I attempted to configure Splunk Enterprise 6.3.1 to act as a SAMLv2 Service Provider using Splunk Web, but ran into some problems that appear to be Splunk bugs, and then determined that I most likely could not complete the configuration due to limitations within Splunk.
I initially attempted to import an IDP metadata file from Google, which failed with the message:
"Unable to parse the payload received as a part if idp metadata file or xml."
I then tried to import the same xml by pasting the xml into the text box - same result. (Note: I did validate the xml elsewhere and it passed).
Then I tried entering the required values into the web form, but noticed that the web form appeared to be requiring the Attribute Query URL, even though it is indicated as optional, and as far as I know there is no relevant Attribute Query URL for Google Apps as an IDP.
Beyond this, on the Google side, Google requires that you provide an SP ACS URL and an SP Entity Id. I could not determine how I could derive these values from my Splunk instance.
I've also seen a few mentions in the Splunk documentation that indicate that full support for SAML is really only intended for Okta and PingIdentity.
My question is therefore whether there are any plans to support additional IDPs, and specifically Google Apps.
The assertion consumer service URL is: /saml/acs
The SP ID I think can be anything you want so long as it matches what's configured on the IDP.
The metadata can be retrieved by doing the following:
First log in with a Splunk local admin account by hitting the following URL: /account/login?loginType=Splunk
Once authenticated you can hit the metadata URL: /saml/spmetadata
Splunk should really update their documentation on setting up SAML with their product. The ACS URL is essential in setting up a SAML partnership.
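Added example, not part of the original answer and not Splunk's own code: once the document served at /saml/spmetadata has been saved, a short Python parser can pull out the two values Google asks for (SP Entity ID and ACS URL) and flag an ACS endpoint that is not HTTPS or not HTTP-POST. The metadata below is a constructed sample; its hostname, port and entityID are placeholders, and the function name `sp_values_for_idp` and the exact shape of Splunk's metadata are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample standing in for a saved /saml/spmetadata response.
# Host, port and entityID are placeholders, not values from a real instance.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="splunk-sp-example">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://splunk.example.test:8000/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def sp_values_for_idp(metadata_xml):
    """Return the SP Entity ID and ACS URL an IdP needs, plus any warnings."""
    root = ET.fromstring(metadata_xml.strip())
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != f"{{{MD}}}EntityDescriptor" or sp is None:
        raise ValueError("not SAML 2.0 service provider metadata")
    endpoints = sp.findall("md:AssertionConsumerService", NS)
    if not root.get("entityID") or not endpoints:
        raise ValueError("metadata lacks entityID or AssertionConsumerService")
    # Prefer the endpoint marked isDefault="true", then the lowest index.
    acs = min(endpoints, key=lambda e: (e.get("isDefault") != "true",
                                        int(e.get("index", "0"))))
    url, warnings = acs.get("Location", ""), []
    if urlsplit(url).scheme != "https":
        warnings.append("ACS URL is not HTTPS")
    if acs.get("Binding") != HTTP_POST:
        warnings.append("ACS binding is not HTTP-POST")
    return {"entity_id": root.get("entityID"), "acs_url": url,
            "warnings": warnings}

if __name__ == "__main__":
    print(sp_values_for_idp(SAMPLE_SP_METADATA))
```

The `entity_id` and `acs_url` values returned are the ones to enter on the IdP side; a non-empty `warnings` list is worth resolving before enabling SSO.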
There are a lot of questions about SAML and SSO right here... couldn't any Splunk staff write some really useful documentation about this? They're making us waste a lot of time due to the missing information.
There is a workaround to configure Splunk SAML without Attribute queries:
I found it was easier to work with $SPLUNK_HOME/etc/system/local/authentication.conf directly than using their web form.