Archive
Highlighted

(Native) Splunk APP on WIndows Azure AD - Can't make It work

Path Finder

Hi,

I've been trying to make my Splunkweb able to login with SAML coming from Windows Azure AD, but even wasting few days on searching and diging in a lot of sites, communities and bad written docs I just can't make It Work.

This is what I have until now.

alt text

My Cloud Scenario in AWS is shown in the picture above (CLOUD)

I'm Using an AWS ELB with two listeners:
Port 80 to Splunk's 80
Port 443 (with certs) to Splunk's 80

My splunk web is running on port 80.


AZURE SIDE

  1. In WAAD > Add an app from the gallery, choose Splunk and named it Splunk.
  2. Once the app was added, I click on "Configure single sign-on".

On the Wizard

2.1. Click on "Microsoft Azure AD Single Sign-On".

SEE WIZARD1 in the picture on top

2.1. Now starts the guessing game, Why in the doc [Configure SSO with AzureAD or AD FS as your Identity Provider][3] The writer didn't just give examples of filling this fields? A Doc about Integration with AD tells nothing about the required information on the AD side to an APP provided by the Splunk It self.

SEE WIZARD2 in the picture on top

In the field "SIGN ON URL" there'1s an example to use, unbelievable win, but how about "IDENTIFIER" and "REPLY URL" ?

The Azure Wizard Help tells me this about them:
IDENTIFIER
The Identifier should uniquely identify the application for which single sign on is being setup. Typically this is also a value that azure will send back to application as 'audience' of authentication token and the application is expected to validate it. This is also referred to as the "Entity Id" in SAML.
REPLY URL
The reply URL is where the application expects to receive the authentication token. This is also referred to as the "Assertion Consumer Service" (ACS) URL in SAML.

"Entity Id" and "ACS" in SAML

The guessing game leaded me to get data in a path http s://mysplunkweb/saml/spmetadata. It tells me this about the fields I mentioned above.

entityID="splunkEntityId" - what it means?

Location="http ://sso1:80/saml/acs" - May I assume "http ://mysplunkweb:80/saml/acs" ?

Continuing the Guessing game, I filled like this.

SIGN ON URL: http s://mysplunkweb/en-US/app/launcher/home
IDENTIFIER: urn:oasis:names:tc:SAML:2.0:metadata
REPLY URL: http s://mysplunkweb:80/saml/acs

2.3. In the 3rd step I download the FederationMetadata.xml to upload on my Splunkweb.
* Honorable Mention to the link "View Splunk configuration instructions" that days ago leaded to another app, today leads to nowhere, and tomorrow who knows.

SEE WIZARD3 in the picture on top

2.4. Once uploaded on Splunkweb I click "next", then Finish.

SPLUNKWEB SIDE

On Splunkweb

Now the documentation is useful.

  1. Settings > Access Controls > Authentication method > Mark "SAML" and click on "Configure Splunk to use SAML"

    1. Click on "SAML Configuration". Opening a form where the first thing is upload the FederationMetadata.xml mentioned in a previous step.

This Action fills the fields: "Single Sign On (SSO) URL", "Single Log Out (SLO) URL" and "IdP certificate path" but not "Entity ID", which tells on mouse hover the Icon "?" "This is your Splunk Instalation". What it means?
The Documentation says "This field is the entity ID as configured in the SP connection entry in your IdP." If this is in the FederationMetada why doesn't fills like the rest? nvm..

  1. Fill Entity ID with http s://sts.windows.net/MyDirectoryID/ found in federationmetadata.

    1. Fill the rest of the fields as documented.

Advanced Settings
Attribute Alias Role: http ://schemas.microsoft.com/ws/2008/06/identity/claims/role
Attribute Alias Real Name: http ://schemas.microsoft.com/identity/claims/displayname
Attribute Alias Mail: http ://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Fully qualified domain name or IP of the load balancer: Empty
Redirect port - load balancer port: Empty
Redirect to URL after logout: Empty

Conclusion

I assigned the app to my User in AD, but when I try to access the app on my directory It shows me the this error:

Correlation ID: 2702cb32-ee6a-4f57-a250-e4da5ea4cc32
Timestamp: 2016-06-23 18:01:11Z
AADSTS70001: Application with identifier 'http s://sts.windows.net/xxxx/' was not found in the directory xxxx

Tags (1)
0 Karma
Highlighted

Re: (Native) Splunk APP on WIndows Azure AD - Can't make It work

Splunk Employee
Splunk Employee

The error is exactly what it says it is: You would have set the entityId in splunk to "http s://sts.windows.net/xxxx/" which seems like a typo to me. Ensure that entityId configured in splunk is exactly same as APPID URI of configured application.
Alternatively you could try SPLUNK APP in AZURE AD Marketplace it may configuration on Azure AD simpler. Let me know how it goes.

View solution in original post

Highlighted

Re: (Native) Splunk APP on WIndows Azure AD - Can't make It work

Path Finder

Thank you for answering, I filled the fields with the information present in FederationMetadata, but I tried many different information in EntityID like the app url... but It doesn't works anyway... I AM using the Splunk APP in Azure AD from their gallery, and It is not that simple... there's NO "how to" and as shown in right/down corner the link "View Splunk configuration Instructions" do NOT link to a "how to".

