Security

How come I'm unable to logout in Splunk SAML SSO?

pmalcakdoj
Path Finder

Splunk is configured to use SAML auth with ADFS v4.

Login works fine, but logout throws an error: "Failed to validate SAML logout response received from IDP"

_internal shows:

"No extra status code found in SamlResponse, Not a valid status. Could not evaluate xpath expression /samlp:LogoutResponse/samlp:Status/samlp:StatusMessage or no matching nodes foundNo value found in SamlResponse for key=/samlp:LogoutResponse/samlp:Status/samlp:StatusMessageCould not evaluate xpath expression /samlp:LogoutResponse/samlp:Status/samlp:StatusDetail/Cause or no matching nodes foundNo value found in SamlResponse for key=/samlp:LogoutResponse/samlp:Status/samlp:StatusDetail/Cause"
1 Solution

pmalcakdoj
Path Finder

The problem lies with the way splunk stores the nameID attribute. This is a case sensitivity issue.

  • When you first login, ADFS sends a login saml response that contains nameID like contoso\PMalcak
  • Splunk then stores it as "/opt/splunk/etc/users/_reserved/contoso_pmalcak.some_guid_here"
  • When you go to logout, splunk has already lost any knowledge of case sensitivity
  • Upon logout, splunk sends ADFS a saml logout request that contains nameID like contoso\pmalcak
  • ADFS uses nameID in case sensitive manner and as such is unable to process the logout request.

Until Splunk fixes this bug, this has to be corrected on ADFS side.

I am told the following from my ADFS guy who has figured out how to correct this:
- can't fix it in ADFS v2 or v3 since in ADFS 2.0 and 3.0 it did not support $_.Tolower()

==============================

Potential Fix #1 (did not work for us):

1) Compile a Custom Attribute store .dll per the MS article.
https://docs.microsoft.com/en-us/previous-versions/adfs-2.0/hh599320(v=msdn.10)
2) Add the custom attribute store to ADFS
Rule 1
use custom Rules for the relying party agreement.
Rule 1 take the widnows account name from the pipeline and call the custome attribute store
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]

=> add(store = "StringProcessing", types = ("http://schema.local/windowsaccountname/lower"), query = "toLower", param = c.Value);

Rule 2 Issue lower case windows account name as nameID
@RuleTemplate = "MapClaims"
@RuleName = "Name_id"
c:[Type == "http://schema.local/windowsaccountname/lower"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

==============================

Potential Fix #2 (did work for us):

not proud of and shameful method with out the custom String Processing Attribute Store.
Rule 1- 26 Feeding into each other
@RuleName = "Convert Upper A to lower"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(Type = "http://schema.local/windowsaccountname/lower/A", Value = RegExReplace(c.Value, "A", "a"));

@RuleName = "Convert Upper B to lower"
c:[Type == "http://schema.local/windowsaccountname/lower/A"]
=> add(Type = "http://schema.local/windowsaccountname/lower/B", Value = RegExReplace(c.Value, "B", "B"));
.........Repeat for each letter
.......................
Rule 27
@RuleTemplate = "MapClaims"
@RuleName = "Name_id "
c:[Type == "http://schema.local/windowsaccountname/lower/Z" ]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

I have no way of validating if any of the above is correct, but... he says that's what he did on his end... and logout now magically started to work, so I wasn't gonna question it.

Hopefully this helps some other lost soul banging their head against the wall

View solution in original post

pmalcakdoj
Path Finder

The problem lies with the way splunk stores the nameID attribute. This is a case sensitivity issue.

  • When you first login, ADFS sends a login saml response that contains nameID like contoso\PMalcak
  • Splunk then stores it as "/opt/splunk/etc/users/_reserved/contoso_pmalcak.some_guid_here"
  • When you go to logout, splunk has already lost any knowledge of case sensitivity
  • Upon logout, splunk sends ADFS a saml logout request that contains nameID like contoso\pmalcak
  • ADFS uses nameID in case sensitive manner and as such is unable to process the logout request.

Until Splunk fixes this bug, this has to be corrected on ADFS side.

I am told the following from my ADFS guy who has figured out how to correct this:
- can't fix it in ADFS v2 or v3 since in ADFS 2.0 and 3.0 it did not support $_.Tolower()

==============================

Potential Fix #1 (did not work for us):

1) Compile a Custom Attribute store .dll per the MS article.
https://docs.microsoft.com/en-us/previous-versions/adfs-2.0/hh599320(v=msdn.10)
2) Add the custom attribute store to ADFS
Rule 1
use custom Rules for the relying party agreement.
Rule 1 take the widnows account name from the pipeline and call the custome attribute store
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]

=> add(store = "StringProcessing", types = ("http://schema.local/windowsaccountname/lower"), query = "toLower", param = c.Value);

Rule 2 Issue lower case windows account name as nameID
@RuleTemplate = "MapClaims"
@RuleName = "Name_id"
c:[Type == "http://schema.local/windowsaccountname/lower"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

==============================

Potential Fix #2 (did work for us):

not proud of and shameful method with out the custom String Processing Attribute Store.
Rule 1- 26 Feeding into each other
@RuleName = "Convert Upper A to lower"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(Type = "http://schema.local/windowsaccountname/lower/A", Value = RegExReplace(c.Value, "A", "a"));

@RuleName = "Convert Upper B to lower"
c:[Type == "http://schema.local/windowsaccountname/lower/A"]
=> add(Type = "http://schema.local/windowsaccountname/lower/B", Value = RegExReplace(c.Value, "B", "B"));
.........Repeat for each letter
.......................
Rule 27
@RuleTemplate = "MapClaims"
@RuleName = "Name_id "
c:[Type == "http://schema.local/windowsaccountname/lower/Z" ]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

I have no way of validating if any of the above is correct, but... he says that's what he did on his end... and logout now magically started to work, so I wasn't gonna question it.

Hopefully this helps some other lost soul banging their head against the wall

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...