- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to modify my configuration of Splunk SSO with ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm attempting to configure SSO for Splunk with ADFS as the IdP. I have mapped an Active Directory group to the admin group in Splunk like this:
[rolemap_SAML]
admin = splunk_admin
Whenever I attempt to login I receive the following message:
No valid splunk role found in the local mapping or assertion.
I am getting what appears to be a valid response from ADFS, but it seems Splunk is having an issue parsing it. I'm sure the issue lies with some misconfiguration on my part, but I'm having trouble pinning it down. I'm reaching out to the Splunk community to see if anyone else has had a similar experience, or can offer some insight.
Here are some sanitized excerpts from the SAML response for reference:
My UPN passed from ADFS:
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">johndoe@myorg.int</NameID>
My realName Attribute:
<Attribute Name="realName"> <AttributeValue>John Doe<AttributeValue> </Attribute>
My 'mail' Attribute
<Attribute Name="mail"> <AttributeValue>JohnDoe@myorg.org</AttributeValue> <Attribute>
My 'role' Attribute
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"> <AttributeValue>Domain Users</AttributeValue>
...MORE ATTRIBUTES...
<AttributeValue>splunk_admin<AttributeValue> </Attribute>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the attribute name is not called "role" then you also need to set authenticationResponseAttrMap_SAML in authentication.conf, ie:
[authenticationResponseAttrMap_SAML]
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/role
Also, look at $SPLUNK_HOME/var/log/splunkd.log for SAML related entries to help you troubleshoot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the attribute name is not called "role" then you also need to set authenticationResponseAttrMap_SAML in authentication.conf, ie:
[authenticationResponseAttrMap_SAML]
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/role
Also, look at $SPLUNK_HOME/var/log/splunkd.log for SAML related entries to help you troubleshoot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually role can be any strings in 6.4 and onwards, they dont have to be of form ""cn=splunk_admin,dc=myorg,dc=int"
"Domain Users" would still work.
You are right about the attribute alias mapping though
Alternatively you can look at the claim language generated for "role" in ADFS, copy it out and change the name from "http://..." to just role and add a custom claim. That should also work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to the both of you for your time. I added that additional setting to the authentication.conf file and it works great!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I did not realize the format requirement for the role value has been removed. I've edited my answer to remove this part.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
