Todd Waller

SSO, Splunk and Troubleshooting v2

Hello Everyone

In the last post we talked about setting up and testing SSO with Splunk.

In my deployment this setup and configuration went great, minus one detail we hadn't thought about.

When authenticating as users, as well as power users, the accounts worked great.

The problem we ran into, and hadn't initially thought of, was that as Splunk Administrators we used a separate account to authenticate into Splunk. So when we would SSO into Splunk, it would authenticate us as our user/power user accounts and not as our Administrator accounts.

We had several options for handling this, but the workaround we settled on was creating a privileged workstation we could RDP to and access Splunk Web from there using our new privileged Administrator SSO credentials.

Once we did this we had to move our knowledge objects off the previous Administrator account. This was really easy using the web UI. You can do this by going to: Settings -> All Configurations -> Reassign Knowledge Objects

There you can use filters to find all of your knowledge objects and select/change them en masse.
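If you have a lot of objects to move, or want to audit what is still owned by the old Administrator account before retiring it (scheduled searches and alerts keep running under whoever owns them), the same reassignment can be scripted against the REST API. The following is an added example, not code from the original post; the REST endpoint shapes it relies on are stated in its docstring as assumptions to verify, and the host, usernames and object names are constructed sample data.

```python
"""Audit and reassign Splunk knowledge objects still owned by an old admin account.
Added example, not code from the original post. Assumes (verify against your Splunk
version's REST reference) that /servicesNS/-/-/directory lists knowledge objects as
JSON with entry[].id and entry[].acl.{owner,sharing}, and that each object's /acl
endpoint accepts POSTed 'owner' and 'sharing' fields."""
import json
import urllib.parse
import urllib.request


def plan_reassignments(directory_json, old_owner, new_owner):
    """Return [(acl_url, fields)] for every object still owned by old_owner.
    Current sharing level is preserved; the acl endpoint wants it sent with owner."""
    plan = []
    for entry in json.loads(directory_json).get("entry", []):
        acl = entry.get("acl", {})
        if acl.get("owner") != old_owner:
            continue  # objects owned by anyone else are left untouched
        fields = {"owner": new_owner, "sharing": acl.get("sharing", "user")}
        plan.append((entry["id"].rstrip("/") + "/acl", fields))
    return plan


def apply_plan(plan, session_key, dry_run=True):
    """POST each reassignment; with dry_run=True only count what would change."""
    changed = 0
    for url, fields in plan:
        if not dry_run:
            req = urllib.request.Request(
                url, data=urllib.parse.urlencode(fields).encode(),
                headers={"Authorization": "Splunk " + session_key}, method="POST")
            urllib.request.urlopen(req)  # raises on HTTP errors
        changed += 1
    return changed


# Constructed sample directory listing: two objects are still owned by admin_old.
BASE = "https://splunk.example:8089/servicesNS"
SAMPLE_DIRECTORY = json.dumps({"entry": [
    {"name": "Failed Logins", "id": BASE + "/admin_old/search/saved/searches/Failed%20Logins",
     "acl": {"owner": "admin_old", "app": "search", "sharing": "app"}},
    {"name": "Daily Report", "id": BASE + "/jdoe/search/saved/searches/Daily%20Report",
     "acl": {"owner": "jdoe", "app": "search", "sharing": "user"}},
    {"name": "asset_lookup", "id": BASE + "/admin_old/search/data/lookup-table-files/asset_lookup.csv",
     "acl": {"owner": "admin_old", "app": "search", "sharing": "global"}},
]})

if __name__ == "__main__":
    for url, fields in plan_reassignments(SAMPLE_DIRECTORY, "admin_old", "admin_sso"):
        print("would POST", fields, "to", url)
```

Run it in dry-run mode first and compare the list against what the Reassign Knowledge Objects page shows; only then call apply_plan with dry_run=False and a real session key.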

The other thing to remember is that once SSO is enabled there is always a backdoor you can use to log in:


These were just a few things we encountered that are worth noting for the rest of you, in case you run into some of them yourself.


Have a great weekend!

