Setup SAML in Azure Active Directory
The customer has to decide on two things:
- Should all users in the organization be allowed to access the UXM solution? You can choose between all users, or only selected users/groups in your Active Directory that are allowed to access the UXM solution.
- Should UXM Splunk roles be assigned automatically based on the Active Directory group the user is in?
You could for example create Splunk_User, Splunk_Admin and one role per monitored application.
Please note the restriction when SAML login is used: all users get the same assigned Splunk role. Assigning different Splunk roles is only possible if the Role alias maps to an Azure AD group or to the customer (company name) claim.
Setup Active Directory Enterprise app in AzureAD
Go to https://portal.azure.com, select "Azure Active Directory" and then "Enterprise applications".
Press "New application" to create a new one.
Search for Splunk and select "Azure AD SSO for Splunk Enterprise and Splunk":
Enter name "UXM Cloud - SSO" and press add:
Go to Manage -> Properties and set "User assignment required?". Set it to No only if every user in the tenant should be able to log in; if it is set to Yes (recommended when access should be restricted), you will need to add all permitted users or groups under Manage -> Users and Groups.
Optional: upload the UXM logo "appIconAlt_2x.png", attached to this guide or available from https://repo.uxmapp.com/appIconAlt_2x.png.
Select Manage -> Single Sign-on and choose SAML to setup the integration with our Cloud service.
Enter:
Identifier (Entity ID): https://customername.uxmapp.com
Reply URL (Assertion Consumer Service URL): https://customername.uxmapp.com/saml/acs
Sign on URL (Required): https://customername.uxmapp.com/en-GB/ or https://customername.uxmapp.com/en-US/ depending on how locales should be set (formatting of hours as a 24-hour clock or 12-hour AM/PM time). Replace customername with the customer's subdomain in all three URLs.
Press Save and close the tab; skip testing the settings if asked.
Edit User Attributes & Claims and create the following three claims:

| Claim Name | Namespace | Source attribute |
|---|---|---|
| displayname | http://schemas.microsoft.com/identity/claims | user.displayname |
| companyname | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.companyname |
| name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.mail |

Press "Add new claim" to add each one and fill out the Name, Namespace and Source attribute:
Edit the SAML Signing Certificate and set Signing Option to "Sign SAML response and assertion".
Also add support@uxmapp.com under Notification Email Addresses, so that we are notified before the certificate expires.
Close, download the "Federation Metadata XML" file and send it to MCG at support@uxmapp.com, so that we can enable the SAML integration on the Splunk server.
Setup SAML in Splunk
Requirements: the FQDN approved in Azure AD (the host used in the Entity ID and Reply URL) has to resolve to the Splunk server in DNS, or be entered in the local hosts file with the server's IP address for testing.
Go to Splunk -> Settings -> Access Controls and select Authentication method.
Select SAML and then "Configure Splunk to use SAML".
The first time, the SAML Configuration dialog appears automatically; open it if it doesn't.
Then select the Federation Metadata XML file that you received from Azure AD and load it by clicking "Metadata XML File".
It will fill out most of the values; you need to change:
Entity ID: the FQDN that users log in on, i.e. the one approved during the Azure setup.
Role alias: Splunk has to be able to bind this Role alias to a role, or else you will see an error about the user not being assigned to a group.
You can use the company name or the group the user is in, if it is provided by the Azure SAML setup.
Use the troubleshooting guide to see which SAML values are sent once this SAML integration is set up.
Company name = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/companyname
Group name = http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
RealName alias: http://schemas.microsoft.com/identity/claims/displayName
Mail alias: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Name Id Format: Email Address
Fully qualified domain name or IP of the load balancer: the FQDN that users log in on, i.e. the one approved during the Azure setup.
Redirect port - load balancer port: 443
SSO Binding: HTTP POST
SLO Binding: HTTP POST
Press Save and test a login from the customer's domain in a private/Incognito browser window.
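The settings above are written by the Splunk UI to authentication.conf. The file below is an added example composed from Splunk's documented authentication.conf keys; it is not a file from the guide or from the UXM server. The tenant ID, the group object IDs and the Azure AD group names are placeholders, and the role alias is set to the group claim so that different Splunk roles can be assigned (with the companyname claim every user would map to the same role, as the note at the top of the guide says).

```ini
# $SPLUNK_HOME/etc/system/local/authentication.conf (added example, not from the guide)
[authentication]
authType = SAML
authSettings = saml

[saml]
# Entity ID and load balancer FQDN: the host approved in Azure AD
entityId = https://customername.uxmapp.com
fqdn = customername.uxmapp.com
redirectPort = 443
# Filled in from the Federation Metadata XML; <tenant-id> is a placeholder
idpSSOUrl = https://login.microsoftonline.com/<tenant-id>/saml2
idpSLOUrl = https://login.microsoftonline.com/<tenant-id>/saml2
ssoBinding = HTTPPost
sloBinding = HTTPPost
# Path is relative to $SPLUNK_HOME/etc/auth/idpCerts/
idpCertPath = idpCert.pem
nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
# Matches "Sign SAML response and assertion" on the Azure side
signedAssertion = true
signAuthnRequest = true
# Role alias = group claim, so roles can differ per Azure AD group
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
realName = http://schemas.microsoft.com/identity/claims/displayName
mail = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

# Splunk role -> value(s) carried in the group claim, separated by ';'.
# By default Azure AD emits group object IDs rather than names, so map the IDs
# of the Splunk_Admin / Splunk_User groups (values below are placeholders).
[roleMap_SAML]
admin = <object-id-of-Splunk_Admin>
user = <object-id-of-Splunk_User>
```

If the role alias is left on the companyname claim instead, the single company name must appear on the right-hand side of one roleMap_SAML entry; any user whose claim value matches no entry is refused with the "not assigned to group" error described above.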
Update certificate when it expires
The IdP signing certificate used to validate SAML responses is located at $SPLUNK_HOME/etc/auth/idpCerts/idpCert.pem; an Azure AD signing certificate expires 3 years after creation.
Microsoft sends an email notification before that happens. The Azure admin can then generate a new certificate, which we import into idpCert.pem (or re-import the Federation Metadata XML file, which only works if the metadata contains a single certificate; Splunk will complain if multiple certificates exist in the Metadata XML file).
Azure AD admin
Select the application and Single sign-on, then edit the SAML Signing Certificate.
Press New Certificate, which generates a new certificate valid for 3 years.
Save it and download it as "Certificate (Base64)".
Send the downloaded file to support@uxmapp.com before activating it: logins fail from the moment the new certificate is made active until it has been imported on the server as $SPLUNK_HOME/etc/auth/idpCerts/idpCert.pem.
Once support confirms the import, set the new certificate to Active and delete the old certificate afterwards.
No restart of Splunk is required afterwards.
Troubleshooting
There are multiple certs,idpCertPath:idpCert.pem, must be a directory
The Metadata XML File importer fails if multiple signing certificates are defined in the metadata. Either keep only one signing certificate in Azure AD, or manually import the newest active one into $SPLUNK_HOME/etc/auth/idpCerts/idpCert.pem.
The Metadata Certificate Extractor at https://www.rcfed.com/SAMLWSFed/MetadataCertificateExtract can be used to export the certificates from the Metadata XML file.
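An offline alternative to the online extractor, added here as an example and not part of the guide or the UXM tooling: it parses the Federation Metadata XML, lists the IdP signing certificates with their thumbprints, reports the multiple-certificate condition that makes the Splunk importer fail, and writes each certificate as PEM (a single certificate is written as idpCert.pem, several as one file per thumbprint so the admin can pick the active one). The metadata, tenant ID and certificate bodies are constructed for the demonstration; the base64 bodies are not real X.509 DER, which is why the script never parses them beyond hashing.

```python
"""Offline equivalent of the Metadata Certificate Extractor (added example, not part of
the guide). Reads a Federation Metadata XML file, lists the IdP signing certificates and
writes each one as PEM. Metadata and certificates below are constructed for the demo."""
import base64
import hashlib
import pathlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-ins for the base64 certificate bodies Azure AD puts in the metadata.
CERT_OLD = base64.b64encode(b"constructed old signing certificate (not DER)").decode()
CERT_NEW = base64.b64encode(b"constructed new signing certificate (not DER)").decode()


def make_metadata(*certs: str) -> str:
    """Minimal Azure AD style metadata with one signing KeyDescriptor per certificate
    (the tenant ID is a placeholder)."""
    keys = "".join(
        '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        for c in certs
    )
    tenant = "00000000-0000-0000-0000-000000000000"
    return (
        '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        f'entityID="https://sts.windows.net/{tenant}/">'
        '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{keys}"
        f'<SingleSignOnService Binding="{POST_BINDING}" '
        f'Location="https://login.microsoftonline.com/{tenant}/saml2"/>'
        "</IDPSSODescriptor></EntityDescriptor>"
    )


SAMPLE_METADATA = make_metadata(CERT_OLD, CERT_NEW)  # two certs: the case Splunk rejects


def thumbprint(cert_b64: str) -> str:
    """SHA-1 thumbprint of the certificate bytes, the value the Azure portal lists."""
    return hashlib.sha1(base64.b64decode("".join(cert_b64.split()))).hexdigest().upper()


def to_pem(cert_b64: str) -> str:
    body = "\n".join(textwrap.wrap("".join(cert_b64.split()), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def summarize(metadata_xml: str) -> dict:
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        certs += ["".join((c.text or "").split())
                  for c in kd.findall(".//ds:X509Certificate", NS)]
    sso = root.find(f".//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{POST_BINDING}']", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso.get("Location") if sso is not None else None,  # idpSSOUrl for HTTP POST
        "signing_cert_count": len(certs),
        "thumbprints": [thumbprint(c) for c in certs],
        "certs": certs,
        # The Splunk importer only accepts metadata carrying exactly one signing certificate.
        "splunk_import_ok": len(certs) == 1,
    }


def write_pems(metadata_xml: str, out_dir: pathlib.Path) -> list[pathlib.Path]:
    """One cert: write idpCert.pem as the guide expects. Several: one file per thumbprint."""
    info = summarize(metadata_xml)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for cert, thumb in zip(info["certs"], info["thumbprints"]):
        name = "idpCert.pem" if info["splunk_import_ok"] else f"idpCert-{thumb}.pem"
        path = out_dir / name
        path.write_text(to_pem(cert))
        written.append(path)
    return written


if __name__ == "__main__":
    report = summarize(SAMPLE_METADATA)
    print(f"{report['signing_cert_count']} signing cert(s), Splunk import ok: {report['splunk_import_ok']}")
    for thumb in report["thumbprints"]:
        print("thumbprint", thumb)
    for p in write_pems(SAMPLE_METADATA, pathlib.Path("idpCerts")):
        print("wrote", p)
```

Run it against the real FederationMetadata.xml by replacing SAMPLE_METADATA with the file contents; compare the printed thumbprints with the Thumbprint column under SAML Signing Certificate in the Azure portal to see which file is the active certificate before copying it to $SPLUNK_HOME/etc/auth/idpCerts/idpCert.pem.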
Login errors
You can use the SAML Chrome Plugin to see which attributes are sent when logging in to the UXM solution; some, such as groups, are restricted by Azure AD and only appear if the tenant has been configured to emit them.
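The same inspection can be done from a captured SAMLResponse without the browser plugin. The script below is an added example, not part of the guide: it base64-decodes the SAMLResponse form field posted to /saml/acs, lists the NameID and attributes, reports which of the claim names from the Splunk settings above are missing, checks that both the response and the assertion carry a signature (the "Sign SAML response and assertion" option), and compares the certificate Azure AD signed with against idpCert.pem, which is the usual cause of login failures after a certificate rotation. It does not cryptographically verify the signature; Splunk does that. The response, user, company and certificate are constructed for the demonstration and are not a real Azure AD assertion.

```python
"""Inspect a captured SAMLResponse (added example, not part of the guide).
The sample response and certificate are constructed, not real Azure AD output."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names as configured on the Splunk side in the guide.
CLAIMS = {
    "Company name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/companyname",
    "Group name": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "RealName alias": "http://schemas.microsoft.com/identity/claims/displayName",
    "Mail alias": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
}

_FAKE_CERT = base64.b64encode(b"constructed idp signing certificate (not DER)").decode()
IDP_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{_FAKE_CERT}\n-----END CERTIFICATE-----\n"


def _sig(cert_b64: str) -> str:
    return ("<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>")


def _attr(name: str, value: str) -> str:
    return f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'


# Constructed response: signed response and assertion, no group claim (the case where
# Azure AD has not been configured to emit groups).
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'ID="_r1" Version="2.0" Destination="https://customername.uxmapp.com/saml/acs">'
    "<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>"
    + _sig(_FAKE_CERT) +
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0">'
    + _sig(_FAKE_CERT) +
    f'<saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane@customer.example</saml:NameID></saml:Subject>'
    "<saml:AttributeStatement>"
    + _attr(CLAIMS["RealName alias"], "Jane Doe")
    + _attr(CLAIMS["Company name"], "Customer A/S")
    + _attr(CLAIMS["Mail alias"], "jane@customer.example")
    + "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
)
# The browser posts the base64 of that XML as the SAMLResponse form field.
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def pem_body(pem: str) -> str:
    """Base64 body of a PEM certificate without header, footer or line breaks."""
    return "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))


def inspect_response(saml_response_b64: str, idp_cert_pem: str) -> dict:
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    embedded = {"".join((c.text or "").split()) for c in root.findall(".//ds:X509Certificate", NS)}
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "status": status.get("Value") if status is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format_is_email": name_id is not None and name_id.get("Format") == EMAIL_FORMAT,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "attributes": attrs,
        "missing_claims": [label for label, uri in CLAIMS.items() if uri not in attrs],
        # False after an Azure certificate rotation until idpCert.pem has been updated.
        "cert_matches_idpcert": pem_body(idp_cert_pem) in embedded,
    }


if __name__ == "__main__":
    for key, value in inspect_response(SAMPLE_SAML_RESPONSE, IDP_CERT_PEM).items():
        print(f"{key}: {value}")
```

With a real capture, paste the SAMLResponse value in place of SAMPLE_SAML_RESPONSE and read idpCert.pem from $SPLUNK_HOME/etc/auth/idpCerts/ into the second argument; a missing "Group name" entry in missing_claims means the role alias cannot be bound to a group, and cert_matches_idpcert False means the server still holds the previous signing certificate.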
Deleting old inactive SAML users
Please contact support@uxmapp.com to get old inactive SAML users deleted; a DELETE request to https://customername.uxmapp.com:8089/services/admin/SAML-user-role-map/userId is needed to remove the SAML user-role mapping from UXM.