Refresh expiring SAML identity provider certificates

When you configure the Splunk platform to use SAML as an authentication scheme, you can configure a certificate for your SAML identity provider. As with most security-related certificates, SAML IdP certificates expire after a period of time. When a certificate is due to expire, the Splunk platform notifies you of the upcoming expiration when you log into the Splunk platform instance.

If you don't replace your expiring IdP certificate with a new one, your Splunk platform instance cannot connect to the IdP, and SAML logins fail. To prevent this problem, update your IdP certificate and replace it before the expiration date.

Upload a refreshed identity provider certificate to your Splunk platform instance

The general procedure for refreshing an IdP certificate on your Splunk platform instance follows. Depending on the IdP you use and whether you use a standalone certificate or certificate chain, the general procedure might differ slightly.

  1. Log into your SAML identity provider and visit its configuration page.
  2. In the configuration page for your IdP, generate a new IdP certificate or certificate chain.
  3. Save the certificate or certificate chain as a file.
  4. Log into your Splunk platform instance and go to the SAML configuration page.
  5. On the SAML configuration page, upload the certificate or certificate chain.
  6. On the Settings > Authentication methods page, click "Reload authentication configuration."

Upload a standalone identity provider certificate to your Splunk platform instance

  1. On your IdP, generate new IdP metadata and download the metadata file or copy the metadata file contents.
  2. Log into your Splunk platform instance.
  3. From the system bar, select Settings > Authentication Methods.
  4. In the External section of the page that appears, select SAML.
  5. Select the Configure Splunk to use SAML link that appears.
  6. In the SAML configuration page, perform one of the following actions:
    • Under Metadata XML file, select Select file, then choose the IdP metadata file that you just saved, or
    • Under Metadata contents, paste the contents of the IdP metadata file you copied previously.
  7. Select Apply.
  8. Select Save to close the configuration page.
  9. In the Authentication Methods page, select Reload authentication configuration.

Upload an identity provider certificate chain to your Splunk platform instance

  1. On your IdP, generate the new IdP certificate.
  2. As necessary, arrange your IdP certificate chain as follows:
    • Your certificate chain must be in the privacy-enhanced mail (PEM) format, with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- around the text of each individual certificate.
    • You must arrange each certificate in the certificate chain as follows:
      • Root certificate
      • Any intermediate certificates
      • Leaf certificate
  3. Log into your Splunk platform instance.
  4. From the system bar, select Settings > Authentication Methods.
  5. In the External section of the page that appears, select SAML.
  6. Select the Configure Splunk to use SAML link that appears.
  7. In the SAML configuration page, under IdP certificate chains, paste the contents of the IdP certificate chain into the text field.
  8. Select Save to close the configuration page.
  9. In the Authentication Methods page, select Reload authentication configuration.
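As an added example, not Splunk's code and not part of this documentation, the following Python script checks a chain before you paste it in step 7, in the shape step 2 describes: five-dash PEM markers, the self-signed root first, each later certificate issued by the one before it, and the leaf last. It also flags any certificate that expires within 30 days, the condition behind the expiration notice described at the top of the page. It parses only the DER fields it needs using the standard library, so no third-party package is required. The certificate builder at the bottom produces constructed, unsigned test data for offline use; names such as `Example Root CA` and `idp.example.com` are made up, and the 30-day warning window is an assumption, not a Splunk setting.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# A PEM block must use exactly five dashes in both armour lines, as the page states.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")
FOUR_DASH_END = re.compile(r"(?<!-)----END CERTIFICATE-----")

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _tbs_fields(der):
    """Yield (tag, whole_tlv, value) for each top-level field of tbsCertificate."""
    _, cert_body, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, pos, end = _tlv(der, cert_body)              # tbsCertificate ::= SEQUENCE
    while pos < end:
        tag, vs, ve = _tlv(der, pos)
        yield tag, der[pos:ve], der[vs:ve]
        pos = ve

def cert_summary(der):
    """Return raw DER issuer/subject Names (compared byte-for-byte) and notAfter."""
    fields = list(_tbs_fields(der))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # RFC 5280 order: serialNumber, signature, issuer, validity, subject, ...
    issuer, validity, subject = fields[2][1], fields[3][2], fields[4][1]
    _, _, nb_end = _tlv(validity, 0)                # skip notBefore
    tag, s, e = _tlv(validity, nb_end)              # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.strptime(validity[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    return {"issuer": issuer, "subject": subject, "not_after": not_after}

def check_chain(pem_text, now=None, warn_days=30):
    """Report problems with a chain in the shape the page requires: five-dash PEM armour,
    root first, every later cert issued by the one before it, leaf last, and nothing
    expiring within warn_days. `now` may be a datetime or an ISO date string (default: today)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = (now or datetime.now(timezone.utc)).replace(tzinfo=timezone.utc)
    findings = []
    if FOUR_DASH_END.search(pem_text):
        findings.append("END marker has four dashes; PEM requires five")
    certs = [cert_summary(base64.b64decode("".join(b.split()))) for b in PEM_BLOCK.findall(pem_text)]
    if not certs:
        return findings + ["no PEM certificate blocks found"]
    if certs[0]["issuer"] != certs[0]["subject"]:
        findings.append("first certificate is not self-signed: root must come first")
    for i in range(1, len(certs)):
        if certs[i]["issuer"] != certs[i - 1]["subject"]:
            findings.append(f"certificate {i} was not issued by certificate {i - 1}: "
                            "order must be root, intermediates, leaf")
    for i, c in enumerate(certs):
        if c["not_after"] <= now:
            findings.append(f"certificate {i} expired on {c['not_after']:%Y-%m-%d}")
        elif c["not_after"] - now <= timedelta(days=warn_days):
            findings.append(f"certificate {i} expires on {c['not_after']:%Y-%m-%d}; refresh it")
    return findings

# --- Constructed test data: unsigned, X.509-shaped certificates, not real IdP certificates ---
def _der(tag, content):
    """Encode one definite-length DER TLV."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { commonName OID 2.5.4.3, UTF8String }."""
    return _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))))

def toy_cert_pem(subject, issuer, not_after_utctime):
    """Constructed certificate with a dummy signature: usable for shape/order/expiry checks only."""
    sha256_rsa = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(issuer)
               + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after_utctime.encode()))
               + _name(subject) + _der(0x30, b""))   # empty placeholder subjectPublicKeyInfo
    b64 = base64.b64encode(_der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed chain in the order the page requires: root, intermediate, leaf.
GOOD_CHAIN = (toy_cert_pem("Example Root CA", "Example Root CA", "301231235959Z")
              + toy_cert_pem("Example Issuing CA", "Example Root CA", "291231235959Z")
              + toy_cert_pem("idp.example.com", "Example Issuing CA", "250315120000Z"))

if __name__ == "__main__":
    for finding in check_chain(GOOD_CHAIN, now="2025-03-01"):
        print("finding:", finding)
```

To check a real chain, call `check_chain(open("idp-chain.pem").read())`; an empty list means the file is in the order the page expects and nothing expires within the warning window. The script compares the raw DER encodings of the issuer and subject Names, so an ordering finding means the certificate really was not issued by the one listed before it. It does not verify signatures, so treat it as a pre-upload sanity check, not a trust check.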