# Customer Search Head Notes

To add a customer-facing search head (including one for qmulos or qcontrol):

## Okta Setup - Directory -> Groups

1. In Okta Admin, go to Directory->Groups.
1. Add a group, such as 'FRTIB'.
1. Review the Rules tab, checking the group for 'Federated Users are Splunk Users'.

## Okta Setup - Security -> Identity Providers

1. In Okta Admin, go to Security->Identity Providers.
1. Add a provider. Follow one of the examples. For now, make up the customer's IdP URLs and use any certificate you can find temporarily. You'll get the real certificate from the customer later.
1. Expand the new IdP and download the metadata. Send it to the customer and ask for:
    * IdP Issuer URI (EntityID)
    * IdP Single Sign-on URL (Authn endpoint)
    * IdP Signature Certificate
1. In the Routing Rules tab, set up a new routing rule with the assigned prefix.

Notes: Okta also has configuration for Federated Users under:

* Security->Multifactor, Factor Enrollment tab. Federated Users are excluded from enrollment.
* Security->Authentication, Sign On tab. Federated users are excluded from MFA.

## Create the Application for the Search Head

1. Use our script to create the app in Okta:

   ```
   cd ~/msoc-infrastructure/tools/okta_app_maker
   # Replace 'blah' with your Okta API token.
   OKTA_API_TOKEN=blah ./okta_app_maker.py 'FRTIB Splunk Customer SH [Prod]' https://search.frtib.xdr.accenturefederalcyber.com
   ```

1. Edit ~/msoc-infrastructure/salt/pillar/CUST_variables.sls
1. Paste the info from the script and update the `if` clause.
1. Submit your PR to develop, then to master.
1. Edit the application in Okta:
    * Fix the icon
    * Assign the groups: CUST, mdr-engineers, mdr-admins, (Maybe more?)

## Add the customer SH to the customer

```
cd ~/xdr-terraform-live/prod/aws-us-gov/mdr-prod-CUST
cp -a ~/xdr-terraform-live/test/aws-us-gov/mdr-test-modelclient/190-splunk-customer-searchhead .
cd 190-splunk-customer-searchhead/
rm -rf .terragrunt-cache/
vim terragrunt.hcl # update tag to latest
vim ../account.hcl
# Add "splunk-cust-sh" to instance_types
# Add to splunk_volume_sizes:
    "customer_searchhead" = {
      "swap": 8,           # minimum: 8
      "/": 10,             # minimum: 10
      "/home": 4,          # minimum: 4
      "/var": 15,          # minimum: 15
      "/var/tmp": 4,       # minimum: 4
      "/var/log": 8,       # minimum: 8
      "/var/log/audit": 8, # minimum: 8
      "/tmp": 4,           # minimum: 4
      "/opt/splunk": 60,   # No minimum; not in base image
    },
```

Do a PR, get approval, then terraform, highstate, and proceed as usual.

## When Metadata from Customer is Received

Update the IdP configuration in Okta and test.