[Notification] We're upgrading the JumpCloud Support Center the week of September 30th.

Support Center

Single Sign On (SSO) with Splunk

Important: This article contains out-of-date information. For current application information, see Connecting Applications with JumpCloud Using Pre-Built Connectors.



Configure the JumpCloud SSO Application

  1. Access the JumpCloud Administrator Console at https://console.jumpcloud.com.
  2. Select Applications in the main navigation panel.
  3. Select the + in the upper left, scroll or search for the application in the 'Configure New Application' side panel, then select 'configure'.
  4. Optionally, enter Splunk for the Display Label. This label will appear under the Service Provider logo within the JumpCloud User Portal.
  5. You can upload a service provider application's XML metadata file to populate SAML connector attributes for that application. The attributes populated by the metadata file may vary by the application. To apply a metadata file for the application you're connecting, click Upload Metadata. Navigate to the file you want to upload, then click Open. You'll see a confirmation of a successful upload. Be aware that if you upload more than one metadata file, you'll overwrite the attribute values applied in the previously uploaded file.
  6. In the IDP Entity ID field, enter https://YOURDOMAIN.TLD (e.g., https://thebestwidgets.com).
  7. Select Upload IdP Private Key and upload the private.pem file generated according to the above prerequisites.
  8. Select Upload IdP Certificate and upload the cert.pem file generated according to the above prerequisites.
  9. In the SP Entity ID field, enter Splunk.
  10. In the ACS URL field, enter http://Your_Site_URL/saml/acs. You can get your site URL from the Splunk Admin Console.
  11. Select the Include Group Attribute check box to include the groups a user is a member of in SAML assertions. When this field is selected, all groups that connect the user to the application are included in assertions to that application. The Groups Attribute Name is the service provider's name of the group attribute. By default, the attribute name is memberOf.
  12. In the Groups Attribute Name field, enter role.
  13. In the field terminating the IdP URL, either leave the default value or enter a plaintext string unique to this connector.
  14. Select Activate.

Configure the Service Provider

  1. In the Settings menu, under Users and Authentication, select Access Controls.
  2. Select Authentication method, then select SAML as the External Authentication Method.
  3. Click Configure Splunk to configure SAML.
  4. On the SAML Groups page, click SAML Configuration.
  5. Browse and select your metadata file, or copy and paste your metadata directly into the text window. Refer to your IdP's documentation if you are not sure how to get your metadata file.
  6. In General Settings, provide the following information:
  • Single Sign On URL: This field is populated automatically by the metadata file you provide. It is the protected endpoint on your IdP to which Splunk sends authentication requests. Your users use this URL for SSO login.
  • Single Log Out URL: This field is populated automatically by the metadata file and is the IdP protocol endpoint. If you do not provide this URL, users will not be logged out.
  • IdP's certificate path: This value can be a directory or a file, depending on your IdP requirements. If you provide a file, Splunk uses that file to validate the authenticity of SAML responses. If you provide a directory, Splunk looks for all the certificates that are present as children of the directory and tries to validate SAML responses for each of them. If Splunk fails to validate authenticity of all certificates, the response is not considered authentic.
  • Entity ID: This field is the entity ID as configured in the SP connection entry in your IdP.
  • Sign AuthRequest: Select this option.
  • Sign SAML Response: Select this option.
  1. Skip the Attribute Query Requests section.
  2. In Advanced Settings, optionally provide the following aliasing information:
  • Attribute Alias Role: Use this field to specify a new attribute name on any IdP and then configure an alias in your Splunk deployment for any of the three attributes.
  • Attribute Alias Real Name: You may skip this field. For ADFS, you can use the display name for the Attribute Alias Real Name.
  • Attribute Alias Mail: Skip this field.
  1. Populate the remaining advanced settings only if you need to set up load balancing or change the SAML binding.
  2. Click Save.

Validate SSO authentication workflows

IdP Initiated

  • Access the JumpCloud User Console at https://console.jumpcloud.com.
  • Select the Service Provider icon.
  • This should automatically launch and login to the application.

SP Initiated

  • Navigate to your Service Provider application URL.
  • You will be redirected to log in to the JumpCloud User Portal.
  • The browser will be redirected back to the application and be automatically logged in.
  1. When you configure your Splunk deployment to use your SAML authentication system, you can authorize groups on your SAML server to log in by mapping them to Splunk user roles. You can map multiple groups to a single user role. To authorize groups complete the following steps:
  • On the SAML Groups page, click New Group or click Edit to modify an existing group.
  • Provide a name for the group.
  • Determine the roles that you want to assign to this group by moving the desired roles from the left column to the right column.
  • Click Save.

Last Updated: Aug 20, 2019 10:02AM MDT

Related Articles
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found