All Apps and Add-ons

Shibboleth Add-on for Splunk v1.1.0 - bugs

New Member

I spent a little time testing this app a few days ago and found a number of bugs when ingesting process logs from my Shibboleth v3 IdP. Al testing was done on 7.2.9 Splunk Enterprise.

First a couple of notes to anyone that comes across this. There are index time operations so this has to go on the Indexer and Search layers. Immediately after installing the app (from SplunkWeb) it asks to reboot. I didnt look into this much but when splunkweb comes back form the restart (after authenticating) it has a 500 internal server error. it seems like the app is supposed to have some workflow to configure the app but it doesn't work. So before restarting you might want to add ..Shibboleth_App/local/app.conf and add "is_configured = 1" to avoid the 500 error.

In props.conf the signature-id regex doesn't seem to work in all cases. I had to fix it with:
EXTRACT-signature_id = ^[^[\n]*[[\w.-]+:(?\d+)

Then there are a couple bugs in the very basic dashboards:

In overview.xml the "Applications Use By User" dashboard panel had a hard coded index="shibboleth" and so it didnt load any data if using a different index. To make the macro index selection work it needs to be updated with get_index instead of index="shibboleth".

Likewise in shib_auth_activity.xml in the Top Unique Destinations dashboard panel the search starts with "index=shibboleth get_index sourcetype=shibboleth:audit" which obviously loads nothing since its trying to get events from two indexes. Remove the "index=shibboleth" part so that the macro works.

Hopefully this saves other admins time and testing if they use this app and perhaps they can be rolled into a bug fix release.

Also, is this app compatible with 7.3 and 8.0?

0 Karma

Path Finder

Hey @mab_cu - are you still around?

We're investigating using this addon as we are spinning up Shibboleth at our institution. Have you found any further information since you made this post?

In the app.conf file, I found a couple names of the authors, and I'm trying to reach out to them to get some more background on things. In the meantime, I wonder if this can be grafted or modified.

There is a "" file that I suspect is trying to perform that workflow you reference. It appears pretty lightweight and provided by Splunk, so I wouldn't imagine it is too hard to make work properly. I did see that same error upon looking at the dashboards in our Heavy Forwarder.


Biggest problem I face is that because this isn't certified with 8.0, I can't install it into our Splunk Cloud instance. So I am hoping to get help with that.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...