Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ADFS SAML: IDP failed to authenticate request (Splunk 6.4)

dkoops
Path Finder
‎04-19-2016 01:14 AM

We have some trouble getting SAML to work with our ADFS. After a login attempt, we are redirected to a Splunk error screen with the message:

IDP failed to authenticate request. Status Message="" Status Code="Responder"

We assume this is because we have to tell our ADFS how Splunk signs the request, but we are unable to find out which certificate Splunk uses for this..

If we disable 'signAuthnRequest', a login attempt results in some sort of loop that goes nowhere.
Anyone..?

Reply
1 Solution
Solved! Jump to solution
Solution

dkoops
Path Finder
‎04-21-2016 04:49 AM

We got it to work. Thanks all for the help!

We fixed it by disabling signAuthnRequest. Earlier this resulted in some sort of loop but this was ADFS's fault apparently, and fixed with some adjustments in ADFS settings (not sure which).

View solution in original post

Reply
Solved! Jump to solution

walker_liu
Explorer
‎08-24-2018 01:00 AM

I encounter this issue with the same error message and suffer for few weeks. There are two way to login with SAML SSO, IDP-Initiated SSO and SP-Initiated SSO. And this error only happen on SP-Initiated SSO.
Here is the symptom I saw:
1. Error message from splunk side: 

IDP failed to authenticate request. Status Message="" Status Code="Responder"

And if you try to open SSO page, then will still be auto-redirected to Splunk with same error. The only way to escape this loop is to clear all the browser data then open SSO page, which means you can only login with IDP-Initiated SSO.
2. Error message from ADFS server side:

Event ID 364: Encountered error during federation passive request

I take two action to solve this problem(thanks for splunk support and my IT member):

  1. Enable "signAuthnRequest", which is totally different way with the answer here.
  2. Make sure step 27 and 28 on the doc: https://www.splunk.com/blog/2016/09/14/configuring-microsofts-adfs-splunk-cloud.html is well configured. Especially SigningCertificateRevocationCheck=None.

After doing that, both IDP-Initiated SSO and SP-Initiated SSO are working.

Reply
Solved! Jump to solution

parteek_accentu
New Member
‎02-22-2019 09:53 AM

can you please guide about IDP and SP initiated SSO ? how did you solve this issue

0 Karma
Reply
Solved! Jump to solution

walker_liu
Explorer
‎06-04-2019 07:15 PM

I basically follow the Splunk doc I post to set it up. And IDP & SP initiated SSO are both used in SAML in default. I believe there're lots of blog taking about both SSO initialization like this: https://blogs.oracle.com/dcarru/sp-vs-idp-initiated-sso

0 Karma
Reply
Solved! Jump to solution

jbullough
Path Finder
‎12-22-2016 07:58 AM

I have this same issue and disabling "signAuthnRequest" doesn't resolve the issue. Does anyone have any new tricks to fix this?

Reply
Solved! Jump to solution
Solution

dkoops
Path Finder
‎04-21-2016 04:49 AM

We got it to work. Thanks all for the help!

We fixed it by disabling signAuthnRequest. Earlier this resulted in some sort of loop but this was ADFS's fault apparently, and fixed with some adjustments in ADFS settings (not sure which).

Reply
Solved! Jump to solution

cesaccenturefed
Path Finder
‎06-04-2019 01:39 PM

This didnt work for us.

0 Karma
Reply
Solved! Jump to solution

rgopalan
Splunk Employee
Splunk Employee
‎04-19-2016 04:01 PM

You can get the certificate used by Splunk to sign saml requests from '/en-US/saml/spmetadata' endpoint of splunkweb after logging in as a local user.

You can also narrow down the issue by looking at the event logs on the instance where ADFS is set up.

Reply
Solved! Jump to solution

dkoops
Path Finder
‎04-20-2016 01:13 AM

Thx for the tip, I'll give that output to our ADFS guy. Hopefully he'll be able to make something of it!

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎04-19-2016 03:33 AM

The certificate should come from your IdP not Splunk. You should have an XML file from the IDP that you "install" on Splunk.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Security/ConfigureSSOinSplunkWeb

0 Karma
Reply
Solved! Jump to solution

dkoops
Path Finder
‎04-19-2016 04:46 AM

Yes we did this. It resulted in 2 certificates in the 'splunk/etc/auth/idpCerts' folder. After checking, the 2 seem correct.

After using some SAML debug plugin, we found the following:

HTTP/?.? 200 OK
Cache-Control: no-cache,no-store
Pragma: no-cache
Content-Length: 15294
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-HTTPAPI/2.0
X-Frame-Options: DENY
P3P: CP="ADFS doesn't have P3P policy, please contact your site's admin for more details."
Set-Cookie:
0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎04-20-2016 06:41 AM

This error suggests ADFS v3 isn't setup on the IdP but that's what Splunk is using or perhaps it's the other way around. There's a patch for ADFS that you'll find everyone mentions when you google the P3P error message you posted. Make sure you have that patch and ADFS v3 installed.

Finally if you're copying and pasting certs from windows to linux, please make sure you use dosutils (that's the package) and its command called dos2unix to convert the cert file to Unix format.
Or even if you created the file in windows and will use in linux (usually the case). What happens is there are some line breaks / character encoding issues that occur when using windows formatted files on linux OS'es.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...