
SAML Users - Missing info - user's real name and email address disappear

nclancy_splunk
Splunk Employee

Authentication via SAML works, and on initial login the user's real name and email address are visible under the user's profile, both as viewed by the user and as viewed by an admin under the "Users" screen in the Authentication Settings.

At some (seemingly random) point later, the user's real name and email address disappear. The user is still logged in and can continue whatever they were doing, but the name displayed at the top of the screen changes from their real name to their user ID.

As far as my understanding of SAML integration goes, there is no continuing communication between Splunk and the SAML provider after the initial authentication (until the user session times out, which is not happening here since the user continues working fine).

If the user actively logs out from Splunk and then immediately returns, their real name and email address are restored in Splunk once again. Then at some point they will once again disappear.


nclancy_splunk
Splunk Employee

This occurs for Splunk 6.4.4 and is possibly related to issue SPL-141089, which is fixed in 6.5 and other releases.

Problem evaluation:
Prior to this fix, we didn't have a mechanism for keeping the SAML user attributes such as email and real name on disk.
If the auth system were to be bounced, the cache would get cleared, which would result in the loss of the user attributes.
Another scenario identified during the course of this investigation: in a SHC, if the SH which was used by the LB to log the user in goes down, a different SH in the cluster wouldn't have the user attributes, resulting in the same problem.

Resolution:
Store the user's real name and email ID along with the role list under the userToRoleMap_SAML stanza of authentication.conf.
The role list, real name and email are all separated by the "::" delimiter. If any of these strings has "::" as part of it, the same is stripped off before storing in authentication.conf.
The GET endpoint for admin/SAML-user-role-map is also updated to now return the real name and email ID along with the role list.

This issue has been fixed in the following releases:
6.5.6+
6.6.4+
7.0.0+

http://docs.splunk.com/Documentation/Splunk/6.5.6/ReleaseNotes/6.5.6
SPL-141089, SPL-143593, SPL-142248, SPL-143592

SAML - Users realName and email being dropped from the UI on authentication bounce

Support have tested this (on 7.0.2) and when you log in this section is added to authentication.conf to have the name/email mapped:
...
[userToRoleMap_SAML]
user@someaddress.net = admin::Tester::user@someaddress.net

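To make the stored format concrete, here is an added example (not Splunk's own code, and not part of the original answer) that encodes and decodes userToRoleMap_SAML values the way the resolution describes: the three fields are joined with "::", any "::" inside a field is stripped before storing, and a value that carries only a role list (the pre-fix layout) decodes with an empty real name and email, which is exactly the symptom in the question. The semicolon as the separator inside the role list, the use of Python's configparser to read the stanza, and the sample authentication.conf text are all assumptions made here, not facts from the answer.

```python
import configparser

DELIM = "::"      # field delimiter described in the resolution
ROLE_SEP = ";"    # assumed separator inside the role list (not stated on the page)
STANZA = "userToRoleMap_SAML"


def _clean(field: str) -> str:
    """Strip the '::' delimiter out of a field so it cannot shift the layout."""
    return field.replace(DELIM, "")


def encode_mapping(roles, realname, email):
    """Build the value stored for one SAML user: roles::realname::email."""
    role_str = ROLE_SEP.join(_clean(r) for r in roles)
    return DELIM.join([role_str, _clean(realname), _clean(email)])


def decode_mapping(value):
    """Split a stored value back into (roles, realname, email).

    An entry that holds only the role list (the pre-fix layout) decodes
    with empty name and email, matching the 'missing info' symptom.
    """
    parts = value.split(DELIM)
    roles = [r for r in parts[0].split(ROLE_SEP) if r]
    realname = parts[1] if len(parts) > 1 else ""
    email = parts[2] if len(parts) > 2 else ""
    return roles, realname, email


def load_saml_user_map(conf_text):
    """Parse the userToRoleMap_SAML stanza out of authentication.conf text."""
    # Only '=' may separate key and value: the value itself contains ':'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep SAML user names case-sensitive
    cp.read_string(conf_text)
    if STANZA not in cp:
        return {}
    return {user: decode_mapping(val) for user, val in cp[STANZA].items()}


def users_missing_attributes(conf_text):
    """Report users whose stored mapping lacks a real name or email."""
    table = load_saml_user_map(conf_text)
    return sorted(u for u, (_, name, mail) in table.items() if not name or not mail)


# Constructed sample: one entry in the fixed layout and one legacy
# role-only entry, as a post-upgrade instance might still contain.
SAMPLE_CONF = """\
[userToRoleMap_SAML]
user@someaddress.net = admin::Tester::user@someaddress.net
legacy@someaddress.net = user;power
"""

if __name__ == "__main__":
    for user, (roles, name, mail) in load_saml_user_map(SAMPLE_CONF).items():
        print(f"{user}: roles={roles} realname={name!r} email={mail!r}")
    print("missing attributes:", users_missing_attributes(SAMPLE_CONF))
```

Running users_missing_attributes over a copy of authentication.conf is a quick way to confirm, after upgrading to one of the fixed releases, that every SAML user has had their name and email persisted rather than relying on the in-memory cache the answer describes.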