Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

KEYCLOAK SAML issue

Araton71
Loves-to-Learn
2 weeks ago

I've configured my splunk enterprise to get saml login with keycloak.

[authentication]

authSettings = saml

authType = SAML

[saml]

blacklistedAutoMappedRoles = admin,power

caCertFile = /opt/splunk/etc/auth/cacert.pem

cacheSAMLUserInfotoDisk = false

clientCert = /opt/splunk/etc/auth/server.pem

enableAutoMappedRoles = true

entityId = https://homesoc.tester.local

excludedAutoMappedRoles = admin,power

fqdn = https://itpghomesoc03

idpCertExpirationCheckInterval = 86400s

idpCertExpirationWarningDays = 90

idpCertPath = idpCert.pem

idpSLOUrl = https://www.tester.net/realms/tester/protocol/saml

idpSSOUrl = https://www.tester.net/realms/tester/protocol/saml

inboundDigestMethod = SHA1;SHA256;SHA384;SHA512

inboundSignatureAlgorithm = RSA-SHA1;RSA-SHA256;RSA-SHA384;RSA-SHA512

issuerId = https://www.tester.net/realms/tester

lockRoleToFullDN = true

redirectPort = 8000

replicateCertificates = true

saml_negative_cache_timeout = 3600

scimEnabled = false

signAuthnRequest = false

signatureAlgorithm = RSA-SHA256

signatureRawPubKey = false

signedAssertion = true

sloBinding = HTTP-POST

sslPassword = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

ssoBinding = HTTP-REDIRECT

[roleMap_SAML]
admin = splunk-admin

 

but I have following error when try to login

Saml response does not contain group information.

 

In splunkd.log 

05-20-2026 09:24:47.181 +0200 ERROR Saml [2814333 webui] - No value found in SamlResponse for match key=saml:AttributeStatement/saml:Attribute attrName=role err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute

What is missing ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

Araton71
Loves-to-Learn
2 weeks ago

On UI SAML Configuration ALIAS check must be tick and in role alias filed 

Araton71_2-1779265613667.png

 

it needs to add same value setted in keycloak

Araton71_0-1779265470652.png

and in authentication.conf

[authenticationResponseAttrMap_SAML]
role = groups

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...