Solved: Re: No valid splunk role found in local mapping? (...

michaelba · ‎02-03-2017

Splunk,

After completing Active Directory Federation Services (ADFS), our role mappings are not recognized. What are we overlooking?

Here’s the authentication.conf, the role mapping is declared at the bottom:

In AD FS, the relying part transformation rules are:

The NameId claim transformation:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

The Role and realName claim:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "realName"), query = ";tokenGroups,displayName;{0}", param = c.Value);

michaelba · ‎02-05-2017

We found the issue:

In Active Directory, the group splunkadmin needs to be a Global group type.
Logoff the machine and log back so the user's profile could be refreshed with the new group enrollment.

View solution in original post

michaelba · ‎02-05-2017

We found the issue:

In Active Directory, the group splunkadmin needs to be a Global group type.
Logoff the machine and log back so the user's profile could be refreshed with the new group enrollment.

richgalloway · ‎02-05-2017

If your problem is resolved, please accept the answer.

---
If this reply helps you, Karma would be appreciated.

No valid splunk role found in local mapping? (AD FS, SAML, SSO)

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?