0 Karma
Highlighted

Re: (Native) Splunk APP on WIndows Azure AD - Can't make It work

Splunk Employee
Splunk Employee

Yeah sorry about no "how to" link being present I am going to enumerate the steps for you below.

1) Login to https://manage.windowsazure.com

2) Navigate to your directory by selecting the Azure Active Directory on the left hand pane, this will expose all the directories that are present. If you want a separate directory then create one, or else select the directory in which you want users to access splunk.

3) Click on "APPLICATIONS" tab, then go to "ADD" button on the bottom banner and click it. Select the option "Add an application from the gallery". This should be the second option.

4) This pops up "Add an application for my organization to use", go to the search box on the top right hand side and type "splunk", then search for the application by clicking on the search icon ( magnifying glass)
There is a lot of text on the right hand column of the page put your cursor there and hit tab (because of lot of text the text box is hidden and the page is not scrollable), this will show a "DISPLAY NAME" text box on the bottom of the page, fill-it with the name that you want this application to show up in your list of applications. We will call it "SplunkSamlAppForAzure"
Click on the check mark on the bottom.

5) Click on the app you just created in you applications pane.

6) On the next pane check on "Microsoft Azure AD Single Sign-On" (first option).

7) a)Fill in the SIGN ON URL, this is the landing page on which users are taken to in case of IdP initiated flow.
You can follow the tool tip and configure this to : https://YOUR_SPLUNK_SERVER_URL/en-US/app/launcher/home
b) Fill in IDENTIFIER field with entity id of Splunk, to uniquely identify Splunk within the Azure Directory.
We will set it to our splunk instance "https://mrt.sv.splunk.com:8001"
c)Fill in REPLY URL field with the https://YOUR_SPLUNK_SERVER_URL/saml/acs
d) Leave "Configure the certificate used for federated single sign-on (optional)." unchecked, you may want to explore this if you need to select a specific cert , or create a new cert to sign the assertions with. We will let it pick a default cert in this configuration.

😎 Go to the next page.
a) Download metadata this will be needed to configure splunk with IdP settings.
b) You can skip this as directions for configuring splunk havent been added yet.
c) Check the checkbox to confirm you have configured splunk.
d)Go to the next 2 pages.

9) Go to "ATTRIBUTES" tab on the top and click on it
a) click on add user attribute and give it name "realName" for value select user.displayname.
b) Add another attribute and give it name "mail" for value select user.mail
c) Click on "Apply Changes" on the bottom of the page.

10) Click on the blue cloud with a thunderbolt icon (on the left of "DASHBOARD" tab) to go to the screen and assign users to the application. Click on "Assign Accounts" and then add the users that you want to have access to the application.

We map splunk roles to the groups a user is part of in Azure Active directory. Typically the users are already as part of groups based on their role within the organization like "it admins", or "dev" or "test". Specifically for Azure AD we map them to ids of groups. We recommend to assign users from known groups so that when a user authenticates and his group object ids are sent in the authentication response are present in the role mapping present in splunk.

Assign users to the application.

11) Collect information about Groups that will be used to sign in to splunk. IdP in the saml assertion returns the groups that a user belongs to, on Splunk we map those groups to a Splunk Role. Azure AD instead of sending group names sends string identifiers for group id's we need to collect this information from Azure AD page. The object Id for group can be found by going to your Directory Page and then navigating to the group whose Object Id is to be retrieved.

Configure Splunk:

1) Configure "Group Object Id" to "Splunk Role" mapping.
a) Go to SAML configuration page. Click on "New Group" button on the top right hand side of the screen.
b) In the text box add "Group Object Id" that you collected in Step 11.
c) Select the Splunk group that you want to map the user to.
d) Hit Save.

2) Import Azure AD metadata.
a) Go to "SAML Configuration" button on right hand side on the corner.
b) Click on "MetaData XML File" and upload the metadata file that you downloaded in Step 9.
c) Fill entity id, this should be the same value as "IDENTIFIER" as you configured in 7.
d) Scroll down on the page and go to "Advance Settings" section and set values as
1) "Attribute Alias Role" : http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

Save configuration: logout and try to login again

Let me know how it goes.

Highlighted

Re: (Native) Splunk APP on WIndows Azure AD - Can't make It work

Path Finder

Thank you so much! it works! This "how to" just killed the question!

0 Karma
Highlighted

Re: (Native) Splunk APP on WIndows Azure AD - Can't make It work

Contributor

Thanks a lot rdimri_splunk this how to was very helpfull

0 Karma
Highlighted

Re: (Native) Splunk APP on WIndows Azure AD - Can't make It work

Path Finder

has anybody run across the issue of too many groups to get passed via the saml response? I am seeing a groups.link like this:
http://schemas.microsoft.com/claims/groups.link

there is a 150 group limit in Azure AD's saml implementation so any overage would be returned as a link instead of a list of groups. any idea what to do in that case to get the group names?