Security
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Does Splunk have a problem with token authentication and SAML?

ww9rivers
Contributor
‎08-30-2023 10:06 PM

Splunk seems to have a problem with authenticating a SAML user account using a token.

The purpose of using token authentication is to allow an external application to run a search and get the results. A sample script is posted on GitHub as a code gist — the script simply starts a search but does not wait for the results.

The problem is that when token authentication is used with a SAML account, it only works when that SAML user is logged in on the Splunk web GUI and while the interactive session is (still) valid.

The problem is shown in the internal log:

 

07-03-2023 19:35:53.931 +0000 ERROR Saml [795668 AttrQueryRequestExecutorWorker-0] - No status code found in SamlResponse, Not a valid status.
07-03-2023 19:35:53.901 +0000 ERROR Saml [795669 AttrQueryRequestExecutorWorker-1] - No status code found in SamlResponse, Not a valid status.

 

The theory on the failure is:

  • The token authentication works with (within) Splunk;
  • But Splunk needs to perform RBAC after authentication. So it does AQR after the authentication;
  • However, when there is no valid, live SAML session, the AQR fails.

(AQR = Attribute Query Request) -- in this case, to get the user's group memberships to map to Splunk roles.

I wonder if anyone has been able to get token authentication to work for a SAML account?

[Edit]: On the other hand, is it simply impossible to use token authentication with a SAML user account?

Labels (4)
0 Karma
Reply

even65tiQ
New Member
‎11-17-2024 05:07 PM

@ww9rivers Did you end up finding a solution for this?
We have run into the same issue. We have noticed that once the user has authenticated and the token is active that it only remains active until the "Get User Info time-to-live" timeframe that is located under Attribute Extensions in the SAML Configuration.

0 Karma
Reply

ww9rivers
Contributor
2 weeks ago

We ended up creating local (splunk) accounts for authenticating with token. Sorry for the late response.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-18-2024 01:10 AM

It kinda makes sense.

With SAML authentication you don't actually authenticate against the SP but against the IdP and then pass the assertions around. How do you expect it to work when you don't authenticate against the IdP?

0 Karma
Reply

ww9rivers
Contributor
2 weeks ago

Well, I expected it to authenticate the account when there is a token present.

When Splunk knows that the account exists (It has authenticated before AND it has a token), why is that not sufficient for authentication?

0 Karma
Reply
Get Updates on the Splunk Community!

Important Update to Data Management Pipeline Builders: RE2 to PCRE2 Migration

Dear Community,   In an effort to deliver a more consistent experience across Splunk Cloud Platform and its ...

Buttercup Games: Further Dashboarding Techniques (Part 4)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top