Identify Splunk users, roles, and authentication schemes
After you have familiarized yourself with the configuration and data on your Splunk Enterprise deployment, review its security setup. This setup includes the users that are on the deployment, their permissions, and the authentication scheme that the deployment uses.
Splunk Enterprise supports several user authentication schemes:
- Splunk internal authentication with role-based user access
- Lightweight directory access protocol (LDAP)
- A scripted authentication API for use with an external authentication system, such as pluggable authentication modules (PAM) or remote authentication dial-in user service (RADIUS)
- Multifactor authentication
- Single sign-on, through either version 2 of the security assertion markup language (SAML) protocol or a proxy server
Internal authentication and role-based user access
Role-based access control lets you manage users and restrict or share Splunk Enterprise data. Splunk Enterprise masks data to users in a manner similar to how a relational database manages access to databases.
Discover or modify existing configurations
Familiarize yourself with existing users and the roles that they hold in the deployment. Roles determine what things the users see and the actions they can perform.
In Splunk Web, click Settings > Users to see all of your Splunk users. On the Users page you can click on roles and users to examine or edit permissions. You can use this page to build a list of the data available to each user or group of users. See Use access control to secure Splunk data in Securing Splunk Enterprise.
To find a specific user you can use the CLI to search for a user and role. See Find existing users and roles in Securing Splunk Enterprise.
LDAP authentication
When administrators configure Splunk to work with LDAP, they create something called "LDAP strategies". LDAP strategies are collections of configuration data that the Splunk platform uses to work with your LDAP configuration. Splunk can be directed to query these "strategies" in a particular order when searching for LDAP users. See Set up user authentication with LDAP in Securing Splunk Enterprise.
Discover or modify existing LDAP configurations
Familiarize yourself with the existing LDAP groups and permissions mappings by looking at all LDAP strategies in your deployment.
- From the system bar, select Settings > Authentication methods.
- Select LDAP.
- A link "Configure Splunk to use LDAP" appears. Select that link.
- The "LDAP strategies" page appears. From this page, you can select strategies and view their information and track those LDAP mappings to Splunk roles.
For further information on configuring LDAP strategies in Splunk Enterprise, see Configure LDAP with Splunk Web in Securing Splunk Enterprise.
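To track the same LDAP strategy to Splunk role mappings from the configuration file rather than Splunk Web, here is an added example (not Splunk's own code or documentation) that parses an authentication.conf and reports each strategy's role map, flagging strategies that are referenced but undefined, LDAP strategies without SSLEnabled, and LDAP groups mapped to the admin role. The sample configuration is constructed; the key names (authType, authSettings, SSLEnabled, roleMap_<strategy>) are those of Splunk's authentication.conf.

```python
import configparser

# Constructed sample authentication.conf (no real hosts or groups); the key
# names are the standard ones from Splunk's authentication.conf reference.
SAMPLE_CONF = """[authentication]
authType = LDAP
authSettings = corp_ldap, legacy_ldap
[corp_ldap]
host = ldap.example.internal
port = 636
SSLEnabled = 1
[legacy_ldap]
host = old-ldap.example.internal
port = 389
SSLEnabled = 0
[roleMap_corp_ldap]
admin = splunk-admins
power = splunk-power;soc-analysts
user = all-staff
[roleMap_legacy_ldap]
admin = it-ops;helpdesk
"""

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's case-sensitive key names (SSLEnabled)
    cp.read_string(text)
    return cp

def review_ldap_strategies(text):
    # Returns the active authType, each strategy's settings and role map, and findings.
    cp = load_conf(text)
    auth = cp["authentication"] if cp.has_section("authentication") else {}
    names = [n.strip() for n in auth.get("authSettings", "").split(",") if n.strip()]
    report = {"authType": auth.get("authType", "Splunk"), "strategies": {}, "findings": []}
    for name in names:
        if not cp.has_section(name):
            report["findings"].append(f"{name}: listed in authSettings but has no stanza")
            continue
        s, role_map = cp[name], {}
        if cp.has_section(f"roleMap_{name}"):  # [roleMap_<strategy>]: <role> = <group>;<group>
            for role, groups in cp[f"roleMap_{name}"].items():
                role_map[role] = [g.strip() for g in groups.split(";") if g.strip()]
        ssl = s.get("SSLEnabled") == "1"
        report["strategies"][name] = {"host": s.get("host"), "port": s.get("port"), "ssl": ssl, "roleMap": role_map}
        if not ssl:
            report["findings"].append(f"{name}: SSLEnabled is not 1; bind password and lookups cross the network in clear text")
        for group in role_map.get("admin", []):
            report["findings"].append(f"{name}: LDAP group '{group}' is mapped to the admin role")
    return report
```

Run it against a copy of your own authentication.conf to get the same strategy-to-role view the "LDAP strategies" page shows, plus the findings list for review.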
Multifactor authentication
Splunk Enterprise currently supports multifactor authentication with Duo Security. See About two-factor authentication with Duo Security in Securing Splunk Enterprise.
Find or modify existing configurations
Find out if your deployment uses Duo Multifactor Authentication through Splunk Web.
- From the system bar, select Settings > Authentication Methods.
- Under Multifactor Authentication, select Duo Security.
- A link "Configure Duo Security" appears. Select that link.
- If your deployment uses Duo MFA, a list of Duo MFA connections appears. On this page you can review and manage those connector configurations. See Configure Splunk Enterprise to use Duo Security two-factor authentication in Securing Splunk Enterprise for further information.
Single sign-on with the SAML protocol
Splunk software can leverage the SAML authentication protocol for single sign-on (SSO), using information provided by an external identity provider (IdP). See Authentication using single sign-on with SAML in Securing Splunk Enterprise.
Find or modify existing authentication configurations
Find out if your users are configured for SAML SSO.
- From the system bar, select Settings > Authentication Methods.
- Select SAML.
- A link "Configure Splunk to use SAML" appears. Select that link.
- The "SAML groups" page appears. You can view any SAML configurations and see if your system has SSO authentication configured for groups of users. From there you can drill down to your IdP information, the mapped groups, and the users assigned to that group.
Proxy single sign-on authentication
ProxySSO lets you configure single sign-on (SSO) for Splunk instances through a reverse proxy server. A user who has already logged in at the proxy can access Splunk Web without a separate Splunk login.
Find existing configurations
You can view the HTTP request headers that the proxy server sends to Splunk Web:
- Set enableWebDebug = true in the [settings] stanza of web.conf.
- Open http://<ProxyServerIP>:<ProxyServerPort>/debug/sso in a browser, going through the proxy.
ProxySSO login events are logged in var/log/splunkd.log.