Configure SSO integrations for Splunk Observability Cloud
Configure the capability for your users to log in using various SSO providers. Login service integration supports both Identity Provider-initiated SSO and Splunk Observability Cloud-initiated SSO. The latter lets your users log in to Splunk Observability Cloud using your organization's custom URL.
Splunk Observability Cloud provides SSO login service integrations that let your users log in using a third-party identity provider (IdP) that uses SAML SSO. Splunk Observability Cloud supports SSO initiated by the IdP.
Splunk Observability Cloud also supports SSO initiated by Splunk Observability Cloud, and this option lets your users log in to Infrastructure Monitoring using a custom URL you specify.
If you have Splunk Cloud Platform, you can set up Unified Identity and use Splunk Cloud Platform for SSO instead of integrating with a third-party identity provider. Unified Identity provides many benefits that third-party identity providers do not have, including SSO with your existing Splunk Cloud Platform credentials. For more information, see Unified Identity: Splunk Cloud Platform and Splunk Observability Cloud.
If you do not have Splunk Cloud Platform, you can use a third-party SSO provider. Splunk Observability Cloud supports the following SSO integrations:
us1 realm is https://ingest.us1.signalfx.com, while the endpoint for sending data in the eu0 realm is https://ingest.eu0.signalfx.com. When you see a placeholder realm name in the documentation, such as <YOUR_REALM>, replace it with your actual realm name. To find your realm name, open the navigation menu in Splunk Observability Cloud, select Settings, and select your username. Locate the realm name in the Organizations section. If you don’t include the realm name when specifying an endpoint, Splunk Observability Cloud defaults to the us0 realm.
Provide a custom URL for accessing Splunk Observability Cloud
A custom URL is required to allow users to log in to Splunk Observability Cloud from your organization’s login page. If no custom URL is provided, users can still log in through the identity provider to access Splunk Observability Cloud.
When you configure a login service integration and select Show on login page, the login details for the service appear on your organization’s login page. You can have multiple SSO logins.
The URL must be a subdomain of signalfx.com. To utilize a custom URL, contact support and provide the following:
- The subdomain you want to use.
- The organization for which you want to use the custom URL.
- An organization administrator’s email address.
Name an SSO integration
Give your login service integration a name that your users recognize. On your custom login page, this name appears in the button your users select to sign in. For example, use the name "Log in with Okta" for an Okta login service integration.
Set up a default SSO role
When you set up SSO, the default role for a user signing in to Splunk Observability Cloud through SSO is the power role. You can change the default SSO role to any of the available roles in Splunk Observability Cloud. These are admin, power, usage, and read_only. To learn more about roles, see About roles in Splunk Observability Cloud.
To change the default SSO role, do the following:
- Go to Settings and then select General Settings.
- In the User Management section, set a default role for SSO login by selecting a role from the drop-down list. The drop-down list defaults to the power role. The role you select becomes the role of any new user logging in through an SSO service. You can return to General Settings and update the default role for SSO login at any time.
Integrate an identity provider with multiple organizations
When you integrate a login service with Splunk Observability Cloud, you need to provide information about the integration to the login service. Infrastructure Monitoring gives you an entity identifier (entity ID) that you provide when you configure the login service itself. The service uses the entity ID and other information to connect with Splunk Observability Cloud.
For multiple organizations, the login service needs an entity ID and other information for each organization. Splunk Observability Cloud can provide you with an integration-specific entity ID for the integration in each organization.
When you configure the login service, you provide the entity ID along with other information for each organization you want to connect using the login service. The steps for integrating with each supported login service include the optional steps for using integration-specific entity IDs.
The Google SSO integration doesn’t support integration-specific entity IDs.
General integration-specific entity ID steps
To get an integration-specific entity ID for an integration, do the following when you create the integration:
- Log in to Splunk Observability Cloud.
- In the left navigation menu, select Data Management.
- Go to the Available integrations tab, or select Add Integration in the Deployed integrations tab.
- In the integration filter menu, select All.
- In the Search field, search for the login service, and select it.
- Select the Integration-specific Entity ID option. Next to this option, the entity ID displays in the form of a URI. Copy this URI and provide it when you configure the login service to communicate with Splunk Observability Cloud.
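A pre-flight check for the custom URL and multi-organization rules described above, as an added example that is not Splunk's own code: it reviews a per-organization integration plan before the values are entered into the login service. The record fields, the placeholder entity IDs, the https requirement, and treating a reused entity ID as a copy-paste error are assumptions of this example.

```python
from urllib.parse import urlsplit

PARENT = "signalfx.com"  # per the page: a custom URL must be a subdomain of this

def is_signalfx_subdomain(url):
    """True only for https URLs whose host is a proper subdomain of signalfx.com."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    # Compare on a label boundary so "signalfx.com.example.net", "notsignalfx.com"
    # and userinfo forms like "signalfx.com@host" all fail.
    # Requiring https is an assumption of this example, not a rule from the page.
    return parts.scheme == "https" and host.endswith("." + PARENT)

def check_sso_plan(plan):
    """Return a list of findings for per-organization integration records."""
    findings = []
    seen = {}  # integration-specific entity ID -> first organization using it
    for rec in plan:
        org, eid = rec["org"], rec.get("entity_id")
        url = rec.get("custom_url")
        if url and not is_signalfx_subdomain(url):
            findings.append(f"{org}: custom URL is not an https subdomain of {PARENT}")
        if eid is None:
            continue
        if rec["provider"] == "google":
            # The page states Google SSO does not support these IDs.
            findings.append(f"{org}: Google SSO has no integration-specific entity IDs")
        if urlsplit(eid).scheme == "":
            findings.append(f"{org}: entity ID is not a URI")
        if eid in seen:
            # Assumption: each organization's integration gets its own ID.
            findings.append(f"{org}: entity ID already used by {seen[eid]}")
        seen.setdefault(eid, org)
    return findings

# Constructed sample plan; organizations, hosts and entity IDs are placeholders.
SAMPLE_PLAN = [
    {"org": "org-a", "provider": "okta", "custom_url": "https://acme.signalfx.com",
     "entity_id": "https://placeholder.example/entity/AAAA"},
    {"org": "org-b", "provider": "okta",
     "custom_url": "https://acme.signalfx.com.example.net",
     "entity_id": "https://placeholder.example/entity/AAAA"},
    {"org": "org-c", "provider": "google",
     "entity_id": "https://placeholder.example/entity/CCCC"},
]

if __name__ == "__main__":
    for line in check_sso_plan(SAMPLE_PLAN):
        print(line)
```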