Creating Tokens in Splunk via GUI - How to troubleshoot error?

anandhalagaras1
Contributor

Hi Team,

Recently we upgraded our Splunk Cloud to version 8.1.2011.1. We got a requirement to create a token, so I navigated to Settings and clicked Token. By default it was in a disabled state, so I enabled it, and when I tried to create a token in the GUI, I got the error below:

"Token creation failed because: Cannot use tokens for SAML user anandh because neither attribute query requests (AQR) nor scripted auth are supported."

I am an admin, but I still was not able to create the token. Moreover, user authentication happens via SAML, and SAML has been configured on the Azure end.

So kindly let me know how to fix it and create a token.

0 Karma

vzabawski
Path Finder

The token authentication mechanism kind of works in parallel with SAML, so it requires SAML Attribute Query support in order to retrieve the information about group membership. Without AQR, this can be done with a script which extends Splunk auth and retrieves the information about group membership on its own.

You have 3 possible options:

1. Use an identity provider which supports Attribute Query (AQR)

2. Use Azure or Okta, since Splunk has auth extensions for them out of the box

3. Create your own authentication extension.

If I'm not mistaken, Splunk Cloud doesn't support auth extensions, so option 3 might not be applicable to your case.

0 Karma

scottj1y
Path Finder

If your cluster uses LDAP then how can there be non-LDAP users?  The authentication conf file will be configured to use LDAP.  I tried setting it up for a user in our authentication.conf file and got the same error that the OP got.

0 Karma

vzabawski
Path Finder

Internal users co-exist with your authentication mechanism without any issues. I have been using internal users with LDAP and SAML. You just need to add en-US/account/login?loginType=Splunk to your Splunk URL in order to log in with the internal user.

0 Karma

General_Talos
Path Finder

Hey @anandhalagaras1 

If I am not wrong, Splunk "authentication tokens" are not for SAML users because they already have permission to access Splunk (with SAML username and pass.).

"Authentication Tokens" are for non-SAML users and temporary/time-based access to a user with a token generated by an admin.

For more:
https://docs.splunk.com/Documentation/Splunk/8.1.1/Security/UseAuthTokens

vzabawski
Path Finder

Authentication tokens are supported with SAML, internal and LDAP authentication mechanisms.

However, for SAML, your identity provider needs to support AQR (Attribute Query) or have a custom authentication extension. Splunk provides a custom authentication extension out of the box for Okta and Azure.

Source: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Security/Setupauthenticationwithtokens#Su...

0 Karma
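An added example, not part of any post in this thread: a small pre-check that reads an authentication.conf and reports whether a SAML deployment has either of the two things the error message asks for (AQR or a scripted auth extension). It assumes the SAML stanza keys `attributeQueryUrl` and `scriptPath`, only applies where you can read the file (not Splunk Cloud), and the stanza names and sample configs are constructed.

```python
import configparser

# Constructed sample configs; stanza names, URLs and script name are made up.
SAML_NO_AQR = """
[authentication]
authType = SAML
authSettings = azure_saml

[azure_saml]
entityId = splunk-example
idpSSOUrl = https://idp.example.invalid/sso
"""
# Same stanza with a scripted auth extension configured (assumed key: scriptPath).
SAML_WITH_SCRIPT = SAML_NO_AQR + "scriptPath = example_azure_ext.py\n"
LDAP_ONLY = """
[authentication]
authType = LDAP
authSettings = corp_ldap

[corp_ldap]
host = ldap.example.invalid
"""

def saml_token_precheck(conf_text):
    """Return 'not_saml', 'saml_ok' or 'saml_blocked' for one authentication.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(conf_text)
    auth_type = cp.get("authentication", "authType", fallback="Splunk")
    if auth_type.strip().upper() != "SAML":
        return "not_saml"  # the AQR / scripted-auth condition is SAML-specific
    stanza = cp.get("authentication", "authSettings", fallback="").strip()
    if not cp.has_section(stanza):
        return "saml_blocked"  # SAML selected but its settings stanza is missing
    has_aqr = bool(cp.get(stanza, "attributeQueryUrl", fallback="").strip())
    has_script = bool(cp.get(stanza, "scriptPath", fallback="").strip())
    # Token creation for a SAML user needs a way to look up group membership
    # outside an interactive login: either AQR or a scripted extension.
    return "saml_ok" if (has_aqr or has_script) else "saml_blocked"

if __name__ == "__main__":
    for name, text in [("no AQR", SAML_NO_AQR), ("script", SAML_WITH_SCRIPT),
                       ("LDAP", LDAP_ONLY)]:
        print(name, "->", saml_token_precheck(text))
```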