Security

I am trying to use auth0 as an IDp for Splunk and I get the "Saml response does not contain group information." error, any help is greatly appreciated.

ghlogger
Explorer

I think this is a sample snip of the auth0 xml response
but there is no attribute to use that has group information (see below)

tried authentication.conf role = Group (first line)
splunkd.log:04-03-2020 17:39:57.331 +0000 ERROR Saml - No value found in SamlRes
ponse for match key=saml:AttributeStatement/saml:Attribute attrName=role = Group
s err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute
splunkd.log:04-07-2020 16:30:37.575 +0000 ERROR Saml - No value found in SamlResponse for match key=saml:AttributeStatement/saml:Attribute attrName=Groups err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute

there is an auth0 api that has group info, how do i get splunk to access it "myname.auth0.com/api/v2/users/{id}/roles"

Response snip




Tags (1)

jawaharas
Motivator

@ghlogger 
Try below config in 'authentication.conf' file. 

 

[authenticationResponseAttrMap_SAML]
role = http://schemas.auth0.com/roles

 

The attribute value is fetched using 'SAML Tracer' addon. 

Also, make sure to create a 'Auth Pipeline' rule in Auth0 with below code to pull the roles during authorization.

function (user, context, callback) {
  // Get the user roles from the Authorization context
  const assignedRoles = (context.authorization || {}).roles;
  // Update the user object.
  user.roles = assignedRoles;
  callback(null, user, context);
}

 

0 Karma

ghlogger
Explorer

This is the snip that did not seem to make it into the post, removed the less than and slash greater than chars.

Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
0 Karma

ghlogger
Explorer

I have been able to configure Auth0 to output all required fields but none are being used by Splunk. What exactly do I need to supply the identity data in the response so that Splunk will. use it ?

If I add the this to authentication.conf I can login but no SAML data is available, name, email address, groups - roles.
[saml]
defaultRoleIfMissing = splunk_user

If I do not add above authentication is successful but login is refused with a group error: "Saml response does not contain group information."

This is a snip of the response, if I use Auth0 -> Splunk the response has all of the identity data, if I use the AD connector in Auth0: AD -> Auth0 -> Splunk, this is the response. Both methods return user identity data but it is ignored by Splunk.

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ad|Splunk-to-AD-LDAP|xxxxxx-xxxxxxxxx</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2020-04-27T21:30:17.217Z" Recipient="https://1.2.3.4:8000/saml/acs" InResponseTo="mysplunk.6.xxxxxxxxxxxxxxxxx"/>
  </saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-04-27T20:30:17.217Z" NotOnOrAfter="2020-04-27T21:30:17.217Z">
  <saml:AudienceRestriction>
    <saml:Audience>mysplunk</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-04-27T20:30:17.217Z" SessionIndex="_xxxxxxxxx_xxxx">
  <saml:AuthnContext>
     <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">ad|Splunk-to-AD-LDAP|xxxxxxxx</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">first.last@fl.mydomain.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">first last</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://mydomain.auth0.com/identity/claims/groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">splunk_user</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">ad</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Splunk-to-AD-LDAP</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
0 Karma

ghlogger
Explorer

The xml above is from the plunkd.log but scrubbed.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...