How come I'm unable to logout in Splunk SAML SSO?

pmalcakdoj
Path Finder

Splunk is configured to use SAML auth with ADFS v4.

Login works fine, but logout throws an error: "Failed to validate SAML logout response received from IDP"

_internal shows:

No extra status code found in SamlResponse, Not a valid status.
Could not evaluate xpath expression /samlp:LogoutResponse/samlp:Status/samlp:StatusMessage or no matching nodes found
No value found in SamlResponse for key=/samlp:LogoutResponse/samlp:Status/samlp:StatusMessage
Could not evaluate xpath expression /samlp:LogoutResponse/samlp:Status/samlp:StatusDetail/Cause or no matching nodes found
No value found in SamlResponse for key=/samlp:LogoutResponse/samlp:Status/samlp:StatusDetail/Cause

1 Solution

pmalcakdoj
Path Finder

The problem lies with the way Splunk stores the nameID attribute. This is a case-sensitivity issue.

  • When you first log in, ADFS sends a login SAML response that contains a nameID like contoso\PMalcak
  • Splunk then stores it as "/opt/splunk/etc/users/_reserved/contoso_pmalcak.some_guid_here"
  • When you go to log out, Splunk has already lost any knowledge of case sensitivity
  • Upon logout, Splunk sends ADFS a SAML logout request that contains a nameID like contoso\pmalcak
  • ADFS uses the nameID in a case-sensitive manner and as such is unable to process the logout request.

Until Splunk fixes this bug, this has to be corrected on the ADFS side.

I am told the following by my ADFS guy, who has figured out how to correct this:
- can't fix it in ADFS v2 or v3, since ADFS 2.0 and 3.0 did not support $_.Tolower()

==============================

Potential Fix #1 (did not work for us):

1) Compile a custom attribute store .dll per the MS article.
https://docs.microsoft.com/en-us/previous-versions/adfs-2.0/hh599320(v=msdn.10)
2) Add the custom attribute store to ADFS
3) Use custom rules for the relying party trust.

Rule 1: take the Windows account name from the pipeline and call the custom attribute store
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(store = "StringProcessing", types = ("http://schema.local/windowsaccountname/lower"), query = "toLower", param = c.Value);

Rule 2: issue the lower-case Windows account name as nameID
@RuleTemplate = "MapClaims"
@RuleName = "Name_id"
c:[Type == "http://schema.local/windowsaccountname/lower"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

==============================

Potential Fix #2 (did work for us):

Not proud of this: a shameful method without the custom String Processing attribute store.
Rules 1-26 feed into each other:
@RuleName = "Convert Upper A to lower"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(Type = "http://schema.local/windowsaccountname/lower/A", Value = RegExReplace(c.Value, "A", "a"));

@RuleName = "Convert Upper B to lower"
c:[Type == "http://schema.local/windowsaccountname/lower/A"]
 => add(Type = "http://schema.local/windowsaccountname/lower/B", Value = RegExReplace(c.Value, "B", "b"));
......... Repeat for each letter
.......................
Rule 27:
@RuleTemplate = "MapClaims"
@RuleName = "Name_id"
c:[Type == "http://schema.local/windowsaccountname/lower/Z"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

I have no way of validating if any of the above is correct, but... he says that's what he did on his end... and logout now magically started to work, so I wasn't gonna question it.

Hopefully this helps some other lost soul banging their head against the wall
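
Editor's note: before touching ADFS it is worth confirming from a SAML trace that the two NameIDs really differ only by case. The following is an added example, not code from the post above or from Splunk; it decodes a LogoutRequest as carried in the HTTP-Redirect binding (raw DEFLATE, then base64; pass the URL-decoded SAMLRequest value), pulls out the NameID and classifies the difference against the NameID seen in the login Response. The LogoutRequest XML, the hostnames and the IDs are constructed placeholders, and splunk_user_dir_name() is an assumption inferred from the directory name quoted in the answer, not Splunk's actual code.

```python
"""Added example (not from the original post): decode a SAML HTTP-Redirect
LogoutRequest and check whether its NameID differs from the login NameID
only by letter case."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the NameID value the IdP put in the login <Response>.
LOGIN_NAMEID = r"contoso\PMalcak"

# Constructed sample LogoutRequest, as an SP would send it after lowercasing
# the NameID. IDs, hostnames and timestamps are placeholders, not real data.
LOGOUT_REQUEST_XML = r"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-logout-1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z"
    Destination="https://adfs.example.test/adfs/ls/">
  <saml:Issuer>https://splunk.example.test/saml/acs</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">contoso\pmalcak</saml:NameID>
  <samlp:SessionIndex>_example-session-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def redirect_encode(xml_text: str) -> str:
    """Encode XML the way the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def redirect_decode(saml_param: str) -> str:
    """Reverse of redirect_encode; takes the URL-decoded SAMLRequest value from a trace."""
    raw = base64.b64decode(saml_param)
    return zlib.decompress(raw, -15).decode("utf-8")


def extract_nameid(logout_request_xml: str) -> str:
    """Return the text of <saml:NameID> directly under <samlp:LogoutRequest>."""
    root = ET.fromstring(logout_request_xml)
    node = root.find("saml:NameID", NS)
    if node is None or not node.text:
        raise ValueError("LogoutRequest carries no NameID")
    return node.text


def splunk_user_dir_name(nameid: str) -> str:
    """Assumption, inferred from the path quoted in the answer: Splunk names the
    directory under etc/users/_reserved by replacing the backslash with an
    underscore and lowercasing everything. Not Splunk's real implementation."""
    return nameid.replace("\\", "_").lower()


def classify_mismatch(login_nameid: str, logout_nameid: str) -> str:
    """'match', 'case-only' (the bug described in the answer) or 'different'."""
    if login_nameid == logout_nameid:
        return "match"
    if login_nameid.lower() == logout_nameid.lower():
        return "case-only"
    return "different"


if __name__ == "__main__":
    param = redirect_encode(LOGOUT_REQUEST_XML)  # what a SAML tracer would show
    sent = extract_nameid(redirect_decode(param))
    print("login NameID :", LOGIN_NAMEID)
    print("stored as    :", splunk_user_dir_name(LOGIN_NAMEID))
    print("logout NameID:", sent)
    print("verdict      :", classify_mismatch(LOGIN_NAMEID, sent))
```

A "case-only" verdict is the signature of the problem described in this thread; "different" points at something else (a different claim being issued as NameID, or a different NameID format) and the ADFS rules below will not help with that.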

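Editor's note: the answer above shows only the first two of the 26 chained rules in Fix #2. The script below is an added example, not the poster's or Splunk's code; it generates the complete rule set the answer describes (one add() rule per uppercase letter, each consuming the claim type the previous rule produced, then the final issue() rule mapping the lowercased value to the SAML NameID) and applies the same 26 replacements in Python so you can predict what ADFS will issue for a given account name. The claim-type URIs are the ones used in the answer; the file name rules.txt is a placeholder.

```python
"""Added example (not from the original post): emit the 27-rule ADFS
issuance transform rule set described as 'Potential Fix #2'."""
import string

WINDOWS_ACCOUNT_NAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
NAME_IDENTIFIER = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
NAMEID_FORMAT_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Private intermediate claim-type prefix, same as in the answer above.
LOWER_PREFIX = "http://schema.local/windowsaccountname/lower"


def letter_rule(letter: str, input_type: str) -> str:
    """One transform rule: replace every uppercase `letter` in the input claim
    with its lowercase form and add the result under a per-letter claim type."""
    output_type = f"{LOWER_PREFIX}/{letter}"
    return (
        f'@RuleName = "Convert Upper {letter} to lower"\n'
        f'c:[Type == "{input_type}"]\n'
        f' => add(Type = "{output_type}", '
        f'Value = RegExReplace(c.Value, "{letter}", "{letter.lower()}"));'
    )


def nameid_issue_rule(input_type: str) -> str:
    """Final rule: issue the fully lowercased value as a persistent SAML NameID."""
    return (
        '@RuleTemplate = "MapClaims"\n'
        '@RuleName = "Name_id"\n'
        f'c:[Type == "{input_type}"]\n'
        f' => issue(Type = "{NAME_IDENTIFIER}", Issuer = c.Issuer, '
        'OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, '
        f'Properties["{NAMEID_FORMAT_PROP}"] = "{PERSISTENT}");'
    )


def build_rule_set() -> list:
    """Rules 1-26 chained A..Z, then rule 27 issuing the NameID from .../lower/Z."""
    rules = []
    current = WINDOWS_ACCOUNT_NAME
    for letter in string.ascii_uppercase:
        rules.append(letter_rule(letter, current))
        current = f"{LOWER_PREFIX}/{letter}"
    rules.append(nameid_issue_rule(current))
    return rules


def simulate(value: str) -> str:
    """Apply the same 26 single-letter replacements in Python, in rule order,
    to predict the NameID ADFS will issue for a given windowsaccountname."""
    for letter in string.ascii_uppercase:
        value = value.replace(letter, letter.lower())
    return value


if __name__ == "__main__":
    text = "\n\n".join(build_rule_set())
    with open("rules.txt", "w", encoding="utf-8") as fh:  # placeholder file name
        fh.write(text)
    print(text)
    print("# contoso\\PMalcak would be issued as:", simulate("contoso\\PMalcak"))
```

Paste the output into the claim rules editor for the Splunk relying party trust, or load it with Set-AdfsRelyingPartyTrust -TargetName "<Splunk RP>" -IssuanceTransformRules (Get-Content rules.txt -Raw). That parameter replaces the whole issuance transform rule set, so keep any existing rules (group membership, attributes Splunk maps to roles) in the same file. Note that the replacements also lowercase the domain part of contoso\PMalcak, which is what Splunk's stored name expects.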
