Security
Highlighted

Problem with SAML authentication after updating to Splunk 7.0.0

Path Finder

I have upgraded to Splunk 7.0.0, and I am encountering with "Verification of SAML assertion using the IDP's certificate provided failed. Error: Failed to verify signature with cert :S:\Splunk\etc\auth\idpCerts\idpCert.pem;" error. My earlier version with 6.6.3 was stable

0 Karma
Highlighted

Re: Problem with SAML authentication after updating to Splunk 7.0.0

Splunk Employee
Splunk Employee

Hello Could you please see if

  1. The signing certificate that IdP uses has not expired, if it has please use a new certificate for signing and export new IdpMetadata and reimport that metadata into splunk.
  2. If you are using certificate chains, like root CA -> intermediate CA -> (any level of intermediate CAs) -> signing cert. Ensure that under folder $SPLUNKHOME/etc/auth/idpCerts there is a folder called idpCertChain1 and there are all the files of intermediate CAs and your signing certificate. Also ensure that under $SPLUNK_HOME/etc/auth/idpCerts there are no pem files directly under it.

Let me know how it goes. Also if this does not solve your problem would it be possible to list the files and directories directly under $SPLUNK_HOME/etc/auth/idpCerts . You dont have to paste the contents of the file, just the file names themselves should be sufficient.

Highlighted

Re: Problem with SAML authentication after updating to Splunk 7.0.0

Engager

I was also experiencing this issue after upgrading from Splunk 6.5.0 to 7.0.0. I did have cert1.pem and cert2.pem files sitting in $SPLUNKHOME/etc/auth/idpCerts prior to and after the upgrade. It seems that when the MSI runs an in place upgrade it may not be able to account for the new idpCertChain1 storage location. Simply moving the files to this location did not correct the problem. It wasn't until I worked with support and went through the whole process of setting up SAML again that the issue was corrected by putting the root CA cert and the AD FS token signing cert in the IdP certificate chains free text box of the SAML configuration page. Once we did this, Splunk rebuilt the cert1.pem and cert2.pem files inside of the new $SPLUNKHOME/etc/auth/idpCerts/idpCertChain1 folder and it started working correctly.