Encountered an issue with Splunk SAML authentication in conjunction when using scripted inputs for leveraging splunk cloud gateway for mobile.
We have configured SAML with Azure AD for SSO with our existing SHC. As part of Splunk cloud gateway implementation, we performed few additional steps mentioned in the document which is recommending to include scripted inputs.
Post saving the above config, we started noticing issue with SSO auth. The very first SAML request works fine and the subsequent requests starts failing with 404 0r 500 response error on the browser.
In Splunk internal logs, we observed below error after successful splunk SAML response
Seems like the azureScripted.py is not able to obtaimn relevant token from the apikey and query azure graph endpoint for user impersonation. Need help with troubleshooting this issue and see if any users have successful implementation of. splunk cloudgateway with SAML authentication.
We recently updated to 8.0.2 and encountered the same issue yesterday when trying to implement Cloud Gateway. Oddly at first we had a period of about 4 hours where it seemed to work and I was able to register and use devices, but after we began to see the 404 errors.
I wanted to add an update to this after some troubleshooting.. When our crash occurred, a user in the admin group got the message that he did not have the cloud gateway role, though he should have had it. As soon as he tried to add a device, we began getting the 404 errors. This was after two users had successfully added devices to cloud gateway.
To get our search head back online, I renamed the script to 1azureScripted and restarted splunk. When I went back into the SAML configuration, I noticed that the "Script Functions" and "Script Secure Arguments" blocks were empty, although they both showed up in the authentication.conf file. I updated the file and the script function to the original values, which got things working again.
One thing that has me puzzled, is that I had to update the azurescripted.py file to make it proxy aware, and it the process I messed up some of the space/tab combos which resulted in an error, meaning that the script never could've executed successfully anyway.
It seems like we are able to generate tokens as long as something in entered in the script field. If a user has an error during device registration or splunk is restarted, you will begin to see the 404/500 errors.
Are you also using scripted input options with oyur existing saml config. We noticed the provided Azure saml script under authScriptSamples directory doesnt use any oauth implementation to obtain acces token for querying saml endpoints. Are you also using azure sso for your saml auth.
We are using azure sso and trying to use the scripted input options, though the only thing that seems to matter is the name of the script. I can literally put a hello world script in there and I can generate tokens until something crashes or the search head is restarted.
We ended up having to disable the scripted input options. Things worked normally for a bit, but then we started randomly getting the 404/500 pages and would have to re-authenticate to azure using the splunk login url. After re-authenticating it would work for a few minutes, then give us errors again.
I think we finally got it working after making few changes to the script to use Ouath client_credentials to obtain token for user validation. Also we had to switch the name id format in the saml config to use email address as inout for username in the script. Since our Azure graph endpoint doesnt return the group display name we had to use the id in our saml group to map to a relevant role.
Would you be willing to share the changes you made to get this working? It sounds like we're in a very similar situation and I imagine the changes will be similar to what we need to do.