Configure authentication for Splunk platform users
Configure how Splunk platform users are authenticated when accessing Splunk UBA.
Configure load balancing for persistent sessions
Use a third-party hardware or software load balancer in front of your set of clustered search heads to access the set of search heads through a single interface, without needing to specify a particular one. Configure the load balancer so that user sessions are "sticky" or "persistent" to remain on a single search head throughout the session. See Use a load balancer with search head clustering in the Splunk Enterprise Distributed Search manual.
Configure Splunk authentication using Splunk UBA
Perform the following tasks to configure Splunk authentication using Splunk UBA:
- On the Splunk platform, create the same roles that exist in Splunk UBA. For first-time deployments, you must create the uba_user, uba_analyst, and uba_admin roles, along with any other custom roles created in Splunk UBA. There must be a one-to-one mapping of roles between the Splunk platform and Splunk UBA, and the role names must match. Role names are case-insensitive, so a role called uba_testRole on the Splunk platform maps to uba_testrole in Splunk UBA. To learn more about creating users and roles in the Splunk platform, see About users and roles.
  Note: When creating a new role in the Splunk platform, you must first select the uba_user role in the Inheritance section of the page. After the new role is created, it can be assigned to any user in the Splunk platform.
  When testing authentication with the Splunk platform, the user account being used for testing must also have one of the uba_user, uba_analyst, or uba_admin roles assigned to it.
- In Splunk UBA, select Manage > Settings.
- Verify that the Authentication tab is selected. It is selected by default.
- Select UBA Authentication to have your Splunk UBA instance authenticate users.
- Select Splunk Authentication to have your Splunk instance perform user authentication. You are prompted to provide additional information:
- Host name and port of your Splunk instance. If search head clustering is configured and a load balancer is available, it is recommended to specify the load balancer host name to avoid a single point of failure. Ensure that port 8089 is accessible on the load balancer.
- By default only the Splunk accounts with the uba_user role can log in as UBA users. If the Splunk Users option is selected, Splunk accounts with the user role can also log in as UBA users.
- By default only the Splunk accounts with the uba_admin role can log in as UBA admins. If the Splunk Admins option is selected, Splunk accounts with the admin role can also log in as UBA admins.
- Select both Splunk Users and Splunk Admins and click Test Connection to verify that the connection with your Splunk instance is working.
- Click OK to save your changes.
Configure Splunk authentication using the CLI
If you do not want to create new roles in the Splunk platform, set the allowSplunkUserRole and allowSplunkAdminRole settings to true to allow users with the Splunk platform user role or admin role, respectively, to log in to Splunk UBA from the Splunk platform.
- Log in to the Splunk UBA management server as the caspida user using SSH.
- Open the /etc/caspida/local/conf/uba-site.properties file.
- Edit or create the ui.splunk.authentication setting to match the following example:
  ui.splunk.authentication={"hostname": "<SplunkServer>", "port": "8089", "allowSplunkUserRole": true, "allowSplunkAdminRole": false}
  Set allowSplunkUserRole to true to allow users with the user role in the Splunk platform to view data from Splunk UBA in the Splunk platform. Replace <SplunkServer> with the Splunk search head host name. If search head clustering is configured and a load balancer is available, it is recommended to specify the load balancer host name to avoid a single point of failure. Ensure that port 8089 is accessible on the load balancer.
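The following Python script is an added example, not part of the Splunk documentation or product. It reviews the ui.splunk.authentication setting and the role mapping described above before you rely on them. The function names, the sample host name, and the role lists passed in are assumptions made for illustration.

```python
import json

KEY = "ui.splunk.authentication"
DEFAULT_UBA_ROLES = {"uba_user", "uba_analyst", "uba_admin"}  # named on this page

def parse_auth_setting(properties_text):
    """Return the parsed JSON value of ui.splunk.authentication, or None."""
    value = None
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        if name.strip() == KEY:
            # If the key is repeated, the last line is used here (assumption).
            value = json.loads(raw.strip())
    return value

def audit(properties_text, splunk_roles, uba_roles):
    """Return findings for the auth setting and the Splunk-to-UBA role mapping."""
    cfg = parse_auth_setting(properties_text)
    if cfg is None:
        return [f"{KEY} is not set"]
    findings = []
    host = str(cfg.get("hostname", ""))
    if not host or host.startswith("<"):
        findings.append("hostname is empty or still a placeholder")
    if str(cfg.get("port")) != "8089":
        findings.append(f"port is {cfg.get('port')!r}, expected 8089")
    # These flags widen access from the uba_* roles to built-in Splunk roles.
    for flag, role in (("allowSplunkUserRole", "user"),
                       ("allowSplunkAdminRole", "admin")):
        if cfg.get(flag) is True:
            findings.append(f"{flag}=true: Splunk '{role}' accounts can log in to UBA")
    # Role names are compared case-insensitively, as the page describes.
    splunk = {r.lower() for r in splunk_roles}
    uba = {r.lower() for r in uba_roles} | DEFAULT_UBA_ROLES
    for role in sorted(uba - splunk):
        findings.append(f"UBA role {role} has no matching Splunk role")
    return findings

# Constructed sample: contents of uba-site.properties with a made-up host name.
SAMPLE = """# constructed sample
ui.splunk.authentication={"hostname": "splunk-lb.example.com", "port": "8089", "allowSplunkUserRole": true, "allowSplunkAdminRole": false}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["uba_user", "uba_admin", "uba_testRole"], ["uba_testrole"]):
        print(finding)
```

An empty result means the setting and the role mapping match what this page describes. A finding for allowSplunkUserRole or allowSplunkAdminRole is a prompt to confirm that the wider access is intended.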