Monitoring Splunk

Creating Tokens in Splunk via GUI- How to troubleshoot error?


Hi Team,

Recently we have upgraded our Splunk Cloud to 8.1.2011.1 version. So we got a requirement to create a Token so I have navigated to Settings and clicked Token. By default it was in disabled state so I have enabled it and when I tried to create Token in GUI. I am getting an error as below"

"Token creation failed because: Cannot use tokens for SAML user anandh because neither attribute query requests (AQR) nor scripted auth are supported."

I am an admin but still I couldn't able to create the token and moreover the user authentication is happening via SAML and the SAML has been configured in Azure end.


So kindly let me know how to fix it and create a token.

Labels (1)
0 Karma

Path Finder

Token authentication mechanism kind of works in parallel with SAML, so it requires SAML Attribute Query support in order to retrieve the information about group membership. Without AQR, this can be done with a script which extends Splunk auth and retrieves the information about group membership on its own, without AQR.

You have 3 possible options:

1. Use identity provider which supports Attribute Query (AQR)

2. Use Azure or Okta since Splunk has auth extensions for them out of the box

3. Create your own authentication extension.


If I'm not mistaken, Splunk cloud doesn't support auth extensions, so option 3 might be not applicable to your case.

0 Karma

Path Finder

If your cluster uses LDAP then how can there be non-LDAP users?  The authentication conf file will be configured to use LDAP.  I tried setting it up for a user in our authentication.conf file and got the same error that the OP got.

0 Karma

Path Finder

Internal users co-exist with your authentication mechanism without any issues. Have been using internal users with LDAP and SAML. You just need to add en-US/account/login?loginType=Splunk to your Splunk url in order to log in with the internal user.

0 Karma

Path Finder

Hey @anandhalagaras1 

If I am not wrong , Splunk "authentication tokens" are not for SAML user because they already have permission to Access Splunk (with SAML username and Pass.).

"Authentication Tokens" are for non SAML users and temporary/time-based access to a user with token generated by admin.

For more :

Path Finder

Authentication tokens are supported with SAML, internal and LDAP authentication mechanisms.

However, for SAML, your identity provider needs to support AQR (Attribute Query) or have a custom authentication extension. Splunk provides custom authentication extension out of the box for Okta and Azure.


0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

We’ve been shouting it from the rooftops! The findings from the 2023 Splunk Career Impact Report showing that ...

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...