Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How come I'm unable to logout in Splunk SAML SSO?

pmalcakdoj
Path Finder
‎02-28-2019 01:45 PM

Splunk is configured to use SAML auth with ADFS v4.

Login works fine, but logout throws an error: "Failed to validate SAML logout response received from IDP"

_internal shows: 

"No extra status code found in SamlResponse, Not a valid status. Could not evaluate xpath expression /samlp:LogoutResponse/samlp:Status/samlp:StatusMessage or no matching nodes foundNo value found in SamlResponse for key=/samlp:LogoutResponse/samlp:Status/samlp:StatusMessageCould not evaluate xpath expression /samlp:LogoutResponse/samlp:Status/samlp:StatusDetail/Cause or no matching nodes foundNo value found in SamlResponse for key=/samlp:LogoutResponse/samlp:Status/samlp:StatusDetail/Cause"
Reply
1 Solution
Solved! Jump to solution
Solution

pmalcakdoj
Path Finder
‎02-28-2019 02:06 PM

The problem lies with the way splunk stores the nameID attribute. This is a case sensitivity issue.

  • When you first login, ADFS sends a login saml response that contains nameID like contoso\PMalcak
  • Splunk then stores it as "/opt/splunk/etc/users/_reserved/contoso_pmalcak.some_guid_here"
  • When you go to logout, splunk has already lost any knowledge of case sensitivity
  • Upon logout, splunk sends ADFS a saml logout request that contains nameID like contoso\pmalcak
  • ADFS uses nameID in case sensitive manner and as such is unable to process the logout request.

Until Splunk fixes this bug, this has to be corrected on ADFS side.

I am told the following from my ADFS guy who has figured out how to correct this:
- can't fix it in ADFS v2 or v3 since in ADFS 2.0 and 3.0 it did not support $_.Tolower()

==============================

Potential Fix #1 (did not work for us):

1) Compile a Custom Attribute store .dll per the MS article.
https://docs.microsoft.com/en-us/previous-versions/adfs-2.0/hh599320(v=msdn.10)
2) Add the custom attribute store to ADFS
Rule 1
use custom Rules for the relying party agreement.
Rule 1 take the widnows account name from the pipeline and call the custome attribute store
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]

=> add(store = "StringProcessing", types = ("http://schema.local/windowsaccountname/lower"), query = "toLower", param = c.Value);

Rule 2 Issue lower case windows account name as nameID
@RuleTemplate = "MapClaims"
@RuleName = "Name_id"
c:[Type == "http://schema.local/windowsaccountname/lower"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

==============================

Potential Fix #2 (did work for us):

not proud of and shameful method with out the custom String Processing Attribute Store.
Rule 1- 26 Feeding into each other
@RuleName = "Convert Upper A to lower"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(Type = "http://schema.local/windowsaccountname/lower/A", Value = RegExReplace(c.Value, "A", "a"));

@RuleName = "Convert Upper B to lower"
c:[Type == "http://schema.local/windowsaccountname/lower/A"]
=> add(Type = "http://schema.local/windowsaccountname/lower/B", Value = RegExReplace(c.Value, "B", "B"));
.........Repeat for each letter
.......................
Rule 27
@RuleTemplate = "MapClaims"
@RuleName = "Name_id "
c:[Type == "http://schema.local/windowsaccountname/lower/Z" ]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

I have no way of validating if any of the above is correct, but... he says that's what he did on his end... and logout now magically started to work, so I wasn't gonna question it.

Hopefully this helps some other lost soul banging their head against the wall

View solution in original post

Reply
Solved! Jump to solution
Solution

pmalcakdoj
Path Finder
‎02-28-2019 02:06 PM

The problem lies with the way splunk stores the nameID attribute. This is a case sensitivity issue.

  • When you first login, ADFS sends a login saml response that contains nameID like contoso\PMalcak
  • Splunk then stores it as "/opt/splunk/etc/users/_reserved/contoso_pmalcak.some_guid_here"
  • When you go to logout, splunk has already lost any knowledge of case sensitivity
  • Upon logout, splunk sends ADFS a saml logout request that contains nameID like contoso\pmalcak
  • ADFS uses nameID in case sensitive manner and as such is unable to process the logout request.

Until Splunk fixes this bug, this has to be corrected on ADFS side.

I am told the following from my ADFS guy who has figured out how to correct this:
- can't fix it in ADFS v2 or v3 since in ADFS 2.0 and 3.0 it did not support $_.Tolower()

==============================

Potential Fix #1 (did not work for us):

1) Compile a Custom Attribute store .dll per the MS article.
https://docs.microsoft.com/en-us/previous-versions/adfs-2.0/hh599320(v=msdn.10)
2) Add the custom attribute store to ADFS
Rule 1
use custom Rules for the relying party agreement.
Rule 1 take the widnows account name from the pipeline and call the custome attribute store
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]

=> add(store = "StringProcessing", types = ("http://schema.local/windowsaccountname/lower"), query = "toLower", param = c.Value);

Rule 2 Issue lower case windows account name as nameID
@RuleTemplate = "MapClaims"
@RuleName = "Name_id"
c:[Type == "http://schema.local/windowsaccountname/lower"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

==============================

Potential Fix #2 (did work for us):

not proud of and shameful method with out the custom String Processing Attribute Store.
Rule 1- 26 Feeding into each other
@RuleName = "Convert Upper A to lower"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(Type = "http://schema.local/windowsaccountname/lower/A", Value = RegExReplace(c.Value, "A", "a"));

@RuleName = "Convert Upper B to lower"
c:[Type == "http://schema.local/windowsaccountname/lower/A"]
=> add(Type = "http://schema.local/windowsaccountname/lower/B", Value = RegExReplace(c.Value, "B", "B"));
.........Repeat for each letter
.......................
Rule 27
@RuleTemplate = "MapClaims"
@RuleName = "Name_id "
c:[Type == "http://schema.local/windowsaccountname/lower/Z" ]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

I have no way of validating if any of the above is correct, but... he says that's what he did on his end... and logout now magically started to work, so I wasn't gonna question it.

Hopefully this helps some other lost soul banging their head against the wall

Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...