topic Re: SHC with SAML authentication - role update on existing group does not apply in Security

SHC with SAML authentication - role update on existing group does not apply

sylbaea — Wed, 28 Jun 2017 10:57:15 GMT

Hello,

I have a Search Head Cluster configured with SAML authentication (ADFS)...
For an existing SAML group (already granted with some role), adding new roles using GUI does not apply.

For instance I have a user user1 member of SAML group group1.
And I have several roles app1, app2, app3

I initially grant the user with role app1... Looking at authentication.conf, I see:

[userToRoleMap_SAML]
user1@domain.com = app1

[roleMap_SAML]
app1 = group1

For this first test, access to app1 is ok for user1... Also I already noticed that the role group assignment has been copied to the user... Strange but so far, it does not create a real problem.

But then if I edit again group role assignment to add more roles. This time, I get:

[userToRoleMap_SAML]
user1@domain.com = app1

[roleMap_SAML]
app1 = group1
app2 = group1
app3 = group1

roleMap_SAML is updated as expected, but this time, no copy-paste to the user section.
And the roles are never really granted to the user including after a rolling restart.
I checked the value of roles using "| rest splunk_server=local /services/authentication/current-context " and I only see the role defined by user mapping.

Why does the group mapping does not work ?

Re: SHC with SAML authentication - role update on existing group does not apply

suarezry — Wed, 28 Jun 2017 20:38:15 GMT

I need some clarification... Are you trying to login through ADFS as user1 and your problem is that this user is not being given the app2 and app3 role in splunk?

Re: SHC with SAML authentication - role update on existing group does not apply

sylbaea — Thu, 29 Jun 2017 01:33:21 GMT

yes, this is my problem.
In the meantime, I found old discussions here about same problem. It was stated that we cannot have both SSO with SAML and role group remapping working... Does this limitation still exist ?
In same discussions, it was also suggested to create roles directly matching AD groups. I have not tried that yet but ideally I would like to be able to maintain my own naming convention for roles in Splunk.

Re: SHC with SAML authentication - role update on existing group does not apply

brreeves_splunk — Thu, 29 Jun 2017 12:56:43 GMT

I do not believe that this limitation exists. What version are you running?

Re: SHC with SAML authentication - role update on existing group does not apply

suarezry — Thu, 29 Jun 2017 14:06:27 GMT

Ok, so your first step is to find out what role information ADFS releasing to you, to pass to splunk. Use a browser plugin to trace your saml messages:
https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

What is the role information in the ADFS assertion?

Re: SHC with SAML authentication - role update on existing group does not apply

sylbaea — Thu, 29 Jun 2017 14:08:17 GMT

6.5.3 (Windows)

Re: SHC with SAML authentication - role update on existing group does not apply

brreeves_splunk — Thu, 29 Jun 2017 14:11:23 GMT

Based on the configuration, as long as user1 is a member of group1, they should receive those permissions as well as their userToRoleMap permissions.

Re: SHC with SAML authentication - role update on existing group does not apply

sylbaea — Thu, 29 Jun 2017 14:11:54 GMT

As explained above, this part works fine... group list is properly communicated through SAML answer (I did use similar plugin to the one you suggest to confirm that)... My problem is for the next role update... For unknow reason, it does not look to be taken into account. And I am not sure what are the constraints (do we need to restart the all SHC members to refresh the role config ? do we need impacted users to explicitly logout, etc.)

Re: SHC with SAML authentication - role update on existing group does not apply

brreeves_splunk — Thu, 29 Jun 2017 14:12:12 GMT

This would be good to confirm that it is returning the group we think it is (group1) so that we're sure it SHOULD be applying that role to user1.

Re: SHC with SAML authentication - role update on existing group does not apply

brreeves_splunk — Thu, 29 Jun 2017 14:12:53 GMT

You do need to do an Authentication Refresh under Settings > Authentication Method at the bottom.

Re: SHC with SAML authentication - role update on existing group does not apply

suarezry — Thu, 29 Jun 2017 14:16:32 GMT

Ok...
If you have confirmed that ADFS is passing the correct role information with a browser plugin then your next step is to look at $SPLUNK_HOME/var/log/splunk/splunkd.log for any SAML related errors or warnings.

Re: SHC with SAML authentication - role update on existing group does not apply

sylbaea — Thu, 29 Jun 2017 14:24:09 GMT

Thanks ! I missed that button... It does resolve my concern... This being said, I do not remember it was advised to use this button in the documentation... Maybe I missed it too.
Thanks a lot.

Re: SHC with SAML authentication - role update on existing group does not apply

sylbaea — Thu, 29 Jun 2017 14:24:37 GMT

you may want to put your comment as an answer.

Re: SHC with SAML authentication - role update on existing group does not apply

brreeves_splunk — Thu, 29 Jun 2017 14:26:14 GMT

Done. Please upvote for exposure. 🙂 (yay fake internet points!)

Re: SHC with SAML authentication - role update on existing group does not apply

sidhantbhayana — Fri, 20 Jul 2018 14:17:11 GMT

@brreeves
I am facing the same issue, after removing the user from SAML portal, the user remains in the authentication.conf, however he is not able to login. How do I address this concern ?

Re: SHC with SAML authentication - role update on existing group does not apply

brreeves_splunk — Fri, 20 Jul 2018 22:38:19 GMT

@sidhantbhayana if you remove them from the SAML IdP, they will no longer have access. Authentication.conf is what gets applied after they are approved by the IdP.

Re: SHC with SAML authentication - role update on existing group does not apply

deepamshah — Tue, 26 Feb 2019 22:12:56 GMT

@sylbaea - I am strugging with setting up Splunk SHC to work with ADFS (all internal) ... any chance you can share any info?

I have a F5 LB VIP (no SSL) - call this https://splunk:443 that points to 3 SHC members (call this https://splunk1:8000 , https://splunk2:8000, https://splunk3:8000)

Each of the splunk cluster members - have the same "ssl certificate" with CN = splunk (Custom CA signed cert)

I am struggling to follow steps on https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/SAMLSHC .....

Any help would be great!

Re: SHC with SAML authentication - role update on existing group does not apply

roshanadabala — Mon, 08 Jul 2024 11:58:49 GMT

I have added a New SAML group from our organisation Azure AD and assigned a role which was created before with limited privileges/capabilities and access to only 2 indexes. However, users in that group have reported being unable to access the resources. Upon verifying in the users section of Splunk Cloud settings, I noticed that the specific users involved in that group were not assigned their roles. Is there a troubleshooting step I should take? I noticed an option in the SAML settings to reload the SAML configuration, but I am hesitant to click on it.