Multi-Factor Authentication (MFA/2FA) for Splunk

Last updated on May 16, 2024

MFA for Splunk is a secure way to authenticate your Splunk users using multiple authentication methods. The first method is usually the login and password. Slunk MFA can use secondary authentication methods such as Mobile Push, Passcode (TOTP & Bypass Code), and WebAuthn/U2F Security Keys.

Overview

The purpose of this document is to enable Rublon Two-Factor Authentication (2FA) for users connecting to Splunk. In order to achieve that, you have to use Rublon Access Gateway, which allows you to integrate Rublon with Splunk to add Two-Factor Authentication to your logins.

Supported Authentication Methods

Authentication Method	Supported	Comments
Mobile Push	✔	N/A
WebAuthn/U2F Security Key	✔	N/A
Passcode	✔	N/A
SMS Passcode	✔	N/A
SMS Link	✔	N/A
Phone Call	✔	N/A
QR Code	✔	N/A
Email Link	✔	N/A
YubiKey OTP Security Key	✔	N/A

Before you start

You need to install and configure Rublon Access Gateway itself before configuring Splunk to work with it. Read Rublon Access Gateway and follow the steps in Installation and Configuration sections. Afterwards, follow the Configuration section in this document.

Configuration

1. Log in to Splunk.

2. Select Settings from the top bar menu. Choose Authentication Methods in the USERS AND AUTHENTICATION section.

3. Select SAML as the External authentication source.

4. Click SAML Settings.

5. Click SAML Configuration in the top right corner.

6. Download SP Metadata File. You are going to need it later.

7. Fill in the General Settings section of the form. Do not close or save the form yet. Refer to the following image and table.

Single Sign On (SSO) URL	The protected endpoint on your IdP to which Splunk will send authentication requests. Enter SSO URL from Rublon Access Gateway.
Single Log Out (SLO) URL	The IdP protocol endpoint for logging out. Enter Logout URL from Rublon Access Gateway.
IdP certificate path	Location of IdP certificate file. Either: a) Create a folder SPLUNK_INSTALATION_DIR\etc\auth\idpCerts. Place the SSL Certificate inside that folder and change the file name to idp.pem. Then, only specify the name of the file (idp.pem) in the IdP certificate path field. OR b) Store idp.pem in a different location, but then you have to provide the entire path to the idp.pem file. The certificate itself can be obtained from Rublon Access Gateway (Applications → Information for configuring applications with Rublon Access Gateway → DOWNLOAD CERTIFICATE).
Replicate Certificates	Check.
Issuer Id	Entity ID of IdP. Enter Entity ID from Rublon Access Gateway.
Entity ID	Hostname of your Splunk instance.
Sign AuthnRequest	Check.
Verify SAML response	Check.

8. Do not close the Splunk SAML Configuration yet. Do not save the form. You are going to get back to the form later and fill in more fields.

9. Open Rublon Access Gateway. Go to Applications → Import application metadata.

10. Enter the Application name, and upload the SP Metadata file downloaded from Splunk.

11. Go back to the Splunk SAML Configuration.

Note

12. Expand the Alias section. Enter the Role alias according to your configuration. It’s description in our example.

13. Click Save to save your SAML configuration.

14. Click New Group in the top right corner.

15. Enter your Group Name. The name of your group needs to correspond to the description value in user LDAP attributes. In our example the group name is admins.

16. Assign all users that require access to Splunk via Rublon. Click Save to add your new group.

17. Your configuration is now complete. Your users can log in to Splunk with Rublon 2FA enabled.

Log in to Splunk with Rublon 2FA enabled

1. Open your browser and enter the address of your Splunk instance.

2. You should be redirected to the Rublon Access Gateway login page.

3. Provide your username and password. A window will appear with a selection of various 2FA methods from Rublon.

4. In this example, let’s use the Email Link 2FA method (first icon on the left). Select it, and you should receive an email from Rublon. Confirm your login by clicking the link provided in the email.

5. One of the options in the Rublon 2FA window is to Remember this device. Check it, and you will not be required to go through Rublon Authentication during your next login to Dropbox.

6. After selecting the desired 2FA method, you will be presented with a window like the one below.

7. Once you have confirmed your login using the chosen 2FA method, you will be redirected to Splunk.

Troubleshooting

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Rublon Access Gateway

Rublon Access Gateway – Integrations