Security

Problem with SAML authentication after updating to Splunk 7.0.0

vidhyaArumalla
Path Finder

I have upgraded to Splunk 7.0.0, and I am encountering the error "Verification of SAML assertion using the IDP's certificate provided failed. Error: Failed to verify signature with cert :S:\Splunk\etc\auth\idpCerts\idpCert.pem;". My earlier version, 6.6.3, was stable.


alan_reagan
Engager

I was also experiencing this issue after upgrading from Splunk 6.5.0 to 7.0.0. I did have cert_1.pem and cert_2.pem files sitting in $SPLUNK_HOME/etc/auth/idpCerts prior to and after the upgrade. It seems that when the MSI runs an in-place upgrade, it may not be able to account for the new idpCertChain_1 storage location. Simply moving the files to this location did not correct the problem. It wasn't until I worked with support and went through the whole process of setting up SAML again that the issue was corrected, by putting the root CA cert and the AD FS token signing cert in the IdP certificate chains free text box of the SAML configuration page. Once we did this, Splunk rebuilt the cert_1.pem and cert_2.pem files inside of the new $SPLUNK_HOME/etc/auth/idpCerts/idpCertChain_1 folder and it started working correctly.

rdimri_splunk
Splunk Employee

Hello, could you please check the following:

  1. The signing certificate that the IdP uses has not expired. If it has, please use a new certificate for signing, export new IdpMetadata, and reimport that metadata into Splunk.
  2. If you are using certificate chains, like root CA -> intermediate CA -> (any level of intermediate CAs) -> signing cert, ensure that under the folder $SPLUNK_HOME/etc/auth/idpCerts there is a folder called idpCertChain_1 and that it contains all the files of the intermediate CAs and your signing certificate. Also ensure that there are no pem files directly under $SPLUNK_HOME/etc/auth/idpCerts.

Let me know how it goes. Also, if this does not solve your problem, would it be possible to list the files and directories directly under $SPLUNK_HOME/etc/auth/idpCerts? You don't have to paste the contents of the files; just the file names themselves should be sufficient.
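The checks in the reply above, for the certificate-chain case, can be scripted. This is an added example, not part of the thread and not Splunk's own code: it reports pem files left directly under idpCerts, missing or empty chain folders, and expired certificates. Matching any `idpCertChain_*` folder (the thread names only idpCertChain_1) and relying on an `openssl` binary on the PATH for the expiry check are assumptions.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

PEM_MARKER = "-----BEGIN CERTIFICATE-----"

def is_expired(pem):
    """True/False via `openssl x509 -checkend 0`; None if openssl is unavailable."""
    openssl = shutil.which("openssl")  # assumption: openssl is on the PATH
    if openssl is None:
        return None
    out = subprocess.run([openssl, "x509", "-checkend", "0", "-noout", "-in", str(pem)],
                         capture_output=True, text=True).stdout
    return "will expire" in out  # the non-expired message reads "will not expire"

def audit_idp_certs(idp_certs, check_expiry=True):
    """Return findings; an empty list means the layout matches the reply's advice."""
    idp_certs = Path(idp_certs)
    if not idp_certs.is_dir():
        return [f"{idp_certs} is not a directory"]
    # Chain setups: no pem files may sit directly under idpCerts.
    findings = [f"pem file directly under idpCerts: {p.name}"
                for p in sorted(idp_certs.glob("*.pem"))]
    chains = sorted(p for p in idp_certs.glob("idpCertChain_*") if p.is_dir())
    if not chains:
        findings.append("no idpCertChain_* folder")
    for chain in chains:
        pems = sorted(chain.glob("*.pem"))
        if not pems:
            findings.append(f"{chain.name} holds no pem files")
        for pem in pems:
            if PEM_MARKER not in pem.read_text(errors="replace"):
                findings.append(f"{chain.name}/{pem.name} is not a PEM certificate")
            elif check_expiry and is_expired(pem):
                findings.append(f"{chain.name}/{pem.name} has expired")
    return findings

if __name__ == "__main__":
    # Constructed layout resembling the post-upgrade state described in the thread:
    # cert_1.pem and cert_2.pem directly under idpCerts. Contents are placeholders.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "etc", "auth", "idpCerts")
        root.mkdir(parents=True)
        for name in ("cert_1.pem", "cert_2.pem"):
            (root / name).write_text(PEM_MARKER + "\n(constructed)\n")
        for finding in audit_idp_certs(root, check_expiry=False):
            print(finding)
```

On a real host, pass the path to `$SPLUNK_HOME/etc/auth/idpCerts` and leave `check_expiry` enabled.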
