Getting Data In

How to configure Splunk SAML SSO on Windows?

ww9rivers
Contributor

I have successfully configured a Splunk search head (Enterprise v6.5.0) to authenticate with SAML.

But I am having failures on Windows running Splunk Enterprise v6.5.1. Besides that the search head server OS difference, the other difference is what Splunk uses for hostname: On Linux it is the fully qualified DNS name, in Windows, it's just the hostname part without the domain.

The error I am getting is: "Unable to complete request at this time. (Request was from an untrusted provider-AEE5C49E56DD98D1)" in the ID Provider's sign-on screen.

That makes me wonder if there is a mismatch somewhere, possibly related to the hostname/DNS name difference. However, I did set the "fully qualified domain name" and "entity ID" fields to use the fully qualified DNS name in Splunk SAML configuration.

Has anyone else encountered this kind of situation? Thank you in advance for any insights.

suarezry
Builder

Use a browser plugin to trace your SAML exchanges:
https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

You will be able to see what URL's Splunk is passing to your IdP. You can then verify if those URLs match the Splunk metadata gave to your IdP. What IdP are you using?

0 Karma

pgreer_splunk
Splunk Employee
Splunk Employee

What Identity Provider are you using?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...