topic SAML Login problem: Saml response does not contain group information. in Splunk Enterprise

SAML Login problem: Saml response does not contain group information.

Branden — Thu, 12 Dec 2024 20:37:26 GMT

Hello. I am trying to get SAML authentication working on Splunk Enterprise using our local IdP, which is SAML 2.0 compliant.

I can successfully authenticate against the IdP, which returns the assertion, but Splunk won't let me in. I get this error: "Saml response does not contain group information."

I know Splunk looks for a 'role' variable, but our assertion does not return that. Instead, it returns "memberOf", and I added that to authentication.conf:

[authenticationResponseAttrMap_SAML] role = memberOf

I also map the role under roleMap_SAML.

It seems like no matter what I do, no matter what I put, I get the "Saml response does not contain group information." response.

I have a ticket open with tech support, but at the moment, they're not sure what the issue is. Here's a snippet (masked) of the assertion response:

<saml2:Attribute FriendlyName="memberOf" Name="urn:oid:1.2.xxx.xxxxxx.1.2.102" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string"> xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:some-group </saml2:AttributeValue> </saml2:Attribute>

Feeling out of options, I asked ChatGPT (I know, I know), and it said that the namespace our assertion is using may be the issue. It said that Splunk uses the "saml" namespace, but our IdP is returning "saml2". I don't know if that's the actual issue nor, if it is, what to do about it.

splunkd.log shows the error message that I'm seeing in the web interface:

12-12-2024 15:14:24.611 -0500 ERROR Saml [847764 webui] - No value found in SamlResponse for match key=saml:AttributeStatement/saml:Attribute attrName=memberOf err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute

I've looked at the Splunk SAML docs, but don't see anything about namespacing, so maybe ChatGPT just made that up.

What exactly is Splunk looking for that I'm not providing?

If anyone has any suggestions or insight, please let me know.

Thank you!

Re: SAML Login problem: Saml response does not contain group information.

PaulPanther — Fri, 13 Dec 2024 08:45:14 GMT

Have you tried to map the "Name" to the "role" variable?

Have you checked the supported group information formats in the docs and verified it?

Configure SAML SSO using configuration files on Splunk Enterprise - Splunk Documentation

Re: SAML Login problem: Saml response does not contain group information.

Branden — Fri, 13 Dec 2024 14:24:46 GMT

Thank you for your response.

The answer is "yes" to both questions. I've tried mapping the role to Name, memberOf, and FriendlyName.

It looks like the response uses "DN format," and the example in the docs is similar to the response I'm receiving.

One difference I did notice from the doc, however, is the value it's returning. In the doc, it appears to be returning LDAP memberships: CN=Employee, OU=SAML Test, DC=qa, etc... Our back-end uses Grouper for authorization, and the value looks more like org:sections:managed:employee:saml-test:qa:etc... I wonder if that's confusing Splunk...? I'm grasping at this point.