ADFS SAML: IDP failed to authenticate request (Splunk 6.4)

dkoops
Path Finder

We have some trouble getting SAML to work with our ADFS. After a login attempt, we are redirected to a Splunk error screen with the message:

IDP failed to authenticate request. Status Message="" Status Code="Responder"

We assume this is because we have to tell our ADFS how Splunk signs the request, but we are unable to find out which certificate Splunk uses for this.

If we disable 'signAuthnRequest', a login attempt results in some sort of loop that goes nowhere.
Anyone..?

1 Solution

dkoops
Path Finder

We got it to work. Thanks all for the help!

We fixed it by disabling signAuthnRequest. Earlier this resulted in some sort of loop but this was ADFS's fault apparently, and fixed with some adjustments in ADFS settings (not sure which).

walker_liu
Explorer

I encountered this issue with the same error message and suffered for a few weeks. There are two ways to log in with SAML SSO: IDP-Initiated SSO and SP-Initiated SSO. This error only happens on SP-Initiated SSO.
Here is the symptom I saw:
1. Error message from splunk side:

IDP failed to authenticate request. Status Message="" Status Code="Responder"

And if you try to open the SSO page, you will still be auto-redirected to Splunk with the same error. The only way to escape this loop is to clear all the browser data and then open the SSO page, which means you can only log in with IDP-Initiated SSO.
2. Error message from ADFS server side:

Event ID 364: Encountered error during federation passive request

I took two actions to solve this problem (thanks to Splunk support and my IT member):

  1. Enable "signAuthnRequest", which is totally different from the answer here.
  2. Make sure steps 27 and 28 in the doc https://www.splunk.com/blog/2016/09/14/configuring-microsofts-adfs-splunk-cloud.html are well configured, especially SigningCertificateRevocationCheck=None.

After doing that, both IDP-Initiated SSO and SP-Initiated SSO are working.

parteek_accentu
New Member

Can you please guide me about IDP and SP initiated SSO? How did you solve this issue?

0 Karma

walker_liu
Explorer

I basically followed the Splunk doc I posted to set it up. IDP and SP initiated SSO are both used in SAML by default. I believe there are lots of blogs talking about both SSO initializations, like this: https://blogs.oracle.com/dcarru/sp-vs-idp-initiated-sso

0 Karma

jbullough
Path Finder

I have this same issue and disabling "signAuthnRequest" doesn't resolve the issue. Does anyone have any new tricks to fix this?

cesaccenturefed
Path Finder

This didn't work for us.

0 Karma

rgopalan
Splunk Employee

You can get the certificate used by Splunk to sign saml requests from '/en-US/saml/spmetadata' endpoint of splunkweb after logging in as a local user.

You can also narrow down the issue by looking at the event logs on the instance where ADFS is set up.
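
Added example, not part of the original thread and not Splunk's own code: a parser for SP metadata such as the document served at '/en-US/saml/spmetadata', which pulls out each embedded certificate and prints its SHA-1 thumbprint for comparison with the signature certificate configured on the ADFS relying party trust. The sample metadata, its entityID and the placeholder certificate bytes are constructed; AuthnRequestsSigned is the standard SAML metadata attribute and is assumed to be present.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

def sp_certs(metadata_xml):
    """Return [(use, der_bytes)] for each certificate in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iter("{%s}KeyDescriptor" % MD):
        use = kd.get("use", "signing+encryption")  # no 'use' attribute: key serves both
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            # Drop every line break and space (CRLF included) before decoding.
            b64 = "".join((node.text or "").split())
            found.append((use, base64.b64decode(b64, validate=True)))
    return found

def thumbprint(der):
    """SHA-1 over the DER bytes, the form Windows shows as a certificate thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()

def requests_signed(metadata_xml):
    """True if the SP metadata declares AuthnRequestsSigned="true"."""
    sp = ET.fromstring(metadata_xml).find(".//md:SPSSODescriptor", NS)
    return sp is not None and sp.get("AuthnRequestsSigned", "").lower() == "true"

# Constructed sample: placeholder bytes stand in for the DER certificate, wrapped
# with CRLF line endings as a Windows-edited file would be.
SAMPLE_DER = bytes(range(120))
_b64 = base64.encodebytes(SAMPLE_DER).decode().replace("\n", "\r\n")
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="splunk-sp-example">'
    '<md:SPSSODescriptor AuthnRequestsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>%s</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '</md:SPSSODescriptor></md:EntityDescriptor>' % (MD, DS, _b64)
)

if __name__ == "__main__":
    for use, der in sp_certs(SAMPLE_METADATA):
        print(use, thumbprint(der))
    print("AuthnRequestsSigned:", requests_signed(SAMPLE_METADATA))
```

To use it on a real instance, save the metadata XML to a file and pass its contents to `sp_certs` in place of `SAMPLE_METADATA`.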

dkoops
Path Finder

Thx for the tip, I'll give that output to our ADFS guy. Hopefully he'll be able to make something of it!

0 Karma

jkat54
SplunkTrust

The certificate should come from your IdP not Splunk. You should have an XML file from the IDP that you "install" on Splunk.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Security/ConfigureSSOinSplunkWeb

0 Karma

dkoops
Path Finder

Yes we did this. It resulted in 2 certificates in the 'splunk/etc/auth/idpCerts' folder. After checking, the 2 seem correct.

After using some SAML debug plugin, we found the following:

HTTP/?.? 200 OK
Cache-Control: no-cache,no-store
Pragma: no-cache
Content-Length: 15294
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-HTTPAPI/2.0
X-Frame-Options: DENY
P3P: CP="ADFS doesn't have P3P policy, please contact your site's admin for more details."
Set-Cookie: 
0 Karma

jkat54
SplunkTrust

This error suggests ADFS v3 isn't set up on the IdP but that's what Splunk is using, or perhaps it's the other way around. There's a patch for ADFS that you'll find everyone mentions when you google the P3P error message you posted. Make sure you have that patch and ADFS v3 installed.

Finally, if you're copying and pasting certs from Windows to Linux, please make sure you use dosutils (that's the package) and its command called dos2unix to convert the cert file to Unix format.
Or even if you created the file in Windows and will use it in Linux (usually the case). What happens is there are some line break / character encoding issues that occur when using Windows-formatted files on Linux OSes.
