![]() ![]() Splunk regular expressions are PCRE (Perl Compatible Regular Expressions) and use the PCRE C library. See Quick Reference for SPL2 eval functions in the SPL2 Search Reference. Search commands that use regular expressions include rex and evaluation functions such as match and replace. ![]() You also use regular expressions when you define custom field extractions, filter events, route data, and correlate searches. Regular expressions match patterns of characters in text and are used for extracting default fields, recognizing binary file types, and automatic assignation of source types. For a discussion of regular expression syntax and usage, see an online resource such as or a manual on the subject. That way you always have a way to log in locally with admin role if anything is wrong with SAML - without having to log a support case with Splunk in order to have it done for you.This primer helps you create valid regular expressions. ![]() A suggestion is for you to create your own locally defined account that has the admin role assigned to it. Use that URL if you need to log into any existing locally defined account. This is the URL /en-US/account/login?loginType=splunk, in our example. There is a specific URL for your instance that you can point your browser to in order to get to the locally defined user login page for locally defined users. *" in order to send * all* groups to the Splunk Cloud instance. Note: You can use the Regex filter with the value ". In our example below we used Equals filter with the splunkcloudadmin value ( step 16). Also, you need to have the same group(s) in Okta (assigned to your Splunk Cloud application users). This filter and value should cover the required group(s) in Splunk Cloud. Select a group filter and filter value for the role attribute. Still in Okta, select the Sign On tab for the Splunk Cloud app, then click Edit. In Okta, select the General tab for the Splunk Cloud app, then click Edit.įor example, if you log into, enter here.Įnter your Entity ID. In Splunk, go to Settings > Access controls > Authentication method, then click Reload authentication configuration: Note: You can use a regex expression in the role to set multiple roles per group.įor example: role Matches regex. Note that it can be a one to many relationship – you can have a group map to one or more Splunk Roles. The roles you select are copied over to the Selected Item(s) list. This name should be exactly the same value as user’s Group name in Okta.Ĭlick on one or more roles in the Splunk Roles - Available item(s) selection list. In the Create new SAML Group page, enter the following (see screen shot at end of step for reference): Redirect port – load balancer port: Enter 0 (zero).īack in the SAML Settings panel, click New Group in the upper right hand corner: Scroll down to the Advanced Settings section and enter the following (see screen capture at end of step for reference):įully qualified domain name or IP of the load balancer of your instance: Enter. Note: This value is case sensitive so it should be typed in exactly as you are going to use in the Okta app ( step 18).Ĭheck Sign AuthnRequest and Sign SAML Response. Metadata Contents: Copy and paste the following: Sign in to Okta Admin app to have this variable generated for you.Įntity ID: Use the following value: Splunk-.įor example, if you log into, use Splunk-acme as the Entity ID. In the SAML Configuration page, enter the following (see screen capture at end of step for reference): In the SAML Settings panel, click SAML Configuration in the upper right hand corner: ![]() Login to Splunk Cloud as an administrator.įor External Authentication Method, select SAML, then click Configure Splunk to use SAML: In Okta, select the Sign On tab for the Splunk Cloud app, then click Edit.Ĭlick Browse and navigate to the splunkcloud.cert file you just saved ( step 5, above), then click Upload to upload it to Okta. Save the certificate into a non-formatted text file (Notepad for example), and place a row above the certificate with the text -BEGIN CERTIFICATE- and a row below the certificate with the text -END CERTIFICATE. From the metadata, capture the search head's certificate (masked out below) between the and, as shown below: Once SAML is enabled, open the following URL: /saml/spmetadata.įor example, if you log into, you should open this URL. The Okta/Splunk Cloud SAML integration currently supports the following features:Ĭontact the Splunk Cloud Support team and request that they enable SAML 2.0 for your account. Please use the Okta Administrator Dashboard to add an application and view the values that are specific for your organization. This setup might fail without parameter values that are customized for your organization. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |