Skip to main content

Set login via Microsoft ADFS and Single sign-on (SSO)

Configure Microsoft ADFS Login with SSO (Splunk)

This guide explains how to configure SAML-based Single Sign-On (SSO) using Microsoft ADFS for Splunk.


Configure Splunk SAML Authentication

  1. Log in to Splunk

  2. Go to:
    Settings → Authentication Methods

  3. Select SAML and click SAML Settings

  4. Click SAML Configuration (if not shown automatically)


Import ADFS Metadata

  1. Download metadata from ADFS:
    https://fqdn/FederationMetadata/2007-06/FederationMetadata.xml

  2. Import the Metadata XML file into Splunk


Update SAML Settings

  • Entity ID: e.g. uxm-splunk-test

  • Role Alias:
    http://schemas.microsoft.com/ws/2008/06/identity/claims/role


Advanced Settings

  • Name ID format: (as required)

  • Fully Qualified Domain: Splunk server domain

  • Redirect Port: 443 (or custom)

  • SSO/SLO Binding: HTTP POST


Update Signature Algorithm (SHA256)

By default, SHA1 is used. Update to SHA256:

$SPLUNK_HOME\etc\system\local\authentication.conf
signatureAlgorithm = RSA-SHA256
  • Update caCertFile and clientCert if needed


Export Splunk Metadata

  1. Open:
    https://fqdn/en-US/saml/spmetadata

    OR

  2. Go to:
    Settings → Authentication Methods → SAML → SAML Settings

  3. Click Configure SAML → Download File


Setup ADFS – Relying Party Trust

  1. Add new Relying Party Trust

  2. Select Claims aware

  3. Import Splunk metadata file


Configure General Settings

  • Display Name: UXM Splunk Test / Prod
  • Notes:
    ADFS SSO for UXM (Splunk) running at your URL https://customername.uxmapp.com/

Access Control

  • Allow required AD groups

  • Example groups:

    • UXM-Admin
    • UXM-Users
  • Groups can map to Splunk roles


Remove Encryption

  1. Go to Encryption tab
  2. Click Remove and confirm

ℹ️ Data is still securely transmitted via HTTPS


Verify Identifiers

  • Ensure identifiers match:
    • uxm-splunk-test or

    • uxm-splunk-prod


Configure Endpoints

  1. Go to Endpoints tab
  2. Verify POST bindings:
  • Assertion Consumer:
    https://customername.uxmapp.com/saml/acs

  • Logout endpoint:
    https://customername.uxmapp.com/saml/logout


Save Configuration

  • Click OK to save

Configure Claim Rules

  1. Click Edit Claim Issuance Policy

  2. Click Add Rule

  3. Select: Send LDAP Attributes as Claims


Claim Rule Configuration

  • Name: send_attr_claims
  • Attribute Store: Active Directory

Mappings:

  • Display-Name → realName
  • E-Mail-Addresses → mail
  • Token-Groups (Unqualified Names) → Role
  • User-Principal-Name → Name ID

  1. Click OK and apply