Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SAML: If a user belongs to several groups in LDAP and they fit several mappings, do they inherit multiple roles in Splunk 6.5.0?

ofaura
Path Finder
‎01-10-2017 02:35 PM

What happens if a user belongs to several groups in the LDAP and then this user fits in several mappings, does this user inherit multiple roles? If not, is there any way getting that a user (with SAML in place) get several roles?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pgreer_splunk
Splunk Employee
Splunk Employee
‎01-12-2017 01:46 PM

As @hunters states, in LDAP yes, they can be part of multiple groups and if those multiple groups 'map' to multiple roles in Splunk the user will 'map' to multiple roles.

The subject of your question has 'SAML' and the tags include 'SAML' as well as 'PingFederate'. So, if you are asking about SAML, here's a little additional info:

In SAML, PingFederate (if configured as appropriate for SAML integration with Splunk on-prem or cloud) will send an XML assertion to Splunk with an attribute named 'role'. This 'role' attribute will contain a list of all LDAP groups that a user's account is within. In the SAML mappings setup in 6.5.0, you will then configure what role (or roles) the LDAP group maps to. If there are more than one 'group->role' mappings for the user's 'role' list, then once the user is authenticated in via SAML they will 'map' to multiple Splunk roles.

For more information on configuring Ping for SAML (cloud specific but nearly identical for on-prem), see the blog:

Ping SAML Blog

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

pgreer_splunk
Splunk Employee
Splunk Employee
‎01-12-2017 01:46 PM

As @hunters states, in LDAP yes, they can be part of multiple groups and if those multiple groups 'map' to multiple roles in Splunk the user will 'map' to multiple roles.

The subject of your question has 'SAML' and the tags include 'SAML' as well as 'PingFederate'. So, if you are asking about SAML, here's a little additional info:

In SAML, PingFederate (if configured as appropriate for SAML integration with Splunk on-prem or cloud) will send an XML assertion to Splunk with an attribute named 'role'. This 'role' attribute will contain a list of all LDAP groups that a user's account is within. In the SAML mappings setup in 6.5.0, you will then configure what role (or roles) the LDAP group maps to. If there are more than one 'group->role' mappings for the user's 'role' list, then once the user is authenticated in via SAML they will 'map' to multiple Splunk roles.

For more information on configuring Ping for SAML (cloud specific but nearly identical for on-prem), see the blog:

Ping SAML Blog

0 Karma
Reply
Solved! Jump to solution

ofaura
Path Finder
‎01-13-2017 01:34 AM

Thanks for the clarification, my question was regarding SAML. I will check our PingFederate setup to get this working!

0 Karma
Reply
Solved! Jump to solution

hunters_splunk
Splunk Employee
Splunk Employee
‎01-10-2017 03:32 PM

Yes, ofaura, if a user belongs to several l LDAP groups, the user also assumes to the corresponding mapped Splunk roles of these groups.
Note that you can also map more than one role to an LDAP group, and not all groups must be mapped.
Mappings can be checked at any time. The LDAP server is rechecked each time a user logs into Splunk.

Hope it helps. Thanks!
Hunter

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...