Security

SAML: If a user belongs to several groups in LDAP and they fit several mappings, do they inherit multiple roles in Splunk 6.5.0?

Path Finder

What happens if a user belongs to several groups in the LDAP and then this user fits in several mappings, does this user inherit multiple roles? If not, is there any way getting that a user (with SAML in place) get several roles?

0 Karma
1 Solution

Splunk Employee
Splunk Employee

As @hunters states, in LDAP yes, they can be part of multiple groups and if those multiple groups 'map' to multiple roles in Splunk the user will 'map' to multiple roles.

The subject of your question has 'SAML' and the tags include 'SAML' as well as 'PingFederate'. So, if you are asking about SAML, here's a little additional info:

In SAML, PingFederate (if configured as appropriate for SAML integration with Splunk on-prem or cloud) will send an XML assertion to Splunk with an attribute named 'role'. This 'role' attribute will contain a list of all LDAP groups that a user's account is within. In the SAML mappings setup in 6.5.0, you will then configure what role (or roles) the LDAP group maps to. If there are more than one 'group->role' mappings for the user's 'role' list, then once the user is authenticated in via SAML they will 'map' to multiple Splunk roles.

For more information on configuring Ping for SAML (cloud specific but nearly identical for on-prem), see the blog:

Ping SAML Blog

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

As @hunters states, in LDAP yes, they can be part of multiple groups and if those multiple groups 'map' to multiple roles in Splunk the user will 'map' to multiple roles.

The subject of your question has 'SAML' and the tags include 'SAML' as well as 'PingFederate'. So, if you are asking about SAML, here's a little additional info:

In SAML, PingFederate (if configured as appropriate for SAML integration with Splunk on-prem or cloud) will send an XML assertion to Splunk with an attribute named 'role'. This 'role' attribute will contain a list of all LDAP groups that a user's account is within. In the SAML mappings setup in 6.5.0, you will then configure what role (or roles) the LDAP group maps to. If there are more than one 'group->role' mappings for the user's 'role' list, then once the user is authenticated in via SAML they will 'map' to multiple Splunk roles.

For more information on configuring Ping for SAML (cloud specific but nearly identical for on-prem), see the blog:

Ping SAML Blog

View solution in original post

0 Karma

Path Finder

Thanks for the clarification, my question was regarding SAML. I will check our PingFederate setup to get this working!

0 Karma

Splunk Employee
Splunk Employee

Yes, ofaura, if a user belongs to several l LDAP groups, the user also assumes to the corresponding mapped Splunk roles of these groups.
Note that you can also map more than one role to an LDAP group, and not all groups must be mapped.
Mappings can be checked at any time. The LDAP server is rechecked each time a user logs into Splunk.

Hope it helps. Thanks!
Hunter

0 Karma