Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

KEYCLOAK SAML issue

Araton71
Explorer
‎05-20-2026 01:14 AM

I've configured my splunk enterprise to get saml login with keycloak.

[authentication]

authSettings = saml

authType = SAML

[saml]

blacklistedAutoMappedRoles = admin,power

caCertFile = /opt/splunk/etc/auth/cacert.pem

cacheSAMLUserInfotoDisk = false

clientCert = /opt/splunk/etc/auth/server.pem

enableAutoMappedRoles = true

entityId = https://homesoc.tester.local

excludedAutoMappedRoles = admin,power

fqdn = https://itpghomesoc03

idpCertExpirationCheckInterval = 86400s

idpCertExpirationWarningDays = 90

idpCertPath = idpCert.pem

idpSLOUrl = https://www.tester.net/realms/tester/protocol/saml

idpSSOUrl = https://www.tester.net/realms/tester/protocol/saml

inboundDigestMethod = SHA1;SHA256;SHA384;SHA512

inboundSignatureAlgorithm = RSA-SHA1;RSA-SHA256;RSA-SHA384;RSA-SHA512

issuerId = https://www.tester.net/realms/tester

lockRoleToFullDN = true

redirectPort = 8000

replicateCertificates = true

saml_negative_cache_timeout = 3600

scimEnabled = false

signAuthnRequest = false

signatureAlgorithm = RSA-SHA256

signatureRawPubKey = false

signedAssertion = true

sloBinding = HTTP-POST

sslPassword = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

ssoBinding = HTTP-REDIRECT

[roleMap_SAML]
admin = splunk-admin

 

but I have following error when try to login

Saml response does not contain group information.

 

In splunkd.log 

05-20-2026 09:24:47.181 +0200 ERROR Saml [2814333 webui] - No value found in SamlResponse for match key=saml:AttributeStatement/saml:Attribute attrName=role err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute

What is missing ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

Araton71
Explorer
‎05-20-2026 01:28 AM

On UI SAML Configuration ALIAS check must be tick and in role alias filed 

Araton71_2-1779265613667.png

 

it needs to add same value setted in keycloak

Araton71_0-1779265470652.png

and in authentication.conf

[authenticationResponseAttrMap_SAML]
role = groups

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...