Getting Data In

How to modify my configuration of Splunk SSO with SAML and ADFS as the Identity Provider?

justinb82
Engager

I'm attempting to configure SSO for Splunk with ADFS as the IdP. I have mapped an Active Directory group to the admin group in Splunk like this:

[rolemap_SAML]
admin = splunk_admin

Whenever I attempt to login I receive the following message:

No valid splunk role found in the local mapping or assertion.

I am getting what appears to be a valid response from ADFS, but it seems Splunk is having an issue parsing it. I'm sure the issue lies with some misconfiguration on my part, but I'm having trouble pinning it down. I'm reaching out to the Splunk community to see if anyone else has had a similar experience, or can offer some insight.

Here are some sanitized excerpts from the SAML response for reference:

My UPN passed from ADFS:

<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">johndoe@myorg.int</NameID>

My realName Attribute:

<Attribute Name="realName"> <AttributeValue>John Doe<AttributeValue> </Attribute>

My 'mail' Attribute

<Attribute Name="mail"> <AttributeValue>JohnDoe@myorg.org</AttributeValue> <Attribute>

My 'role' Attribute

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"> <AttributeValue>Domain Users</AttributeValue>

...MORE ATTRIBUTES...

<AttributeValue>splunk_admin<AttributeValue> </Attribute>
0 Karma
1 Solution

suarezry
Builder

If the attribute name is not called "role" then you also need to set authenticationResponseAttrMap_SAML in authentication.conf, ie:

[authenticationResponseAttrMap_SAML]
 role = http://schemas.microsoft.com/ws/2008/06/identity/claims/role

Also, look at $SPLUNK_HOME/var/log/splunkd.log for SAML related entries to help you troubleshoot.

View solution in original post

suarezry
Builder

If the attribute name is not called "role" then you also need to set authenticationResponseAttrMap_SAML in authentication.conf, ie:

[authenticationResponseAttrMap_SAML]
 role = http://schemas.microsoft.com/ws/2008/06/identity/claims/role

Also, look at $SPLUNK_HOME/var/log/splunkd.log for SAML related entries to help you troubleshoot.

rdimri_splunk
Splunk Employee
Splunk Employee

Actually role can be any strings in 6.4 and onwards, they dont have to be of form ""cn=splunk_admin,dc=myorg,dc=int"
"Domain Users" would still work.

You are right about the attribute alias mapping though

Alternatively you can look at the claim language generated for "role" in ADFS, copy it out and change the name from "http://..." to just role and add a custom claim. That should also work.

justinb82
Engager

Thanks to the both of you for your time. I added that additional setting to the authentication.conf file and it works great!

0 Karma

suarezry
Builder

Thanks, I did not realize the format requirement for the role value has been removed. I've edited my answer to remove this part.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...