Security

I am trying to use auth0 as an IDp for Splunk and I get the "Saml response does not contain group information." error, any help is greatly appreciated.

ghlogger
Explorer

I think this is a sample snip of the auth0 xml response
but there is no attribute to use that has group information (see below)

tried authentication.conf role = Group (first line)
splunkd.log:04-03-2020 17:39:57.331 +0000 ERROR Saml - No value found in SamlRes
ponse for match key=saml:AttributeStatement/saml:Attribute attrName=role = Group
s err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute
splunkd.log:04-07-2020 16:30:37.575 +0000 ERROR Saml - No value found in SamlResponse for match key=saml:AttributeStatement/saml:Attribute attrName=Groups err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute

there is an auth0 api that has group info, how do i get splunk to access it "myname.auth0.com/api/v2/users/{id}/roles"

Response snip




Tags (1)

ilya_resh
Engager

Hi, just stumbled upon this one. You've probably already resolved the issue, but for anyone who might have a similar issue in the future:

Roles are not returned by Auth0 SAML assertion by default, but you can implement a rule that fixes that.

I've created a guide here a while back:

https://isbyr.com/return-user-roles-in-auth0/

Hope that this helps.

Tags (3)
0 Karma

jawaharas
Motivator

@ghlogger 
Try below config in 'authentication.conf' file. 

 

[authenticationResponseAttrMap_SAML]
role = http://schemas.auth0.com/roles

 

The attribute value is fetched using 'SAML Tracer' addon. 

Also, make sure to create a 'Auth Pipeline' rule in Auth0 with below code to pull the roles during authorization.

function (user, context, callback) {
  // Get the user roles from the Authorization context
  const assignedRoles = (context.authorization || {}).roles;
  // Update the user object.
  user.roles = assignedRoles;
  callback(null, user, context);
}

 

0 Karma

ghlogger
Explorer

This is the snip that did not seem to make it into the post, removed the less than and slash greater than chars.

Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
0 Karma

ghlogger
Explorer

I have been able to configure Auth0 to output all required fields but none are being used by Splunk. What exactly do I need to supply the identity data in the response so that Splunk will. use it ?

If I add the this to authentication.conf I can login but no SAML data is available, name, email address, groups - roles.
[saml]
defaultRoleIfMissing = splunk_user

If I do not add above authentication is successful but login is refused with a group error: "Saml response does not contain group information."

This is a snip of the response, if I use Auth0 -> Splunk the response has all of the identity data, if I use the AD connector in Auth0: AD -> Auth0 -> Splunk, this is the response. Both methods return user identity data but it is ignored by Splunk.

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ad|Splunk-to-AD-LDAP|xxxxxx-xxxxxxxxx</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2020-04-27T21:30:17.217Z" Recipient="https://1.2.3.4:8000/saml/acs" InResponseTo="mysplunk.6.xxxxxxxxxxxxxxxxx"/>
  </saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-04-27T20:30:17.217Z" NotOnOrAfter="2020-04-27T21:30:17.217Z">
  <saml:AudienceRestriction>
    <saml:Audience>mysplunk</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-04-27T20:30:17.217Z" SessionIndex="_xxxxxxxxx_xxxx">
  <saml:AuthnContext>
     <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">ad|Splunk-to-AD-LDAP|xxxxxxxx</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">first.last@fl.mydomain.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">first last</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://mydomain.auth0.com/identity/claims/groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">splunk_user</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">ad</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Splunk-to-AD-LDAP</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
0 Karma

ghlogger
Explorer

The xml above is from the plunkd.log but scrubbed.

0 Karma
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

Stay Connected: Your Guide to March Tech Talks, Office Hours, and Webinars!

&#x1f340; A new season is on the horizon, and March brings fresh opportunities to grow! Our Community Office ...

Welcome AppDynamics to Splunk Community Sweepstakes

SWEEPSTAKES OFFICIAL RULES The Welcome Appdynamics to Splunk Community Sweepstakes Official Rules NO PURCHASE ...