Login and Permission Fallback

The login and permission fallback feature ensures uninterrupted access during maintenance or outages.

Login and permission fallback is an optional setting that keeps users working when Splunk Cloud Platform is temporarily unavailable. When fallback is enabled, users can sign in to Splunk Observability Cloud through a secondary single sign-on (SSO) integration, and they keep their most recent known roles and capabilities until Splunk Cloud Platform is reachable again.

Fallback is turned off by default. When it is off, users must sign in with Unified Identity, and a Splunk Cloud Platform outage can prevent access.

How Fallback Works

  • Users are matched to the same Splunk Observability Cloud account across login methods by email address.
  • Splunk Observability Cloud stores a snapshot of each user's roles and capabilities for up to one week after their most recent Unified Identity login. During fallback, it uses this snapshot.
  • If a user does not have a valid snapshot, for example, has not signed in with Unified Identity in the past week, the user uses the organization's default SSO role.
  • Username and password login remains unavailable for centralized user and role management users, even when fallback is enabled.
Note: Use the secondary login method only as a backup when the Splunk Cloud Platform or related services are unavailable. Sign in with Unified Identity to ensure full access to platform features, such as the Log Observer Connect default connection.

Limitation

Splunk Observability Cloud caches user roles and capabilities for up to one week. This cached snapshot is used for fallback authentication and is updated only when a user signs in with Unified Identity.

Issue
If roles or capabilities are modified in Splunk Cloud Platform after the last snapshot refresh, those changes will not be reflected in Splunk Observability Cloud until the user re-authenticates with Unified Identity.
Mitigation
Encourage users to sign in using Unified Identity whenever possible.

How to Set Up Login and Permission Fallback

Follow these steps as an administrator to set up login and permission fallback:
  1. Configure a secondary SSO integration.
    1. In Splunk Observability Cloud, go to Data Management > Available Integrations > Login Services
    2. Add an SSO integration. For more information, see Single Sign On.
    • Use the same identity source as the paired Splunk Cloud Platform stack, and assign the application to the users who have the o11y_access role in Splunk Cloud Platform. This keeps access synchronous between the primary and secondary login methods.
    • The email address in the identity provider (IdP) assertion must match the email address the user verified during their first Unified Identity login. The email address is how Splunk Observability Cloud identifies the user as the same account.
    • Give the integration a display name that identifies Unified Identity as the preferred login method. You can also clear Show on login page while fallback is not in use.
  2. Set a default SSO role.
    1. Go to Settings > General Settings > User Management .
    2. Select a role from the default SSO role drop-down list. For more information, see Set up a default SSO role.

      Splunk Observability Cloud automatically assigns roles to users who do not have a valid capability snapshot, such as those who have not signed in with Unified Identity in the past week.

  3. Optional: Turn fallback on or off when needed. Go to Settings > General Settings > User Management and select the allow fallback checkbox. Fallback is off by default.
    Allow Fallback For Alternative Login
    Note: Keep at least one administrator account that is not tied to Unified Identity. You need this account to turn on fallback when Splunk Cloud Platform is unavailable.