Security

Problem with SSO SAML (Splunk 6.5)

Explorer

Splunk issues the HTTP POST to our IdP with the auth request.
On the browser we log in to our IdP successfully, submit the form and then get an HTTP POST back to Splunk with the Auth Msg/Response.
The Splunk main/splash page then appears (but without the login/password prompts) and displays a "No arguments found" message.
The splunkd.log file shows a similar message.
Haven't seen any info on this message on the boards, but maybe it's something basic. Any thoughts on what this might mean?
Thanks!


Splunk Employee

Integration with SAML IdPs is vastly improved in 6.5. One seldom has to modify the authentication.conf file directly if the integration is performed correctly for the IdP through the SAML configuration UI.

There are many more IdPs that we've integrated with since 6.5. In 6.4 we only "supported" Okta, Ping, ADFS and Azure. There are blogs for each of those four that step you through how to perform the integration, specific to each IdP, in 6.4: ADFS integration here, Okta integration here, Ping integration here and Azure integration here.

Most likely one of those would get you what you need for whichever IdP you're trying to integrate with now. NOTE: In addition to those four, we have customers (in Splunk Cloud) that have integrated with Google, OneLogin, IBM Tivoli Identity Manager, SecureAuth, CA Siteminder and many others, and most likely many of those and others by on-prem customers. There is a team within our support organization that is well schooled on SAML integrations and is ready and willing to help you with your setup.

I suggest you open a support ticket with Splunk, note the SAML IdP you're integrating with, and you'll get all the support you need. If it's an IdP we've not integrated with in the past, the support team will work with you to get it up and running so we'll have the internal knowledge to know how to get it working for the next customer.

Engager

Does this SAML support team still exist at Splunk?


Builder

Use this browser plugin to trace your SAML exchange:
https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

What does the response from the IdP look like?


Explorer

Thanks. See the IdP response below (exported from SAML tracer).

Instead of "role", "realName" and "mail", which I believe Splunk expects, the IdP returns "Groups", "FederationKey" and "Email" in the response.
I believe I need to map these to role, realName and mail in the SAML config, which I did try, but the same "No arguments found" error resulted. Thinking it's probably something basic at this point...

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_37173e23-c4d4-46d6-85c5-0786e1d651f0"
                Version="2.0"
                IssueInstant="2017-02-10T16:53:10Z"
                Destination="http://www.test.com:8000//saml/acs"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                >
    <saml:Issuer>www.auth.test.com</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#_37173e23-c4d4-46d6-85c5-0786e1d651f0">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>FrMXOU9JKV2KMVT70BhsZMBm330=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue> removed signature here==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate> removed cert here...</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion Version="2.0"
                    ID="_a4f4ebeb-42d4-47aa-9290-7ddbf2d39884"
                    IssueInstant="2017-02-10T16:53:10Z"
                    >
        <saml:Issuer>www.auth.test.com</saml:Issuer>
        <saml:Subject>
            <saml:NameID NameQualifier="www.auth.test.com">chrism@test.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2017-02-10T16:58:10Z"
                                              Recipient="http://www.test.com:8000//saml/acs"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2017-02-10T16:48:10Z"
                         NotOnOrAfter="2017-02-10T16:58:10Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>http://www.test.com:8000//saml/acs</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2017-02-10T16:53:10Z"
                             SessionIndex="1885244480"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="FederationKey"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            FriendlyName="header"
                            >
                <saml:AttributeValue xmlns:q1="http://www.w3.org/2001/XMLSchema"
                                     p7:type="q1:string"
                                     xmlns:p7="http://www.w3.org/2001/XMLSchema-instance"
                                     >chrism@test.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Groups"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:q2="http://www.w3.org/2001/XMLSchema"
                                     p7:type="q2:string"
                                     xmlns:p7="http://www.w3.org/2001/XMLSchema-instance"
                                     >&quot;HRUserGroup&quot;,&quot;TEST_EMP&quot;,&quot;TEST_MGR&quot;</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="FirstName"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:q3="http://www.w3.org/2001/XMLSchema"
                                     p7:type="q3:string"
                                     xmlns:p7="http://www.w3.org/2001/XMLSchema-instance"
                                     >CHRISTOPHER</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Email"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xmlns:q4="http://www.w3.org/2001/XMLSchema"
                                     p7:type="q4:string"
                                     xmlns:p7="http://www.w3.org/2001/XMLSchema-instance"
                                     >chrism@test.com</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

Builder

Ok, so you'll need to tell Splunk how to map your SAML roles. You'll need the following in your authentication.conf:

[authenticationResponseAttrMap_SAML]
mail = Email
realName = FirstName
role = Groups


Explorer

Thanks, but still no luck. Same error in the logs (splunkd.log):

"ERROR UiSAML - no arguments found."


Builder

Please post your authentication.conf.


Explorer

[authentication]
authSettings = saml
authType = SAML

[roleMap_SAML]
admin = admin;mgr

[saml]
entityId = www.auth.test.com
fqdn = http://www.test.com
idpCertPath = idpCert.pem
idpSLOUrl = https://www.auth.test.com/usersvcs/cspsaml/ssologout.aspx?service=astrasplunk&servicetype=stage
idpSSOUrl = https://www.auth.test.com/usersvcs/cspsaml/?service=astrasplunk&servicetype=stage
issuerId = www.auth.test.com (also tried removing this, no difference)
nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
redirectPort = 8000
signAuthnRequest = false
signatureAlgorithm = RSA-SHA1
signedAssertion = false
sloBinding = HTTPPost
sslKeysfile = /opt/splunk/etc/auth/server.pem
sslKeysfilePassword = $1$h/QE0gGYmEQv
ssoBinding = HTTPPost

[authenticationResponseAttrMap_SAML]
mail = Email
realName = FederationKey ( this attribute maps to email address, also tried FirstName, no change)
role = Groups

Builder

I suggest you familiarize yourself with all the SAML bits in authentication.conf.

entityId = www.auth.test.com

This is supposed to be the entityId of your splunk instance, not your IdP

issuerId = www.auth.test.com

Where did you get this? It doesn't exist in authentication.conf. You can delete this line.

nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

<saml:NameID NameQualifier="www.auth.test.com">chrism@test.com</saml:NameID>

You're restricting the nameid format but the response doesn't include the format. Since this is an optional setting I'd remove this while troubleshooting. (You can add it back later if you wish once you confirm everything is working).

signatureAlgorithm = RSA-SHA1
signedAssertion = false

You can remove signatureAlgorithm. You're saying that the request should be signed SHA1 but you don't want requests signed???

Also:

  • the response you posted earlier contained "HRUserGroup","TEST_EMP","TEST_MGR" as the group but you don't have these defined in roleMap_SAML.
  • The IdP response you provided seems to have an extra "/" in the SP URLs, ie "http://www.test.com:8000//saml/acs"

Explorer

Thanks Suarezry.

I've tried most of the above with the same error result:
"ERROR - UiSAML No argument Found".
I will try to get the IdP response URL fixed (remove the extra "/").
What is the entityId of the Splunk instance?
Thanks!


Builder
I will try to get the IdP response URL fixed (remove the extra "/")

Take a look at the SP metadata file you gave to your IdP, it will have the typo there. Of course, the SP metadata file was generated from your splunk config so you'll need to find out where the typo in your config is.

What is the entityId of the Splunk instance ?

You can call it whatever you want. I typically set it to my splunk instance fqdn. So in this case I would set it to 'http://www.test.com'


Explorer

Thanks! Fixing the extra "/" solved the "no arguments" error 🙂
After working through some cert format issues, I'm getting further along.
Seeing a role mapping issue now: "No valid splunk role found in local mapping".


Builder

Yes, that's because of this problem:

the response you posted earlier contained "HRUserGroup","TEST_EMP","TEST_MGR" as the group but you don't have these defined in roleMap_SAML.

Explorer

Adding the appropriate group fixed the mapping problem! I was missing the quotes around HRUserGroup. I can now log in! Thanks for all the help.

One last question: since our SAML groups are not very specific at the moment, can I authorize based on existing configured Splunk users in the system instead?
So if only a local Splunk user called "chrism" was configured in Splunk, then only SAML user "chrism" can be authorized via SAML?

There is a stanza called [userToRoleMap_SAML] in authentication.conf, and it appears Splunk has automatically mapped SAML users to our "user" Splunk role.

[roleMap_SAML]
user = "hrusergroup"

[userToRoleMap_SAML]
chrism = user (all these users belong to "hrusergroup")
edwardh = user
stevea = user
..
(Seems Splunk is automatically adding users here?)

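The three things this thread ended up checking by hand (the doubled "//" in the SP URLs, whether the attribute map names attributes the IdP really sends, and whether a Groups token matches roleMap_SAML) can be checked against a SAML tracer export before touching Splunk. The script below is an added example, not Splunk's code or the thread's; the response is a constructed, signature-free cut-down of the one posted above, and the literal, case-insensitive group comparison (quotes included) is an assumption inferred from what worked in the thread, not Splunk's documented matching rule.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, signature-free cut-down of the IdP response shape posted in the thread,
# keeping the attribute names and the doubled "//" in the ACS URLs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  Destination="http://www.test.com:8000//saml/acs">
  <saml:Assertion Version="2.0"><saml:Subject>
    <saml:NameID>chrism@test.com</saml:NameID><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="http://www.test.com:8000//saml/acs"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>http://www.test.com:8000//saml/acs</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>chrism@test.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>CHRISTOPHER</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups"><saml:AttributeValue>"HRUserGroup","TEST_EMP","TEST_MGR"</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

# authenticationResponseAttrMap_SAML and roleMap_SAML as the thread ended up with them.
ATTR_MAP = {"mail": "Email", "realName": "FirstName", "role": "Groups"}
ROLE_MAP = {"admin": ["admin", "mgr"], "user": ['"hrusergroup"']}

def check_response(xml_text, expected_acs, attr_map=ATTR_MAP, role_map=ROLE_MAP):
    """Return (problems, roles): config-vs-response mismatches and the Splunk roles that map."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    problems = []
    # 1. Every SP URL in the response must equal the ACS URL Splunk listens on (catches "//").
    urls = {"Destination": root.get("Destination"),
            "Recipient": assertion.find(".//saml:SubjectConfirmationData", NS).get("Recipient"),
            "Audience": assertion.findtext(".//saml:Audience", namespaces=NS)}
    problems += [f"{k} {v!r} != ACS {expected_acs!r}" for k, v in urls.items() if v != expected_acs]
    # 2. Each IdP attribute named in the attribute map must actually be present.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.iterfind(".//saml:Attribute", NS)}
    problems += [f"attribute {v!r} (for {k}) missing" for k, v in attr_map.items() if v not in attrs]
    # 3. Split the comma-joined Groups value and match tokens literally (quotes kept) and
    #    case-insensitively; assumption mirroring what worked in the thread, not Splunk's rule.
    groups = {g.strip().lower() for g in (attrs.get(attr_map["role"]) or "").split(",") if g.strip()}
    roles = sorted(r for r, wanted in role_map.items() if groups & {w.lower() for w in wanted})
    if not roles:
        problems.append("No valid splunk role found in local mapping")
    return problems, roles
```

Run against the real ACS URL (single slash) the sample reports the three mismatched URLs; with an unquoted "hrusergroup" in the role map it reproduces the "No valid splunk role found in local mapping" failure.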