We have some trouble getting SAML to work with our ADFS. After a login attempt, we are redirected to a Splunk error screen with the message:
IDP failed to authenticate request. Status Message="" Status Code="Responder"
We assume this is because we have to tell our ADFS how Splunk signs the request, but we are unable to find out which certificate Splunk uses for this.
If we disable 'signAuthnRequest', a login attempt results in some sort of loop that goes nowhere.
Anyone?
We got it to work. Thanks all for the help!
We fixed it by disabling signAuthnRequest. Earlier this resulted in some sort of loop but this was ADFS's fault apparently, and fixed with some adjustments in ADFS settings (not sure which).
I encountered this issue with the same error message and suffered for a few weeks. There are two ways to log in with SAML SSO, IDP-Initiated SSO and SP-Initiated SSO, and this error only happens on SP-Initiated SSO.
Here is the symptom I saw:
1. Error message from the Splunk side:
IDP failed to authenticate request. Status Message="" Status Code="Responder"
And if you try to open the SSO page, you will still be auto-redirected to Splunk with the same error. The only way to escape this loop is to clear all the browser data and then open the SSO page, which means you can only log in with IDP-Initiated SSO.
2. Error message from the ADFS server side:
Event ID 364: Encountered error during federation passive request
I took two actions to solve this problem (thanks to Splunk support and my IT member):
After doing that, both IDP-Initiated SSO and SP-Initiated SSO are working.
Can you please guide me about IDP and SP initiated SSO? How did you solve this issue?
I basically followed the Splunk doc I posted to set it up. And IDP & SP initiated SSO are both used in SAML by default. I believe there are lots of blogs talking about both SSO initiations, like this one: https://blogs.oracle.com/dcarru/sp-vs-idp-initiated-sso
I have this same issue and disabling "signAuthnRequest" doesn't resolve the issue. Does anyone have any new tricks to fix this?
This didn't work for us.
You can get the certificate used by Splunk to sign SAML requests from the '/en-US/saml/spmetadata' endpoint of splunkweb after logging in as a local user.
You can also narrow down the issue by looking at the event logs on the instance where ADFS is set up.
Thanks for the tip, I'll give that output to our ADFS guy. Hopefully he'll be able to make something of it!
The certificate should come from your IdP not Splunk. You should have an XML file from the IDP that you "install" on Splunk.
http://docs.splunk.com/Documentation/Splunk/6.3.3/Security/ConfigureSSOinSplunkWeb
Yes, we did this. It resulted in 2 certificates in the 'splunk/etc/auth/idpCerts' folder. After checking, the 2 seem correct.
After using a SAML debug plugin, we found the following:
HTTP/?.? 200 OK
Cache-Control: no-cache,no-store
Pragma: no-cache
Content-Length: 15294
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-HTTPAPI/2.0
X-Frame-Options: DENY
P3P: CP="ADFS doesn't have P3P policy, please contact your site's admin for more details."
Set-Cookie:
This error suggests ADFS v3 isn't set up on the IdP but that's what Splunk is using, or perhaps it's the other way around. There's a patch for ADFS that you'll find everyone mentions when you google the P3P error message you posted. Make sure you have that patch and ADFS v3 installed.
Finally, if you're copying and pasting certs from Windows to Linux, please make sure you use dosutils (that's the package) and its command called dos2unix to convert the cert file to Unix format.
The same applies even if you created the file in Windows and will use it in Linux (usually the case). What happens is that there are some line break / character encoding issues that occur when using Windows-formatted files on Linux OSes.
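As an added example (not from this thread, and not Splunk's or ADFS's own code), here is a small Python script that pulls the SP signing certificate out of SAML SP metadata of the kind served by the '/en-US/saml/spmetadata' endpoint mentioned above, and normalizes a Windows-formatted PEM file the way dos2unix would. The metadata document, entityID and certificate body are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder: not a real certificate, just valid base64.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed, not a real certificate").decode()

# Constructed SP metadata shaped like the SPSSODescriptor an SP publishes;
# it contains a signing cert and an encryption cert so the filter below matters.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://splunk.example.test/saml/acs">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def signing_certs(metadata_xml):
    """Return (AuthnRequestsSigned flag, [base64 cert bodies]) from SP metadata.
    Only KeyDescriptors usable for signing count: use="signing" or no use attribute.
    Each body is validated as base64 so a mangled copy fails here, not at the IdP."""
    sp = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    signed = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            body = re.sub(r"\s+", "", c.text or "")   # metadata wraps the base64 freely
            base64.b64decode(body, validate=True)      # raises binascii.Error if corrupt
            certs.append(body)
    return signed, certs

def to_pem(cert_b64):
    """Wrap a base64 DER body as a PEM block with LF line endings, 64 chars per line."""
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def normalize_pem(data):
    """Convert a Windows-formatted PEM (CRLF line ends, optional UTF-8 BOM) to Unix format."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
```

Running it against a real metadata document gives the IdP administrator the exact SP signing cert to register, and normalize_pem prepares IdP certs copied from Windows before dropping them into the Splunk idpCerts folder.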