topic Re: Creating Tokens in Splunk via GUI in Monitoring Splunk

Creating Tokens in Splunk via GUI- How to troubleshoot error?

anandhalagaras1 — Thu, 30 Jun 2022 15:47:42 GMT

Hi Team,

Recently we have upgraded our Splunk Cloud to 8.1.2011.1 version. So we got a requirement to create a Token so I have navigated to Settings and clicked Token. By default it was in disabled state so I have enabled it and when I tried to create Token in GUI. I am getting an error as below"

"Token creation failed because: Cannot use tokens for SAML user anandh because neither attribute query requests (AQR) nor scripted auth are supported."

I am an admin but still I couldn't able to create the token and moreover the user authentication is happening via SAML and the SAML has been configured in Azure end.

So kindly let me know how to fix it and create a token.

Re: Creating Tokens in Splunk via GUI

General_Talos — Mon, 11 Jan 2021 08:35:33 GMT

Hey @anandhalagaras1

If I am not wrong , Splunk "authentication tokens" are not for SAML user because they already have permission to Access Splunk (with SAML username and Pass.).

"Authentication Tokens" are for non SAML users and temporary/time-based access to a user with token generated by admin.

For more :
https://docs.splunk.com/Documentation/Splunk/8.1.1/Security/UseAuthTokens

Re: Creating Tokens in Splunk via GUI

scottj1y — Mon, 28 Jun 2021 20:25:22 GMT

If your cluster uses LDAP then how can there be non-LDAP users? The authentication conf file will be configured to use LDAP. I tried setting it up for a user in our authentication.conf file and got the same error that the OP got.

Re: Creating Tokens in Splunk via GUI

vzabawski — Thu, 30 Jun 2022 14:19:56 GMT

Authentication tokens are supported with SAML, internal and LDAP authentication mechanisms.

However, for SAML, your identity provider needs to support AQR (Attribute Query) or have a custom authentication extension. Splunk provides custom authentication extension out of the box for Okta and Azure.

Source: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Security/Setupauthenticationwithtokens#Supported_authentication_schemes

Re: Creating Tokens in Splunk via GUI

vzabawski — Thu, 30 Jun 2022 14:22:29 GMT

Internal users co-exist with your authentication mechanism without any issues. Have been using internal users with LDAP and SAML. You just need to add en-US/account/login?loginType=Splunk to your Splunk url in order to log in with the internal user.

Re: Creating Tokens in Splunk via GUI

vzabawski — Thu, 30 Jun 2022 14:50:16 GMT

Token authentication mechanism kind of works in parallel with SAML, so it requires SAML Attribute Query support in order to retrieve the information about group membership. Without AQR, this can be done with a script which extends Splunk auth and retrieves the information about group membership on its own, without AQR.

You have 3 possible options:

1. Use identity provider which supports Attribute Query (AQR)

2. Use Azure or Okta since Splunk has auth extensions for them out of the box

3. Create your own authentication extension.

If I'm not mistaken, Splunk cloud doesn't support auth extensions, so option 3 might be not applicable to your case.