Configuring Splunk in Okta
Author: Jamie Turbill
Release Date: 20/08/2021
Splunk is a platform for machine data: it turns raw logs and events into something you can search, alert on and report against. Okta provides cloud-ready identity and access management, helping you secure access to your critical applications. This blog covers how you can integrate the two to protect access to your Splunk data. Let’s look at how you can achieve secure single sign-on to Splunk with Okta.
Adding the Splunk app to Okta
It’s no secret that Okta has a huge library of pre-built integrations in the Okta Integration Network (OIN). In fact, as I’m typing this there are over 6000 available! Perhaps it’s no surprise then that both Splunk Cloud and Splunk Enterprise are already available and are fully Okta Verified.
To set up Splunk and Okta, add the application to your Okta tenant. Go to your Okta admin portal, click on Applications > Browse App Catalog and search for “Splunk”.
We’ll ignore the Splunk Add-on for Okta here; it will be covered in the next part of this blog. Both Splunk Cloud and Splunk Enterprise are available and support SAML. Because the steps are virtually the same, we’ll focus on Splunk Enterprise today. You can repeat most of the steps below for Splunk Cloud, but you must ensure that SAML is enabled on your Splunk Cloud instance first! (Contact Splunk Support to enable it.)
Application label and general settings
Finally, save the certificate file as splunk.cert. Splunk uses this certificate to verify the signature on the assertions Okta sends, so keep it with the rest of your Splunk configuration.
Configuring Okta Single Logout (SLO)
Also configure the “role” attribute at the same time. This controls which of a user’s Okta group memberships are sent to Splunk as a SAML attribute in the assertion. I’ve set this to “Matches Regex” with the value .* – which means send every group in this case. (We control which groups Splunk actually uses later, so .* is normally fine; if your tenant has a very large number of groups, consider narrowing the filter so the assertion doesn’t carry every one of them.)
Populating Splunk with Okta's metadata
Once you import Okta’s metadata file, Splunk auto-fills several fields for you. Make a few other tweaks to this:
- Ensure that the “Single Log Out (SLO) URL” is set to Okta’s SLO endpoint. This URL is the same as the “Single Sign On (SSO) URL” with /sso/saml replaced by /slo/saml.
- Check the option to “Sign AuthnRequest”.
- Entity ID – set this to “splunk-yourcompanyname”. This must match the Entity ID / Audience URI configured on the Splunk app in Okta, otherwise Splunk will reject the assertion.
And that’s it! SAML setup is complete. You now just need to map your Okta groups to your Splunk roles, which you can do in Splunk once you save the SAML configuration.
Mapping Okta groups to Splunk roles
This example sets the Okta group “myoktagroupname” to the Splunk role “admin”. You can add multiple mappings here, and also map multiple Splunk roles to 1 Okta group. Simply assign a user to the app in Okta, and test it out!
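Everything configured through the Splunk UI above ends up in authentication.conf. The stanza below is an added example written for this post, not a file from the original article or from Splunk; the Okta org name, app path and ID, Splunk hostname and the second group name (splunk-readonly-users) are placeholders you must replace with your own values.

```ini
# authentication.conf - example for this post, not from the original article.
# example.okta.com, the app path/ID, splunk.example.com and
# splunk-readonly-users are placeholders; substitute your own values.

[authentication]
authSettings = saml
authType = SAML

[saml]
# Must match the Entity ID / Audience URI set on the Splunk app in Okta
entityId = splunk-yourcompanyname
# Splunk builds the Assertion Consumer Service URL from these two values
fqdn = https://splunk.example.com
redirectPort = 8000
# Filled in from the Okta metadata file
idpSSOUrl = https://example.okta.com/app/exampleorg_splunkenterprise_1/exk0000000000000000/sso/saml
# Same URL as idpSSOUrl with /sso/saml replaced by /slo/saml
idpSLOUrl = https://example.okta.com/app/exampleorg_splunkenterprise_1/exk0000000000000000/slo/saml
issuerId = http://www.okta.com/exk0000000000000000
# The Okta certificate saved earlier as splunk.cert, relative to
# $SPLUNK_HOME/etc/auth/idpCerts/
idpCertPath = splunk.cert
# Sign our AuthnRequests and require Okta to sign its assertions
signAuthnRequest = true
signedAssertion = true

[roleMap_SAML]
# <Splunk role> = <Okta group>;<Okta group>  (semicolon-separated)
# One Okta group may appear under several Splunk roles.
admin = myoktagroupname
user = myoktagroupname;splunk-readonly-users
```

Checking this file is a quick way to confirm that the SLO URL, Entity ID and certificate path really are what the UI saved, and the roleMap_SAML stanza shows both mappings described above: several Okta groups feeding one Splunk role, and one Okta group granting more than one Splunk role.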
In the event something goes wrong, you can always log in as a standard (locally authenticated) Splunk user by going to:
SAML users in Splunk are added/updated at the time of login. A user’s email address and full name are also sent from Okta as SAML attributes and are stored in Splunk.
Users do not need to remember a Splunk password ever again! In part 2 of this blog, we will look at how Splunk can enhance the reporting and auditing already available in the Okta platform, using the Splunk add-on for Okta.