Security

SAML: If a user belongs to several groups in LDAP and they fit several mappings, do they inherit multiple roles in Splunk 6.5.0?

ofaura
Path Finder

What happens if a user belongs to several groups in the LDAP and then this user fits in several mappings, does this user inherit multiple roles? If not, is there any way getting that a user (with SAML in place) get several roles?

0 Karma
1 Solution

pgreer_splunk
Splunk Employee
Splunk Employee

As @hunters states, in LDAP yes, they can be part of multiple groups and if those multiple groups 'map' to multiple roles in Splunk the user will 'map' to multiple roles.

The subject of your question has 'SAML' and the tags include 'SAML' as well as 'PingFederate'. So, if you are asking about SAML, here's a little additional info:

In SAML, PingFederate (if configured as appropriate for SAML integration with Splunk on-prem or cloud) will send an XML assertion to Splunk with an attribute named 'role'. This 'role' attribute will contain a list of all LDAP groups that a user's account is within. In the SAML mappings setup in 6.5.0, you will then configure what role (or roles) the LDAP group maps to. If there are more than one 'group->role' mappings for the user's 'role' list, then once the user is authenticated in via SAML they will 'map' to multiple Splunk roles.

For more information on configuring Ping for SAML (cloud specific but nearly identical for on-prem), see the blog:

Ping SAML Blog

View solution in original post

0 Karma

pgreer_splunk
Splunk Employee
Splunk Employee

As @hunters states, in LDAP yes, they can be part of multiple groups and if those multiple groups 'map' to multiple roles in Splunk the user will 'map' to multiple roles.

The subject of your question has 'SAML' and the tags include 'SAML' as well as 'PingFederate'. So, if you are asking about SAML, here's a little additional info:

In SAML, PingFederate (if configured as appropriate for SAML integration with Splunk on-prem or cloud) will send an XML assertion to Splunk with an attribute named 'role'. This 'role' attribute will contain a list of all LDAP groups that a user's account is within. In the SAML mappings setup in 6.5.0, you will then configure what role (or roles) the LDAP group maps to. If there are more than one 'group->role' mappings for the user's 'role' list, then once the user is authenticated in via SAML they will 'map' to multiple Splunk roles.

For more information on configuring Ping for SAML (cloud specific but nearly identical for on-prem), see the blog:

Ping SAML Blog

0 Karma

ofaura
Path Finder

Thanks for the clarification, my question was regarding SAML. I will check our PingFederate setup to get this working!

0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Yes, ofaura, if a user belongs to several l LDAP groups, the user also assumes to the corresponding mapped Splunk roles of these groups.
Note that you can also map more than one role to an LDAP group, and not all groups must be mapped.
Mappings can be checked at any time. The LDAP server is rechecked each time a user logs into Splunk.

Hope it helps. Thanks!
Hunter

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...