Security

Azure AD SAML Group Claims

bpluta
New Member

I am trying to get Splunk Enterprise to use SAML authentication against Azure AD. I have followed the steps outlined in the directions on the Configure SSO with AzureAD or AD FS as your Identity Provider direction page. I have consulted the Configuring Microsoft’s Azure SAML Single Sign On (SSO) with Splunk Cloud – Using the 'New' Azure Portal blog post as well, even though it is for Splunk cloud and I am using Splunk on prem.

The problem I am running into is when I try to log in, I get an error "SAML response does not contain group information". Using a SAML browser plugin, I can see Azure is not sending the group information in the SAML response. When looking at Azure AD documents for how to Customize claims issued in the SAML token, it states that Azure AD will NOT send the group claims. If Azure AD will not send the group claims, is there anyway for Splunk to do the role mapping? Has anyone else ran into a problem with Azure AD not providing group claims in the SAML response?

Tags (2)
0 Karma
1 Solution

tkomatsubara_sp
Splunk Employee
Splunk Employee

Hello,

If you use SAML Trace tool, you will notice that group information (object IDs) are within "group" tag.
Like this.

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
                <AttributeValue>1bd5ea35-051f-40fd-bc2a-87693900953d</AttributeValue>
                <AttributeValue>fec3a8e2-f35c-437d-8191-f850da332f5c</AttributeValue>
</Attribute>

As this article explained ( https://www.splunk.com/blog/2017/11/20/configuring-microsoft-s-azure-security-assertion-markup-langu... ), you need specify "Role alias" and create SAML group in Splunk Cloud. The group name needs to be object ID of your Azure's group's object ID.

In this above example, I created a group in Azure and put my user into the Azure group. The group's object ID is fec3a8e2-f35c-437d-8191-f850da332f5c. So that's why I created "fec3a8e2-f35c-437d-8191-f850da332f5c" SAML group in Splunk Cloud.

Then, everything works perfect.

Please try this. This is confirmed in 2019/Feb/3.

Takashi.

View solution in original post

tkomatsubara_sp
Splunk Employee
Splunk Employee

Hello,

If you use SAML Trace tool, you will notice that group information (object IDs) are within "group" tag.
Like this.

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
                <AttributeValue>1bd5ea35-051f-40fd-bc2a-87693900953d</AttributeValue>
                <AttributeValue>fec3a8e2-f35c-437d-8191-f850da332f5c</AttributeValue>
</Attribute>

As this article explained ( https://www.splunk.com/blog/2017/11/20/configuring-microsoft-s-azure-security-assertion-markup-langu... ), you need specify "Role alias" and create SAML group in Splunk Cloud. The group name needs to be object ID of your Azure's group's object ID.

In this above example, I created a group in Azure and put my user into the Azure group. The group's object ID is fec3a8e2-f35c-437d-8191-f850da332f5c. So that's why I created "fec3a8e2-f35c-437d-8191-f850da332f5c" SAML group in Splunk Cloud.

Then, everything works perfect.

Please try this. This is confirmed in 2019/Feb/3.

Takashi.

rashtecq
Observer

Hello @tkomatsubara_sp 

I have followed the instruction given in the link but still I am seeing the same message(Saml response does not contain group information.) while try to login.

When I try to trace the saml response I don't see the group attribute instead I see role attribute.  What is solution to this ?

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
<AttributeValue>SplunkAdmin</AttributeValue>
</Attribute>

I have created a group on Azure and assigned, admin role that group. 

I have created a group on Splunk using the object ID of the above same group and assigned admin role that group.  Rest of the configuration I follwed the document. 

0 Karma

rashtecq
Observer

This has been rectified. I had to add Configure group claims for applications by using Azure Active Directory.

For reference I used this link 

rashtecq_0-1683005453343.png

 

0 Karma

bpluta
New Member

After looking into it further, as you have described, the group claims are in the SAMl response. I think the main problem we had was the role alias was not setup at all as described in the article you linked to.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...