approach is not only beneficial for the user who can benefit by using single credentials for multiple applications but also significantly reduces administrative overhead (for instance, all the user privileges can be revoked just with a single click!). 

In this short guide we are going to see how to integrate Splunk with and an Identity Provider (IdP) using SAML protocol. There are several big IAM companies which can act as an IdP, such as Okta, Ping Identity or Auth0. I am going to use Auth0. As of today, this integration is not in the official Splunk documentation. I was able to find one blog post that discusses this scenario, however it is dated 06/2019 and seems incomplete/truncated. 

This post focuses on IAM part, while the next one examines Splunk configurations.

Glossary

ACS URL    An Assertion Consumer Service URL is an endpoint that is going to process IdP response (SAML assertion)
IAM    Identity & Access Management solutions are used to manage user identities and control access to the enterprise resources
IdP    IAM subsystem responsible for identity; also often understood as the company that provides this function as a service
Principal    A user or an application (service account) trying to authenticate.
SAML    Security Assertion Markup Language is an open authentication exchange standard.
SAML assertion    Information about the principal provided by IdP; also known as SAML response
SSO    Single Sign-on; an authentication scheme that allows a user to log in with a single set of credentials to multiple applications/systems

Setting up Auth0 as IdP

Creating a new app

  1. From the main Auth0 dashboard select Applications and click Create Application button.  
  2. Enter app name (such as "Splunk") and select Regular Web Applications as application type.

Configuring your app

  1. Click on your new app to see the details. Go to Addons tab. There is SAML2 WEB APP addon available.


  2. Click to enable the addon and enter your ACS URL: https://your-splunk/saml/acs


  3. On Usage tab click Download to get the XML file with Identity Provider Metadata. We are going to use it later to configure Splunk.


  4. Don't forget to add your ACS URL to Allowed Callback URLs! This setting is present on Settings tab, under Application URIs section.


Creating users

Go to User Management and choose Users. Click Create User. Provide an e-mail address and a password. Note: this has to be a valid address, as you are going to get a verification e-mail.

Creating roles

 Go to User Management and choose Roles. Click Create Role. You just need to provide name and description for the role. Any role name is fine, we are going to map these names to Splunk roles later.

Assigning roles to users

The last step of the user setup is to assign roles to users. This can be accomplished from User Management / Users dashboard. Use [...] button next to the user entry and select Assign roles from the menu. 

Returning role list in SAML token

By default, Auth0 does not provide information about user roles in the SAML assertion, yet they are required by Splunk. Fortunately, there is an easy way to add it. As per this blog post, go to Auth Pipeline / Rules and click Create. Use the code below. It will add rolez attribute containing user roles. For more details check the original post. 

function (user, context, callback) {
  // Get the user roles from the Authorization context
  const assignedRoles = (context.authorization || {}).roles;
  // Update the user object.
  user.rolez = assignedRoles;
  callback(null, user, context);
}

That's it! In the second part of this guide we are going to explore Splunk settings.

Comments

Post a Comment

Popular posts from this blog

Splunk: Authentication with Discord? Wht not! (OAuth 2.0)

Image
As some of you may already know, thanks to OAuth standard (which stands for Open Authorization) we don't need a separate account for every single website. It allows us to share information about our Google account with a third party, such as our name and e-mail address. On many sites we are free to use that "Login with Google/Facebook/other" button to sign up and/or login. Thanks to OAuth we don't have to give our password to the app/website. Upon login we are redirected to the OAuth provider site to login there (for instance to our Google account). And now the best part - if we are already logged on the provider site, this is likely to result in instant login on a third party site (sometimes interrupted by a pop up to confirm OAuth scope).  Here is a list of well-known OAuth providers (Wikipedia): https://en.wikipedia.org/wiki/List_of_OAuth_providers To get better understanding of OAuth 2.0 I would recommend reading these docs for developers: Using OAuth 2.0 to Acces
Read more

Study notes: Understanding DNSSEC

Image
DNSSEC Recently I have been researching materials covering DNSSEC as it is an important subject for LPIC-3 Exam 303. DNSSEC has been developed to address security issues of the DNS protocol, in particular preventing DNS cache poisoning attacks . Below I post DNSSEC description from Internet Corporation for Assigned Names and Numbers (ICANN), which I find useful and included in my study notes.  "DNSSEC strengthens authentication in DNS using digital signatures based on public key cryptography. With DNSSEC, it's not DNS queries and responses themselves that are cryptographically signed, but rather DNS data itself is signed by the owner of the data. Every DNS zone has a public/private key pair. The zone owner uses the zone's private key to sign DNS data in the zone and generate digital signatures over that data. As the name "private key" implies, this key material is kept secret by the zone owner. The zone's public key, however, is published in the zone itself
Read more

Linux: auditd fundamentals

Image
auditd stands for the audit daemon and it can be used to log events happening on a Linux host. It is a very powerful tool that can enable Threat Detection and/or - as the name suggests - create audit records. It writes to /var/log/audit/audit.log and collects such information as timestamp, PID, UID, Audit UID (auid), session info (ses), SELinux info (subj) and message (msg). Installation auditd is installed by default on most of the Linux distributions. In my case, I'm using RHEL 8 for the test purpose. The package is called audit .  Rules auditd is rule-based software and it support the following three types of rules: control : to configure general settings of the audit system, such as event rate limit, etc. file : file rules or watches can monitor files or directories and are using the following syntax: -w path-to-file -p permissions -k keyname syscall : these rules are loaded into the matching engine that intercepts every single syscall on the system and for this reason they
Read more