I spent a little time testing this app a few days ago and found a number of bugs when ingesting process logs from my Shibboleth v3 IdP. All testing was done on 7.2.9 Splunk Enterprise.
First a couple of notes to anyone that comes across this. There are index time operations so this has to go on the Indexer and Search layers. Immediately after installing the app (from SplunkWeb) it asks to reboot. I didn't look into this much but when splunkweb comes back from the restart (after authenticating) it has a 500 internal server error. It seems like the app is supposed to have some workflow to configure the app but it doesn't work. So before restarting you might want to add ..Shibboleth_App/local/app.conf and add "is_configured = 1" to avoid the 500 error.
In props.conf the signature-id regex doesn't seem to work in all cases. I had to fix it with:
EXTRACT-signature_id = ^[^[\n]*[[\w.-]+:(?<signature_id>\d+)
Then there are a couple bugs in the very basic dashboards:
In overview.xml the "Applications Use By User" dashboard panel had a hard coded index="shibboleth" and so it didn't load any data if using a different index. To make the macro index selection work it needs to be updated with `get_index` instead of index="shibboleth".
Likewise in shib_auth_activity.xml in the Top Unique Destinations dashboard panel the search starts with "index=shibboleth `get_index` sourcetype=shibboleth:audit" which obviously loads nothing since it's trying to get events from two indexes. Remove the "index=shibboleth" part so that the macro works.
Hopefully this saves other admins time and testing if they use this app and perhaps they can be rolled into a bug fix release.
Also, is this app compatible with 7.3 and 8.0?
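A check for the two dashboard bugs described in this post, as an added example that is not part of the original post or the app: it scans a Simple XML dashboard for searches that hard-code an index instead of relying on the `get_index` macro. The sample XML is constructed; only the panel titles, the macro name and the index literals come from the post, and the "Fixed Panel" entry and the fields after each pipe are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample dashboard: panel titles and index literals follow the post,
# the surrounding Simple XML structure and piped commands are assumptions.
SAMPLE_DASHBOARD = """<dashboard>
  <row>
    <panel><title>Applications Use By User</title>
      <chart><search><query>index="shibboleth" sourcetype=shibboleth:audit | stats count by user</query></search></chart>
    </panel>
    <panel><title>Top Unique Destinations</title>
      <chart><search><query>index=shibboleth `get_index` sourcetype=shibboleth:audit | top dest</query></search></chart>
    </panel>
    <panel><title>Fixed Panel</title>
      <chart><search><query>`get_index` sourcetype=shibboleth:audit | timechart count</query></search></chart>
    </panel>
  </row>
</dashboard>"""

# Literal index selection such as index=shibboleth or index="shibboleth".
# The \b keeps the macro name get_index itself from matching.
HARDCODED_INDEX = re.compile(r'\bindex\s*=\s*"?[\w*-]+"?', re.IGNORECASE)
MACRO = "`get_index`"


def audit_dashboard(xml_text):
    """Return (panel title, problem) for each search that bypasses the index macro."""
    findings = []
    root = ET.fromstring(xml_text)
    for panel in root.iter("panel"):
        title = panel.findtext("title", default="(untitled)")
        for query in panel.iter("query"):
            # Only the base search (before the first pipe) selects the index.
            base = (query.text or "").split("|", 1)[0]
            if not HARDCODED_INDEX.search(base):
                continue
            if MACRO in base:
                findings.append((title, "hard-coded index combined with macro"))
            else:
                findings.append((title, "hard-coded index, macro not used"))
    return findings


if __name__ == "__main__":
    for title, problem in audit_dashboard(SAMPLE_DASHBOARD):
        print(f"{title}: {problem}")
```

Running it over each file in the app's dashboard directory before deployment shows which panels will come up empty when the audit events are stored in an index other than "shibboleth".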