Security

I am trying to use auth0 as an IDp for Splunk and I get the "Saml response does not contain group information." error, any help is greatly appreciated.

ghlogger
Explorer

I think this is a sample snip of the auth0 xml response
but there is no attribute to use that has group information (see below)

tried authentication.conf role = Group (first line)
splunkd.log:04-03-2020 17:39:57.331 +0000 ERROR Saml - No value found in SamlRes
ponse for match key=saml:AttributeStatement/saml:Attribute attrName=role = Group
s err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute
splunkd.log:04-07-2020 16:30:37.575 +0000 ERROR Saml - No value found in SamlResponse for match key=saml:AttributeStatement/saml:Attribute attrName=Groups err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute

there is an auth0 api that has group info, how do i get splunk to access it "myname.auth0.com/api/v2/users/{id}/roles"

Response snip




Tags (1)

jawaharas
Motivator

@ghlogger 
Try below config in 'authentication.conf' file. 

 

[authenticationResponseAttrMap_SAML]
role = http://schemas.auth0.com/roles

 

The attribute value is fetched using 'SAML Tracer' addon. 

Also, make sure to create a 'Auth Pipeline' rule in Auth0 with below code to pull the roles during authorization.

function (user, context, callback) {
  // Get the user roles from the Authorization context
  const assignedRoles = (context.authorization || {}).roles;
  // Update the user object.
  user.roles = assignedRoles;
  callback(null, user, context);
}

 

0 Karma

ghlogger
Explorer

This is the snip that did not seem to make it into the post, removed the less than and slash greater than chars.

Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
0 Karma

ghlogger
Explorer

I have been able to configure Auth0 to output all required fields but none are being used by Splunk. What exactly do I need to supply the identity data in the response so that Splunk will. use it ?

If I add the this to authentication.conf I can login but no SAML data is available, name, email address, groups - roles.
[saml]
defaultRoleIfMissing = splunk_user

If I do not add above authentication is successful but login is refused with a group error: "Saml response does not contain group information."

This is a snip of the response, if I use Auth0 -> Splunk the response has all of the identity data, if I use the AD connector in Auth0: AD -> Auth0 -> Splunk, this is the response. Both methods return user identity data but it is ignored by Splunk.

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ad|Splunk-to-AD-LDAP|xxxxxx-xxxxxxxxx</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2020-04-27T21:30:17.217Z" Recipient="https://1.2.3.4:8000/saml/acs" InResponseTo="mysplunk.6.xxxxxxxxxxxxxxxxx"/>
  </saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-04-27T20:30:17.217Z" NotOnOrAfter="2020-04-27T21:30:17.217Z">
  <saml:AudienceRestriction>
    <saml:Audience>mysplunk</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-04-27T20:30:17.217Z" SessionIndex="_xxxxxxxxx_xxxx">
  <saml:AuthnContext>
     <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">ad|Splunk-to-AD-LDAP|xxxxxxxx</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">first.last@fl.mydomain.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">first last</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://mydomain.auth0.com/identity/claims/groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">splunk_user</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">ad</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Splunk-to-AD-LDAP</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
0 Karma

ghlogger
Explorer

The xml above is from the plunkd.log but scrubbed.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...