Recently we have upgraded our Splunk Cloud to 8.1.2011.1 version. So we got a requirement to create a Token so I have navigated to Settings and clicked Token. By default it was in disabled state so I have enabled it and when I tried to create Token in GUI. I am getting an error as below"
"Token creation failed because: Cannot use tokens for SAML user anandh because neither attribute query requests (AQR) nor scripted auth are supported."
I am an admin but still I couldn't able to create the token and moreover the user authentication is happening via SAML and the SAML has been configured in Azure end.
So kindly let me know how to fix it and create a token.
Token authentication mechanism kind of works in parallel with SAML, so it requires SAML Attribute Query support in order to retrieve the information about group membership. Without AQR, this can be done with a script which extends Splunk auth and retrieves the information about group membership on its own, without AQR.
You have 3 possible options:
1. Use identity provider which supports Attribute Query (AQR)
2. Use Azure or Okta since Splunk has auth extensions for them out of the box
If I'm not mistaken, Splunk cloud doesn't support auth extensions, so option 3 might be not applicable to your case.
If your cluster uses LDAP then how can there be non-LDAP users? The authentication conf file will be configured to use LDAP. I tried setting it up for a user in our authentication.conf file and got the same error that the OP got.
Internal users co-exist with your authentication mechanism without any issues. Have been using internal users with LDAP and SAML. You just need to add en-US/account/login?loginType=Splunk to your Splunk url in order to log in with the internal user.
If I am not wrong , Splunk "authentication tokens" are not for SAML user because they already have permission to Access Splunk (with SAML username and Pass.).
"Authentication Tokens" are for non SAML users and temporary/time-based access to a user with token generated by admin.
Authentication tokens are supported with SAML, internal and LDAP authentication mechanisms.
However, for SAML, your identity provider needs to support AQR (Attribute Query) or have a custom authentication extension. Splunk provides custom authentication extension out of the box for Okta and Azure.