Does Splunk have a problem with token authentication and SAML?


Splunk seems to have a problem with authenticating a SAML user account using a token.

The purpose of using token authentication is to allow an external application to run a search and get the results. A sample script is posted on GitHub as a code gist — the script simply starts a search but does not wait for the results.

The problem is that when token authentication is used with a SAML account, it only works when that SAML user is logged in on the Splunk web GUI and while the interactive session is (still) valid.

The problem is shown in the internal log:


07-03-2023 19:35:53.931 +0000 ERROR Saml [795668 AttrQueryRequestExecutorWorker-0] - No status code found in SamlResponse, Not a valid status.
07-03-2023 19:35:53.901 +0000 ERROR Saml [795669 AttrQueryRequestExecutorWorker-1] - No status code found in SamlResponse, Not a valid status.


The theory on the failure is:

  • The token authentication works with (within) Splunk;
  • But Splunk needs to perform RBAC after authentication. So it does AQR after the authentication;
  • However, when there is no valid, live SAML session, the AQR fails.

(AQR = Attribute Query Request) -- in this case, to get the user's group memberships to map to Splunk roles.

I wonder if anyone has been able to get token authentication to work for a SAML account?

[Edit]: On the other hand, is it simply impossible to use token authentication with a SAML user account?

Labels (4)
0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...