Before starting to add two-factor authentication to Splunk, make sure that Duo is compatible with your Splunk install. Log into Splunk's web interface and click the about link in the top right corner.
Splunk 6.5 and later natively includes Duo Security MFA. Users of Splunk 6.5 do not need to download and install the Duo plugin from Duo. Instructions for Splunk 6.5
If you're using Splunk 6.4 or earlier, you'll need to download and install a Duo plugin. Instructions for Splunk versions 6.4 and earlier
This integration communicates with Duo's service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service's high availability.
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
Log into Splunk as an admin and navigate to Settings → Users and Authentication → Access Controls.
Click on Authentication Method.
Under "Multifactor Authentication", select Duo Security and then click Configure Duo Security.
Fill out the form with your Duo Splunk application information:
|Integration Key||Your integration key|
|Secret Key||Your secret key|
|API Hostname||Your API hostname (i.e.
|Authentication behavior when Duo Security is unavailable||Choose **Let users login** to allow Splunk logins when Duo Security cloud services are unreachable, or **Do not let users login** to prevent access to Splunk without Duo authentication.|
|Connection Timeout||The maximum limit, in seconds, to complete authentication.|
Splunk automatically generates an Application Secret Key for you. If you'd like to use your own, it should be a mix of letters and numbers at least 40 characters long.
You can generate a random string in Python with:
import os, hashlib print hashlib.sha1(os.urandom(32)).hexdigest()
Click the Save button when done. You can now test your setup
This configuration was tested against versions 4.3.2, 5.0.7, 6.0.1, and 6.1.4. Splunk 6.2-6.4 must be started in "legacy mode" to use the Duo plugin. See instructions for Windows 6.2 , 6.3, or 6.4 and Linux 6.2, 6.3, or 6.4 at Splunk's documentation site).
From the command line, run the install script from within the duo_splunk directory with the following arguments:
$ ./install.sh -i <your_ikey> -s <your_skey> -h <your_host> -d <splunk_location>
||Your integration key
||Your secret key|
||Your API hostname
||The directory where Splunk is installed. Defaults to /opt/splunk if not specified.|
All paths in these instructions are relative to where your top level splunk/ directory is.
Apply the account.py.diff patch to lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/account.py
Edit lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/account.py to add your Duo account specific API keys (IKEY, SKEY, DUO_HOST, and AKEY).
Copy duoauth.html into share/splunk/search_mrsparkle/templates/account/
Copy duo.web.bundled.min.js into share/splunk/search_mrsparkle/exposed/js/contrib/
Copy duo_web.py into lib/python2.7/site-packages/
$ bin/splunk restart splunkweb
Upon your next login you will be prompted to enroll or authenticate your user using Duo.
Open a new browser and log into Splunk. After you complete primary authentication, the Duo enrollment or login prompt appears.