Using Keycloak as the IdP for Splunk via SAML

Does anyone have experience setting up Keycloak as the IdP for Splunk using Splunk’s SAML configuration?

We’ve been successful! I’ll post again with the Keycloak and Splunk configuration details on 2020-03-09T07:00:00Z

Here are the steps we used to successfully configure Keycloak as the IdP for Splunk via SAML

  1. Set up Keycloak
    Start a Keycloak server instance; we used my keycloak-react-app project
    1. Clone the repo and start up the Docker environment with: docker-compose up -d
      1. Note: the React App is unnecessary. You can comment the service out or delete it from the docker-compose.yml to save some build time
    2. Log into the Keycloak web interface at localhost:8080 using the username admin and password Pa55w0rd
    3. Open the Administration Console
    4. Navigate to Configure → Roles via the menu on the left
    5. Add two new roles: reportingadmin and reportingviewer
    6. Navigate to Manage → Users via the menu on the left
    7. Add a user for yourself
    8. In the ‘Credentials’ tab for your user, set a password
    9. In the ‘Role Mapping’ tab for your user, add the reportingadmin role
  2. Provision Splunk
    1. I suggest using the Docker/containerized version of Splunk to get started.
    2. For these instructions we used an in-house git repository which has two Splunk users, administrator and user, configured in Splunk’s /etc/passwd file
    3. Some users had to get an updated Splunk license to enable the SAML features… your mileage may vary
  3. Get Splunk SAML configuration
    1. In Splunk, navigate to the Settings menu (in the top right) → Users and Authentication → Access Controls
    2. Navigate to Authentication Method
    3. Select SAML Authentication and click “Configure Splunk to use SAML”
    4. Click the “Download File” button to get the metadata configuration to import into Keycloak
  4. Add a Splunk Client to Keycloak
    1. In the Keycloak admin console, click on Clients in the menu on the left
    2. Click the Create button at the top right of the table
    3. Click the “Select File” button and select the SPMetadata.xml file you got from Splunk
    4. Click Save
  5. Configure Splunk to use Keycloak
    1. Click on the “Installation” tab
    2. In the Format dropdown menu, select Keycloak SAML Wildfly/JBoss Subsystem
    3. In the SingleSignOnService block of the XML in Keycloak, copy the value of bindingUrl. Paste it on the Splunk SAML configuration side into the “Single Sign On (SSO) URL” text field
    4. In the SingleLogoutService block of the XML in Keycloak, copy the value of postBindingUrl. Paste it on the Splunk SAML configuration side into the “Single Log Out (SLO) URL” text field
    5. In the SP block of the XML in Keycloak, copy the value of entityID. Paste it on the Splunk SAML configuration side into the “Entity ID” text field
    6. In the Splunk SAML configuration, take the URL you got from bindingUrl/postBindingUrl above, remove “/protocol/saml” from the end of it, and paste it into the “Issuer ID” text field
      For example, if the binding URL is http://localhost:8080/auth/realms/master/protocol/saml, the URL to paste here is http://localhost:8080/auth/realms/master
    7. In Keycloak, navigate to Realm Settings in the menu on the left
    8. Click on the Keys tab
    9. For the RSA key in the table, click the Certificate button. Copy the contents of the dialog that opens up
    10. Paste the Certificate contents into your text editor of choice, then add a -----BEGIN CERTIFICATE----- preamble to the line before it, and -----END CERTIFICATE----- to the line after it
    11. Copy the contents of your text editor window. Paste it on the Splunk SAML configuration side into the “IdP Certificate Chains” text field
    12. Click Save
  6. Fix the Role attribute name
    1. In the Keycloak admin console, navigate to Client Scopes in the menu on the left
    2. Click on role_list in the table
    3. Click on the Mapper tab
    4. Click on role_list in the table, again
    5. Change the “Role attribute name” field to “role” (lower case) and click Save
  7. Configure Splunk groups
    1. After configuring Splunk to use SAML, you should be in the SAML Groups configuration page. Click on “New Group”
    2. Enter reportingadmin in the Group Name field, select the administrator Role from the list on the left, then click Save
    3. Click “New Group” again
    4. Enter reportingviewer in the Group Name field, select the user Role from the list on the left, then click Save

If you log out of Splunk now, you should be able to log in again, this time with your Keycloak username and password.

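The hand-copying in steps 5.3 to 5.11 and the role mapping in step 7, as an added worked example (this is not code from the post above, nor from Keycloak or Splunk): a Python script that parses the “Keycloak SAML Wildfly/JBoss Subsystem” XML from the client’s Installation tab, derives the Issuer ID by stripping `/protocol/saml` from the SSO binding URL (refusing anything that does not end that way), wraps the realm’s base64 certificate in PEM armour with 64-character lines, and renders the same settings as an `authentication.conf` fragment. The subsystem XML, the Splunk SP entityID and the certificate blob are constructed samples; the `authentication.conf` stanza and key names are written from memory of Splunk’s reference and should be checked against the `authentication.conf.spec` shipped with your version.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample of a "Keycloak SAML Wildfly/JBoss Subsystem" export, as seen on
# the client's Installation tab. The URLs mirror the thread's localhost example; the
# SP entityID is an assumed Splunk ACS URL, not one taken from the post.
KEYCLOAK_SUBSYSTEM_XML = """<secure-deployment name="YOUR-WAR.war">
  <SP entityID="https://splunk.example.test:8000/saml/acs" sslPolicy="EXTERNAL">
    <IDP entityID="idp">
      <SingleSignOnService signRequest="true" validateResponseSignature="true"
          requestBinding="POST"
          bindingUrl="http://localhost:8080/auth/realms/master/protocol/saml"/>
      <SingleLogoutService signRequest="true" signResponse="true"
          requestBinding="POST" responseBinding="POST"
          postBindingUrl="http://localhost:8080/auth/realms/master/protocol/saml"
          redirectBindingUrl="http://localhost:8080/auth/realms/master/protocol/saml"/>
    </IDP>
  </SP>
</secure-deployment>
"""

# Constructed placeholder for the base64 blob shown by Realm Settings -> Keys ->
# Certificate. It is valid base64 but not a real X.509 certificate.
REALM_RSA_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real certificate; " * 4).decode("ascii")

SAML_SUFFIX = "/protocol/saml"


def issuer_from_binding_url(url: str) -> str:
    """Step 5.6: the realm issuer is the SSO binding URL minus '/protocol/saml'.

    Refuse anything else rather than silently producing a wrong Issuer ID, which
    would make Splunk reject every assertion the realm sends.
    """
    if not url.endswith(SAML_SUFFIX):
        raise ValueError(f"not a Keycloak SAML endpoint: {url}")
    return url[: -len(SAML_SUFFIX)]


def extract_splunk_fields(subsystem_xml: str) -> dict:
    """Pull the four values steps 5.3-5.6 copy by hand out of the subsystem XML."""
    root = ET.fromstring(subsystem_xml)
    sp = root.find("SP")
    sso = root.find("SP/IDP/SingleSignOnService")
    slo = root.find("SP/IDP/SingleLogoutService")
    if sp is None or sso is None or slo is None:
        raise ValueError("SP / IDP / SingleSignOnService / SingleLogoutService block missing")
    sso_url = sso.attrib["bindingUrl"]
    return {
        "sso_url": sso_url,                             # Splunk: Single Sign On (SSO) URL
        "slo_url": slo.attrib["postBindingUrl"],        # Splunk: Single Log Out (SLO) URL
        "entity_id": sp.attrib["entityID"],             # Splunk: Entity ID
        "issuer_id": issuer_from_binding_url(sso_url),  # Splunk: Issuer ID
    }


def to_pem(cert_b64: str) -> str:
    """Step 5.10: wrap the raw base64 in PEM armour with 64-character lines.

    Keycloak shows the certificate as one unbroken base64 line; Splunk's
    'IdP Certificate Chains' field wants a PEM block. The base64 is validated
    first so a truncated copy-paste fails here, not at the first login attempt.
    """
    body = "".join(cert_b64.split())          # drop stray whitespace / newlines
    base64.b64decode(body, validate=True)     # raises binascii.Error if corrupted
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def render_authentication_conf(fields: dict, idp_cert_path: str) -> str:
    """The same settings as an authentication.conf fragment, for file-based setups.

    Assumption: stanza and key names follow Splunk's authentication.conf reference
    as recalled; verify against authentication.conf.spec for your version. The
    roleMap stanza mirrors step 7 (Splunk role on the left, Keycloak role on the
    right; the thread's in-house image calls the admin role "administrator").
    """
    return (
        "[authentication]\n"
        "authType = SAML\n"
        "authSettings = keycloak\n\n"
        "[keycloak]\n"
        f"entityId = {fields['entity_id']}\n"
        f"idpSSOUrl = {fields['sso_url']}\n"
        f"idpSLOUrl = {fields['slo_url']}\n"
        f"issuerId = {fields['issuer_id']}\n"
        f"idpCertPath = {idp_cert_path}\n"
        "signAuthnRequest = true\n"
        "signedAssertion = true\n\n"
        "[roleMap_SAML]\n"
        "admin = reportingadmin\n"
        "user = reportingviewer\n"
    )


if __name__ == "__main__":
    fields = extract_splunk_fields(KEYCLOAK_SUBSYSTEM_XML)
    for key, value in fields.items():
        print(f"{key:>10}: {value}")
    print(to_pem(REALM_RSA_CERT_B64))
    print(render_authentication_conf(fields, "/opt/splunk/etc/auth/idpCerts/idpCert.pem"))
```

Run it against the XML you actually exported and paste the printed values into the Splunk form; the `ValueError` from `issuer_from_binding_url` is the check that catches a pasted SLO/redirect URL that does not belong to the realm.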

Hi, I followed your tutorial, but I get an error message on Keycloak: “Invalid requester”. :scream:


My team recently successfully integrated Keycloak with Splunk via SAML.

Through that process, the most frequent reason we got the “Invalid Requester” error message was because Splunk was signing AuthnRequests with a certificate that didn’t match what was configured in Keycloak. That being said, there are multiple reasons you could get the “Invalid Requester” error message.

The certificate should be included in the SAML assertion body sent from Splunk in the AuthnRequests. I’d first double-check to make sure that certificate matches what you have configured in Keycloak.

You can either export the auto-generated certificate + private key from your Keycloak SAML client’s “SAML Keys” tab and make Splunk use that, or you can export the default certificate Splunk creates and upload it to Keycloak.

This is assuming you are signing assertions from Splunk, which IIRC is the default setting.
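The check suggested in the reply above, as an added example that is not part of the original post: a Python script that takes the `SAMLRequest` form field a browser POSTs to Keycloak (or the deflated redirect-binding variant), pulls the `ds:X509Certificate` Splunk embeds in `ds:KeyInfo`, and compares its SHA-256 fingerprint with the certificate configured on the Keycloak client’s “SAML Keys” tab. The AuthnRequest and both certificate blobs are constructed placeholders (the script only hashes bytes, so it behaves the same on a real certificate); the Splunk issuer URL is assumed.

```python
import base64
import hashlib
import zlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders standing in for DER-encoded X.509 certificates.
SP_CERT_DER = b"constructed placeholder for Splunk's signing certificate" * 3
STALE_CERT_DER = b"constructed placeholder for an older certificate" * 3
SP_CERT_B64 = base64.b64encode(SP_CERT_DER).decode("ascii")        # what Keycloak should hold
STALE_CERT_B64 = base64.b64encode(STALE_CERT_DER).decode("ascii")  # a mismatched upload

# Constructed AuthnRequest in the shape Splunk sends over the HTTP-POST binding.
# The signature value is not real; only the KeyInfo certificate matters here.
AUTHN_REQUEST_XML = f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2020-03-09T07:00:00Z"
    Destination="http://localhost:8080/auth/realms/master/protocol/saml">
  <saml:Issuer>https://splunk.example.test:8000/saml/acs</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo/>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SP_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""

# The SAMLRequest form field as the browser POSTs it to Keycloak.
SAML_REQUEST_FIELD = base64.b64encode(AUTHN_REQUEST_XML.encode("utf-8")).decode("ascii")

# A request with no Signature at all, to show the failure mode of the check.
UNSIGNED_REQUEST_FIELD = base64.b64encode(
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed-id-2" Version="2.0" IssueInstant="2020-03-09T07:00:00Z"/>'
).decode("ascii")


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64 (URL-encoding omitted)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def decode_saml_request(field: str) -> bytes:
    """Undo the transport encoding of a SAMLRequest value, whichever binding sent it.

    Sniff for a leading '<' (POST binding: plain XML) instead of trusting the
    binding name; otherwise raw-inflate (Redirect binding).
    """
    raw = base64.b64decode(field)
    if raw.lstrip().startswith(b"<"):
        return raw
    return zlib.decompress(raw, -15)


def signing_cert_from_authn_request(field: str) -> bytes:
    """Return the DER certificate embedded in ds:KeyInfo, or raise if there is none."""
    root = ET.fromstring(decode_saml_request(field))
    node = root.find(".//ds:X509Certificate", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("AuthnRequest carries no X509Certificate: unsigned, or KeyInfo stripped")
    return base64.b64decode("".join(node.text.split()))


def sha256_fingerprint(der: bytes) -> str:
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_request_cert(field: str, keycloak_client_cert_b64: str) -> dict:
    """Compare the request's certificate with the one on the Keycloak client's
    'SAML Keys' tab (base64 DER, as Keycloak displays it)."""
    sent = sha256_fingerprint(signing_cert_from_authn_request(field))
    configured = sha256_fingerprint(base64.b64decode("".join(keycloak_client_cert_b64.split())))
    return {"match": sent == configured, "sent": sent, "configured": configured}


if __name__ == "__main__":
    for label, configured in (("current cert", SP_CERT_B64), ("stale cert", STALE_CERT_B64)):
        result = check_request_cert(SAML_REQUEST_FIELD, configured)
        print(f"{label}: match={result['match']}")
        print(f"  sent       {result['sent']}")
        print(f"  configured {result['configured']}")
```

To use it on a real deployment, copy the `SAMLRequest` value from the browser’s network tab after clicking the Splunk login button, and the certificate text from the client’s SAML Keys tab; a `match` of `False`, or the `ValueError` for a request without `KeyInfo`, points at the certificate mismatch the reply describes rather than one of the other causes of “Invalid Requester”.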

Hi, it works, thanks.

Could anyone explain what should be done on Splunk’s side? I’ve imported the Splunk server’s PEM into Keycloak and specified Keycloak’s certificate using the clientCert parameter in authentication.conf, but it still doesn’t work. What am I missing?