I'm trying to configure SAML authentication in a search head cluster (x3 peers). The configuration seems to be good since I can access with SAML users, and I don't have any errors in splunkd.log about SAML.
Now I'm running the tests, and for some reason, Splunk is ignoring the mapped roles. I mean, I have one SAML user (user1) and I gave it the user role. I created a test app that only the admin role can read and write. When I log in with user1, I can see the test app, access it and see all the content inside it. I tried a similar test with some other users, and every time the same thing happens.
I checked in Splunk Answers for similar cases and found this:
But none of those suggestions work for me. I tried:
defaultRoleIfMissing and blacklistedAutoMappedRoles with the same result.
The users exist in SAML and in Splunk (we have a migration pending), and I checked the roles in the local version and all of them have the user role.
Have I missed something? Any suggestions, please?
I won't be able to help much but would be curious if your test user is actually getting mapped to the admin role or just ignoring perms on that test app? Can the user share objects in the test app? Can they make other changes in Splunk that only the admin role should be able to?
Maybe if you can track down how it's broke, it can help you figure out why it's broke.
The user can create dashboards and panels inside the test app. When I edit the permissions, I only see two rows: Everyone and users. If I do the same with a SAML user with the admin role, I can see every row with every role.
With the SAML admin user I created a dashboard with admin role permissions. When I log in with the SAML user and check the permissions, I only see the two rows, but I can change the "Display for" option, and set it to private (for example).
The SAML user can only see the correct options in the settings menu, and the same goes for the SAML admin user.
The indexes seem to apply their permissions correctly, because, for example, the SAML user can't access the _internal index (this is correct because in the user role we have All non-internal indexes added).
I hope to do some more tests.
So the only thing that seems wrong is permissions to the app? If that's the case, have you logged in with any other users that shouldn't have access to that app but they do? Would probably want to rule out any app permission issues before moving onto possible SAML problems.
I created a specific app for the tests but this happens with any app. We have a lot more apps in PRO, each one with its particular privileges, and these SAML users can access all of them, see all info, and even disable any app.
Answering your questions:
"have you logged in with any other users that shouldn't have access to that app but they do?"
Yes, the same behavior happens with any SAML user added.
"the only thing that seems wrong is permissions to the app?"
Yes, but this happens with any app.