SSO, Splunk and Troubleshooting v2
In the last post we talked about setting up and testing SSO with Splunk.
In my deployment this setup and configuration went great... minus one detail we hadn't thought about.
When authenticating users, as well as power users, accounts worked great.
The problem we ran into that we didn't initially think of was that as Splunk Administrators we used a separate account to authenticate into Splunk with. So when we would SSO into Splunk it would authenticate us as our user/power user accounts and not our Administrator accounts.
We had several options on how to handle this, but the workaround that we settled on was creating a privileged workstation we could RDP to and access Splunk web from there using our new privileged Administrator SSO credentials.
Once we did this we had to move our knowledge objects from the previous Administrator credentials. This was really easy using the web UI. You can do this by going to: Settings -> All Configurations -> Reassign Knowledge Objects
There you can use filters to find all of your knowledge objects and select/change them en masse.
The other thing to remember is that there is always a backdoor once SSO is enabled that you can use to log in:
These were just a few things we encountered that are worth noting for the rest of you in case you encounter some of them yourself.
Have a great weekend!