ADFS SAML: IDP failed to authenticate request (Splunk 6.4)

Path Finder

We have some trouble getting SAML to work with our ADFS. After a login attempt, we are redirected to a Splunk error screen with the message:

IDP failed to authenticate request. Status Message="" Status Code="Responder"

We assume this is because we have to tell our ADFS how Splunk signs the request, but we are unable to find out which certificate Splunk uses for this.

If we disable 'signAuthnRequest', a login attempt results in some sort of loop that goes nowhere.
Anyone..?

1 Solution

Path Finder

We got it to work. Thanks all for the help!

We fixed it by disabling signAuthnRequest. Earlier this resulted in some sort of loop but this was ADFS's fault apparently, and fixed with some adjustments in ADFS settings (not sure which).

Explorer

I encountered this issue with the same error message and suffered for a few weeks. There are two ways to log in with SAML SSO: IDP-Initiated SSO and SP-Initiated SSO. This error only happens on SP-Initiated SSO.
Here is the symptom I saw:
1. Error message from the Splunk side:

IDP failed to authenticate request. Status Message="" Status Code="Responder"

And if you try to open the SSO page, you will still be auto-redirected to Splunk with the same error. The only way to escape this loop is to clear all the browser data and then open the SSO page, which means you can only log in with IDP-Initiated SSO.
2. Error message from ADFS server side:

Event ID 364: Encountered error during federation passive request

I took two actions to solve this problem (thanks to Splunk support and my IT member):

  1. Enable "signAuthnRequest", which is totally different from the answer here.
  2. Make sure steps 27 and 28 in the doc https://www.splunk.com/blog/2016/09/14/configuring-microsofts-adfs-splunk-cloud.html are well configured, especially SigningCertificateRevocationCheck=None.

After doing that, both IDP-Initiated SSO and SP-Initiated SSO are working.

New Member

Can you please guide me about IDP and SP initiated SSO? How did you solve this issue?

Explorer

I basically followed the Splunk doc I posted to set it up. IDP- and SP-initiated SSO are both used in SAML by default. I believe there are lots of blogs talking about both SSO initializations, like this one: https://blogs.oracle.com/dcarru/sp-vs-idp-initiated-sso

Path Finder

I have this same issue and disabling "signAuthnRequest" doesn't resolve the issue. Does anyone have any new tricks to fix this?

Path Finder

This didn't work for us.

Splunk Employee

You can get the certificate used by Splunk to sign SAML requests from the '/en-US/saml/spmetadata' endpoint of splunkweb after logging in as a local user.

You can also narrow down the issue by looking at the event logs on the instance where ADFS is set up.

Path Finder

Thx for the tip, I'll give that output to our ADFS guy. Hopefully he'll be able to make something of it!

SplunkTrust

The certificate should come from your IdP not Splunk. You should have an XML file from the IDP that you "install" on Splunk.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Security/ConfigureSSOinSplunkWeb

Path Finder

Yes we did this. It resulted in 2 certificates in the 'splunk/etc/auth/idpCerts' folder. After checking, the 2 seem correct.

After using some SAML debug plugin, we found the following:

HTTP/?.? 200 OK
Cache-Control: no-cache,no-store
Pragma: no-cache
Content-Length: 15294
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-HTTPAPI/2.0
X-Frame-Options: DENY
P3P: CP="ADFS doesn't have P3P policy, please contact your site's admin for more details."
Set-Cookie: 

SplunkTrust

This error suggests ADFS v3 isn't set up on the IdP but that's what Splunk is using, or perhaps it's the other way around. There's a patch for ADFS that you'll find everyone mentions when you google the P3P error message you posted. Make sure you have that patch and ADFS v3 installed.

Finally, if you're copying and pasting certs from Windows to Linux, please make sure you use dosutils (that's the package) and its command called dos2unix to convert the cert file to Unix format.
Or even if you created the file in Windows and will use it in Linux (usually the case). What happens is that some line break / character encoding issues occur when using Windows-formatted files on Linux OSes.
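
An added example, not code from this thread or from Splunk: a Python check that reads SP metadata such as the '/en-US/saml/spmetadata' output mentioned above, reports whether the SP declares signed AuthnRequests, and fingerprints the published signing certificate so it can be compared with the certificate ADFS holds for the relying party. The sample metadata, its entityID and the placeholder certificate bytes are constructed, and the element names follow the SAML 2.0 metadata schema, which is an assumption about what a given Splunk version emits.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like SP metadata, saved with Windows (CRLF) line
# endings. The certificate body is placeholder bytes, not a real X.509 cert.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate " * 3
B64 = base64.b64encode(PLACEHOLDER_DER).decode()
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"\r\n'
    '    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"\r\n'
    '    entityID="splunk-sp-example">\r\n'
    '  <md:SPSSODescriptor AuthnRequestsSigned="true"\r\n'
    '      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\r\n'
    '    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>\r\n'
    f'      <ds:X509Certificate>{B64[:64]}\r\n{B64[64:]}\r\n'
    '      </ds:X509Certificate>\r\n'
    '    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>\r\n'
    '  </md:SPSSODescriptor>\r\n'
    '</md:EntityDescriptor>\r\n'
)

def sp_signing_info(metadata_xml):
    """Return entityID, the AuthnRequestsSigned flag and the SHA-256
    fingerprints of the certificates the SP publishes for signing."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    prints = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' covers both uses
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # Drop CR, LF and indentation before decoding; stray CRs are what
            # Windows-edited certificate files carry over to Linux.
            text = "".join((cert.text or "").split())
            der = base64.b64decode(text, validate=True)
            prints.append(hashlib.sha256(der).hexdigest())
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") in ("true", "1"),
        "signing_cert_sha256": prints,
    }

if __name__ == "__main__":
    print(sp_signing_info(SAMPLE_METADATA))
```

If the fingerprint list is empty or does not match the signature certificate configured on the ADFS relying party trust, a signed request cannot be verified by the IdP.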
