Security

Configuring Google IDP SAML for Group membership based SSO?

aamer86
Path Finder

Hi,

I am trying to use our Google IdP (Google Workspace) to enable SSO on our Splunk.

I followed this link and it worked successfully when adding a custom attribute individually to each user.

Now I need to use Google groups for Splunk RBAC so that authentication and authorisation are handled using group membership.

When using the group membership, I couldn't find any clear answer from Google or Splunk about what to use here as the App attribute.

I only found this link, which is useless.

I raised a support ticket with Google and got this answer.

Could you advise on how to set up RBAC using Google group membership, or help with the Google SAML IdP setup?

ojensen
Explorer

I had been struggling with the same problem. After a lot of experimentation with different ideas and inspecting SAML payloads, my two main findings, as best as I can tell, are:

  1. When you configure a Google Groups mapping in Google SAML configuration, Google will send the group name as an attribute identically to if it were an attribute set up in the attribute mapping.
  2. When Splunk receives a SAML assertion with a role attribute, I think it will try to match it against roles as well as SAML groups. Though in my case all of the role attributes I use are SAML group names, so I cannot confirm that it will match the "role" attribute against an actual role name.

But also crucially, when you update Google SAML configurations, it can take 5-10 minutes for the update to "go live". So watch the SAML assertions that you are actually sending to Splunk as you experiment, because otherwise you'll make a change and, even if you get it right, it'll appear to not work; you'll make more changes, and suddenly things work, but actually the working configuration was n attempts ago, and it will break itself as it slowly updates to your later configuration attempts, and all you'll know is that something you tried at some point over the last however long was correct.

So the net result:

  1. Set the "App attribute" to "role", exactly like you did in your screenshot. If you have created a role in Splunk whose name is the same as your Google group, you're done.
  2. If your Google group has a different name than your role, then set up a SAML group in Splunk with the same name as your Google group and assign it the role you want. Splunk will lowercase the group name; that's fine, it'll still match.
  3. As a result, you can actually use both (e.g. a group to grant "user" access, and individual user attributes to grant admin access).

In my case, I already had a Google group called "Engineering" that I wanted to set up with the "user" role. Here are my configs:

Splunk:

1. Configure SAML groups with names corresponding to your Google groups


2. Configure your Google SAML configuration. If you plan to use both user attributes and Google groups, set both a user attribute and a Group membership, both pointing to the "role" App attribute. If you only plan on using groups, you can omit the user attribute. In my case, as you can see from my Splunk config above, I want the "Engineering" Google group to all have "user" access to Splunk:

3. If you want to specify role overrides, set them as you did before:

4. If it isn't working, decode and review the SAML assertion that Splunk is receiving. It can take a surprisingly long time for changes made in Google's SAML configuration to go "live". You will likely observe that you're passing along a SAML assertion that does not reflect your most recent Google configuration changes -- if that's the case, just wait a while and try again in a bit.
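Added example (not from the original post or from Splunk or Google): a small script that does step 4 and the matching described in the answer, decoding a base64 `SAMLResponse`, pulling out every value of the `role` attribute, and resolving each value first against Splunk role names and then against configured SAML groups compared in lowercase. The assertion, the SAML group table and the role set are all constructed samples; the matching order is an assumption taken from the answer, not confirmed Splunk behaviour.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal Google-style response whose "role" attribute
# carries one group-mapped value ("Engineering") and one user-attribute value ("admin").
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="role">
        <saml:AttributeValue>Engineering</saml:AttributeValue>
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_role_attribute(saml_response_b64: str) -> list:
    """Base64-decode a SAMLResponse and return every value of the 'role' attribute."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "role":
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def resolve_roles(role_values, saml_groups, splunk_roles):
    """Resolve 'role' values to Splunk roles (assumed order, per the answer):
    an exact Splunk role name wins; otherwise look up a SAML group, comparing
    in lowercase because Splunk lowercases group names."""
    granted = set()
    groups_lc = {name.lower(): roles for name, roles in saml_groups.items()}
    for value in role_values:
        if value in splunk_roles:
            granted.add(value)
        elif value.lower() in groups_lc:
            granted.update(groups_lc[value.lower()])
    return sorted(granted)
```

Paste the `SAMLResponse` form value captured from a real login in place of the constructed sample to see which `role` values Google is actually sending before you change anything else.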
