Configure Duo multifactor authentication for Splunk Enterprise in the configuration file

You can configure Duo multifactor authentication in Splunk Enterprise using configuration files.

The authentication.conf file determines how Splunk Enterprise uses Duo multifactor authentication to log users in.

To configure Duo multifactor authentication with this file, take the following steps:

  1. On the Splunk Enterprise instance where you want to configure Duo multifactor authentication, open the $SPLUNK_HOME/etc/system/local/authentication.conf file for editing.
  2. In the authentication.conf file, edit the [authentication] and [<2FA stanza name>] stanzas as follows:
    [authentication]
    externalTwoFactorAuthVendor = <Duo>
    externalTwoFactorAuthSettings = <2FA stanza name, usually 'duo-mfa'>
    
    [<2FA stanza name>]
    universalPrompt = True | False (Default: True)
    apiHostname = <API Hostname as provided by Duo>
    integrationKey = <Integration Key as provided by Duo>
    secretKey = <Secret Key as provided by Duo>
    appSecretKey = <Manually generated secret key specific to the Splunk application, required if 'universalPrompt=False'>
    failOpen = True|False (Default: False)
    timeout = <in seconds>
    
  3. Save the authentication.conf file and close it.
  4. Restart Splunk Enterprise.

If the universalPrompt setting has a value of True, Splunk Enterprise uses the Universal Prompt for Duo multifactor authentication. A value of False means that Splunk Enterprise uses the existing Traditional Prompt experience.

Note: Due to the announced deprecation of the Traditional Prompt, continued use of this experience might result in authentication failure in the future.
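
The following check is an added example, not part of the Splunk documentation or product. It reads the text of an authentication.conf file before the restart in step 4 and reports settings that leave Duo misconfigured or weakened. The names is_true, check_duo_conf and SAMPLE_WEAK are hypothetical, and the sample stanza values are constructed placeholders.

```python
import configparser

REQUIRED = ("apiHostname", "integrationKey", "secretKey")

def is_true(value):  # assumption: 1/t/yes/y count as true, as well as True
    return value.strip().lower() in ("true", "1", "t", "yes", "y")

def check_duo_conf(text):
    """Return a list of findings for the Duo settings in authentication.conf text."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep setting names as written (default lowercases them)
    cp.read_string(text)
    if not cp.has_section("authentication"):
        return ["no [authentication] stanza"]
    auth = cp["authentication"]
    if auth.get("externalTwoFactorAuthVendor", "").strip().lower() != "duo":
        return ["externalTwoFactorAuthVendor is not Duo"]
    name = auth.get("externalTwoFactorAuthSettings", "").strip()
    if not name or not cp.has_section(name):
        return ["externalTwoFactorAuthSettings names missing stanza [%s]" % name]
    duo, findings = cp[name], []
    for key in REQUIRED:
        if not duo.get(key, "").strip():
            findings.append("%s is not set" % key)
    # universalPrompt defaults to True; the Traditional Prompt needs appSecretKey.
    if not is_true(duo.get("universalPrompt", "True")):
        findings.append("universalPrompt=False selects the deprecated Traditional Prompt")
        if not duo.get("appSecretKey", "").strip():
            findings.append("appSecretKey is required when universalPrompt=False")
    # failOpen defaults to False; True lets logins skip Duo when Duo is unreachable.
    if is_true(duo.get("failOpen", "False")):
        findings.append("failOpen=True weakens MFA")
    return findings

# Constructed sample input: placeholder keys, Traditional Prompt, fail-open enabled.
SAMPLE_WEAK = """\
[authentication]
externalTwoFactorAuthVendor = Duo
externalTwoFactorAuthSettings = duo-mfa

[duo-mfa]
universalPrompt = False
apiHostname = api-XXXXXXXX.example.invalid
integrationKey = PLACEHOLDER_IKEY
secretKey = PLACEHOLDER_SKEY
failOpen = True
"""
for finding in check_duo_conf(SAMPLE_WEAK):
    print("WARN:", finding)
```

An empty list means the Duo stanza is internally consistent; the check does not contact Duo or verify that the keys are valid.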