Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

KEYCLOAK SAML issue

Araton71
Loves-to-Learn
2 weeks ago

I've configured my splunk enterprise to get saml login with keycloak.

[authentication]

authSettings = saml

authType = SAML

[saml]

blacklistedAutoMappedRoles = admin,power

caCertFile = /opt/splunk/etc/auth/cacert.pem

cacheSAMLUserInfotoDisk = false

clientCert = /opt/splunk/etc/auth/server.pem

enableAutoMappedRoles = true

entityId = https://homesoc.tester.local

excludedAutoMappedRoles = admin,power

fqdn = https://itpghomesoc03

idpCertExpirationCheckInterval = 86400s

idpCertExpirationWarningDays = 90

idpCertPath = idpCert.pem

idpSLOUrl = https://www.tester.net/realms/tester/protocol/saml

idpSSOUrl = https://www.tester.net/realms/tester/protocol/saml

inboundDigestMethod = SHA1;SHA256;SHA384;SHA512

inboundSignatureAlgorithm = RSA-SHA1;RSA-SHA256;RSA-SHA384;RSA-SHA512

issuerId = https://www.tester.net/realms/tester

lockRoleToFullDN = true

redirectPort = 8000

replicateCertificates = true

saml_negative_cache_timeout = 3600

scimEnabled = false

signAuthnRequest = false

signatureAlgorithm = RSA-SHA256

signatureRawPubKey = false

signedAssertion = true

sloBinding = HTTP-POST

sslPassword = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

ssoBinding = HTTP-REDIRECT

[roleMap_SAML]
admin = splunk-admin

 

but I have following error when try to login

Saml response does not contain group information.

 

In splunkd.log 

05-20-2026 09:24:47.181 +0200 ERROR Saml [2814333 webui] - No value found in SamlResponse for match key=saml:AttributeStatement/saml:Attribute attrName=role err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute

What is missing ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

Araton71
Loves-to-Learn
2 weeks ago

On UI SAML Configuration ALIAS check must be tick and in role alias filed 

Araton71_2-1779265613667.png

 

it needs to add same value setted in keycloak

Araton71_0-1779265470652.png

and in authentication.conf

[authenticationResponseAttrMap_SAML]
role = groups

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...