This is interpreted by SPL as a search for the text "expression" OR "with pipe". For example, A or B is expressed as A | B.īecause pipe characters are used to separate commands in SPL, you must enclose a regular expression that uses the pipe character in quotation marks. Here are a few things that you should know about using regular expressions in Splunk searches.Ī pipe character ( | ) is used in regular expressions to specify an OR condition. You can also use regular expressions with evaluation functions such as match and replace. You can use regular expressions with the rex and regex commands. That way you always have a way to log in locally with admin role if anything is wrong with SAML - without having to log a support case with Splunk in order to have it done for you.Splunk Search Processing Language (SPL) regular expressions are PCRE (Perl Compatible Regular Expressions). A suggestion is for you to create your own locally defined account that has the admin role assigned to it. Use that URL if you need to log into any existing locally defined account. This is the URL /en-US/account/login?loginType=splunk, in our example. There is a specific URL for your instance that you can point your browser to in order to get to the locally defined user login page for locally defined users. *" in order to send * all* groups to the Splunk Cloud instance. Note: You can use the Regex filter with the value ". In our example below we used Equals filter with the splunkcloudadmin value ( step 16).
Also, you need to have the same group(s) in Okta (assigned to your Splunk Cloud application users). This filter and value should cover the required group(s) in Splunk Cloud. Select a group filter and filter value for the role attribute. Still in Okta, select the Sign On tab for the Splunk Cloud app, then click Edit. In Okta, select the General tab for the Splunk Cloud app, then click Edit.įor example, if you log into, enter here.Įnter your Entity ID. In Splunk, go to Settings > Access controls > Authentication method, then click Reload authentication configuration: Note: You can use a regex expression in the role to set multiple roles per group.įor example: role Matches regex. Note that it can be a one to many relationship – you can have a group map to one or more Splunk Roles. The roles you select are copied over to the Selected Item(s) list. This name should be exactly the same value as user’s Group name in Okta.Ĭlick on one or more roles in the Splunk Roles - Available item(s) selection list. In the Create new SAML Group page, enter the following (see screen shot at end of step for reference):
Redirect port – load balancer port: Enter 0 (zero).īack in the SAML Settings panel, click New Group in the upper right hand corner: Scroll down to the Advanced Settings section and enter the following (see screen capture at end of step for reference):įully qualified domain name or IP of the load balancer of your instance: Enter. Note: This value is case sensitive so it should be typed in exactly as you are going to use in the Okta app ( step 18).Ĭheck Sign AuthnRequest and Sign SAML Response. Metadata Contents: Copy and paste the following: Sign in to Okta Admin app to have this variable generated for you.Įntity ID: Use the following value: Splunk-.įor example, if you log into, use Splunk-acme as the Entity ID. In the SAML Configuration page, enter the following (see screen capture at end of step for reference): In the SAML Settings panel, click SAML Configuration in the upper right hand corner: Login to Splunk Cloud as an administrator.įor External Authentication Method, select SAML, then click Configure Splunk to use SAML: In Okta, select the Sign On tab for the Splunk Cloud app, then click Edit.Ĭlick Browse and navigate to the splunkcloud.cert file you just saved ( step 5, above), then click Upload to upload it to Okta. Save the certificate into a non-formatted text file (Notepad for example), and place a row above the certificate with the text -BEGIN CERTIFICATE- and a row below the certificate with the text -END CERTIFICATE. From the metadata, capture the search head's certificate (masked out below) between the and, as shown below: Once SAML is enabled, open the following URL: /saml/spmetadata.įor example, if you log into, you should open this URL. The Okta/Splunk Cloud SAML integration currently supports the following features:Ĭontact the Splunk Cloud Support team and request that they enable SAML 2.0 for your account. Please use the Okta Administrator Dashboard to add an application and view the values that are specific for your organization. This setup might fail without parameter values that are customized for your organization.
0 kommentar(er)
