We are in a distributed configuration. We want to add SSO to Splunk with Active Directory Federation Services (ADFS). We have only configured SSO with ADFS on the search head. The authentication works fine (with a little bit of work). But we have a strange behavior with dashboards:
- when running the inline search from a panel, no issue: data is retrieved and displayed correctly
- when running the search from the dashboard: data is not displayed, we get a "no result found"
I've tried to add a new panel on an existing dashboard, same issue. On a new dashboard (private or shared), same issue. I think this is related to a role permission, but I don't know how to troubleshoot this.
Has anyone already encountered this behavior? Do we need to set up SSO on all nodes of the Splunk infrastructure (search head and indexer)?
You do not need to set up SSO on the indexer. It's only required for the search head.
If you hover your mouse over the panel, a toolbar shows up at the bottom. One of the icons is "open in search"; click on this and confirm you do indeed get results. Then click on the "i" icon (inspect). This will open up the Search Job Inspector window. There is a link for "search.log" which you can browse; it will state the reason why no results are found.