Skip navigation
Documentation

Duo Two-Factor Authentication for Splunk Enterprise

Last Updated: March 19th, 2021

Contents

Duo integrates with Splunk Enterprise to add two-factor authentication to your Splunk logins, complete with inline self-service enrollment and Duo Prompt.

Overview

Before starting to add two-factor authentication to Splunk Enterprise, make sure that Duo is compatible with your Splunk install. Log into Splunk's web interface and click the about link in the top right corner.

Splunk Enterprise 6.5 and later on-premises solutions natively include Duo Security MFA. Users of these Splunk versions do not need to download and install the Duo plugin from Duo. Instructions for Splunk 6.5 and later

If you're using Splunk 6.4 or earlier, you'll need to download and install a Duo plugin. Instructions for Splunk versions 6.4 and earlier

Splunk Cloud does not support Duo MFA.

Connectivity Requirements

This application communicates with Duo's service on SSL TCP port 443.

Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.

Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.

First Steps

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate the entry for Splunk with a protection type of "2FA" in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
  4. Use NTP to ensure that your server's time is correct.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Duo Universal Prompt

The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.

Universal Prompt Traditional Prompt
 Duo Push in Universal Prompt  Duo Push in Traditional Prompt

Read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.

Migration to Universal Prompt for your Splunk application will be a three-step process:

  • Splunk updates the Splunk application to implement a redirect to Duo during authentication to support the Universal Prompt. You may need to change a setting in Splunk so that it uses the updated Duo application.
  • Authenticate with Duo 2FA using the updated application so that Duo makes the Universal Prompt activation setting available in the Admin Panel. This first authentication after updating will show the traditional Duo prompt in a redirect.
  • You activate the Universal Prompt experience for users of that Duo Splunk application.

Splunk needs to update Splunk to support the Universal Prompt, but the update isn't available yet. The "Universal Prompt" section reflects this status as "Waiting on App Provider" with the activation options inaccessible. Please contact Splunk to request Duo Universal Prompt support for Splunk.

Universal Prompt Info - Update Not Yet Available

In the meantime, you can use Duo with Splunk and the traditional prompt experience.

After Splunk makes the necessary changes available you may need log in to Splunk as an admin to enable Duo Universal Prompt support.

You'll later return to the settings on this page to activate the Universal Prompt for your Splunk users after Splunk releases the update.

Universal Update Progress

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.

Read the Universal Prompt Update Guide for more information about the update process to support the new prompt, and watch the Duo Blog for future updates about the Duo Universal Prompt.

Configure Duo for Splunk 6.5 and later

  1. Log into Splunk Enterprise as an admin and navigate to SettingsUsers and AuthenticationAccess Controls.

  2. Click on Authentication Method.

  3. Under "Multifactor Authentication", select Duo Security and then click Configure Duo Security.

  4. Fill out the form with your Duo Splunk application information:

    Integration Key Your integration key
    Secret Key Your secret key
    API Hostname Your API hostname (i.e. api-XXXXXXXX.duosecurity.com)
    Authentication behavior when Duo Security is unavailable Choose **Let users login** to allow Splunk logins when Duo Security cloud services are unreachable, or **Do not let users login** to prevent access to Splunk without Duo authentication.
    Connection Timeout The maximum limit, in seconds, to complete authentication.

    Splunk automatically generates an Application Secret Key for you. If you'd like to use your own, it should be a mix of letters and numbers at least 40 characters long.

    You can generate a random string in Python with:

    import os, hashlib
    print hashlib.sha1(os.urandom(32)).hexdigest()
    
    Splunk Native MFA Configuration
  5. Click the Save button when done. You can now test your setup

Learn more about Splunk's native support for Duo MFA in the online manual.

Install Duo for Splunk 6.4 and earlier

This configuration was tested against versions 4.3.25.0.7, 6.0.1, and 6.1.4. Splunk 6.2-6.4 must be started in "legacy mode" to use the Duo plugin. See instructions for Windows 6.2 , 6.3, or 6.4 and Linux 6.2, 6.3, or 6.4 at Splunk's documentation site).

Download the duo_splunk package from GitHub as a zip file and uncompress the package.

From the command line, run the install script from within the duo_splunk directory with the following arguments:

$ ./install.sh -i <your_ikey> -s <your_skey> -h <your_host> -d <splunk_location>

Required Arguments

-i Your integration key (i.e. DIXXXXXXXXXXXXXXXXXX)
-s Your secret key
-h Your API hostname (i.e. api-XXXXXXXX.duosecurity.com)

Optional Arguments

-d The directory where Splunk is installed. Defaults to /opt/splunk if not specified.

Manual Installation Instructions

All paths in these instructions are relative to where your top level splunk/ directory is.

  1. Apply the account.py.diff patch to lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/account.py

  2. Edit lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/account.py to add your Duo account specific API keys (IKEY, SKEY, DUO_HOST, and AKEY).

  3. Copy duoauth.html into share/splunk/search_mrsparkle/templates/account/

  4. Copy duo.web.bundled.min.js into share/splunk/search_mrsparkle/exposed/js/contrib/

  5. Copy duo_web.py into lib/python2.7/site-packages/

  6. Restart splunkweb: $ bin/splunk restart splunkweb

Upon your next login you will be prompted to enroll or authenticate your user using Duo.

Test Your Setup

Open a new browser and log into Splunk. After you complete primary authentication, the Duo enrollment or login prompt appears.

Splunk Login with Duo

Configure Allowed Hostnames

If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID) in the traditional Duo Prompt, Duo recommends configuring allowed hostnames for this application and any others that show the inline Duo Prompt before onboarding your end-users.

The Duo Universal Prompt has built-in protection from unauthorized domains so this setting does not apply.

Troubleshooting

Need some help? Take a look at our Splunk Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

Splunk Network Diagram
  1. Splunk connection initiated
  2. Primary authentication
  3. Splunk connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. Splunk receives authentication response
  6. Splunk session logged in