Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- I am trying to use auth0 as an IDp for Splunk and ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to use auth0 as an IDp for Splunk and I get the "Saml response does not contain group information." error, any help is greatly appreciated.
I think this is a sample snip of the auth0 xml response
but there is no attribute to use that has group information (see below)
tried authentication.conf role = Group (first line)
splunkd.log:04-03-2020 17:39:57.331 +0000 ERROR Saml - No value found in SamlRes
ponse for match key=saml:AttributeStatement/saml:Attribute attrName=role = Group
s err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute
splunkd.log:04-07-2020 16:30:37.575 +0000 ERROR Saml - No value found in SamlResponse for match key=saml:AttributeStatement/saml:Attribute attrName=Groups err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute
there is an auth0 api that has group info, how do i get splunk to access it "myname.auth0.com/api/v2/users/{id}/roles"
Response snip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, just stumbled upon this one. You've probably already resolved the issue, but for anyone who might have a similar issue in the future:
Roles are not returned by Auth0 SAML assertion by default, but you can implement a rule that fixes that.
I've created a guide here a while back:
https://isbyr.com/return-user-roles-in-auth0/
Hope that this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ghlogger
Try below config in 'authentication.conf' file.
[authenticationResponseAttrMap_SAML]
role = http://schemas.auth0.com/roles
The attribute value is fetched using 'SAML Tracer' addon.
Also, make sure to create a 'Auth Pipeline' rule in Auth0 with below code to pull the roles during authorization.
function (user, context, callback) {
// Get the user roles from the Authorization context
const assignedRoles = (context.authorization || {}).roles;
// Update the user object.
user.roles = assignedRoles;
callback(null, user, context);
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the snip that did not seem to make it into the post, removed the less than and slash greater than chars.
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been able to configure Auth0 to output all required fields but none are being used by Splunk. What exactly do I need to supply the identity data in the response so that Splunk will. use it ?
If I add the this to authentication.conf I can login but no SAML data is available, name, email address, groups - roles.
[saml]
defaultRoleIfMissing = splunk_user
If I do not add above authentication is successful but login is refused with a group error: "Saml response does not contain group information."
This is a snip of the response, if I use Auth0 -> Splunk the response has all of the identity data, if I use the AD connector in Auth0: AD -> Auth0 -> Splunk, this is the response. Both methods return user identity data but it is ignored by Splunk.
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ad|Splunk-to-AD-LDAP|xxxxxx-xxxxxxxxx</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2020-04-27T21:30:17.217Z" Recipient="https://1.2.3.4:8000/saml/acs" InResponseTo="mysplunk.6.xxxxxxxxxxxxxxxxx"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-04-27T20:30:17.217Z" NotOnOrAfter="2020-04-27T21:30:17.217Z">
<saml:AudienceRestriction>
<saml:Audience>mysplunk</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-04-27T20:30:17.217Z" SessionIndex="_xxxxxxxxx_xxxx">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">ad|Splunk-to-AD-LDAP|xxxxxxxx</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">first.last@fl.mydomain.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">first last</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://mydomain.auth0.com/identity/claims/groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">splunk_user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">ad</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">Splunk-to-AD-LDAP</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The xml above is from the plunkd.log but scrubbed.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
