Security

SAML: If a user belongs to several groups in LDAP and they fit several mappings, do they inherit multiple roles in Splunk 6.5.0?

ofaura
Path Finder

What happens if a user belongs to several groups in the LDAP and then this user fits in several mappings, does this user inherit multiple roles? If not, is there any way getting that a user (with SAML in place) get several roles?

0 Karma
1 Solution

pgreer_splunk
Splunk Employee
Splunk Employee

As @hunters states, in LDAP yes, they can be part of multiple groups and if those multiple groups 'map' to multiple roles in Splunk the user will 'map' to multiple roles.

The subject of your question has 'SAML' and the tags include 'SAML' as well as 'PingFederate'. So, if you are asking about SAML, here's a little additional info:

In SAML, PingFederate (if configured as appropriate for SAML integration with Splunk on-prem or cloud) will send an XML assertion to Splunk with an attribute named 'role'. This 'role' attribute will contain a list of all LDAP groups that a user's account is within. In the SAML mappings setup in 6.5.0, you will then configure what role (or roles) the LDAP group maps to. If there are more than one 'group->role' mappings for the user's 'role' list, then once the user is authenticated in via SAML they will 'map' to multiple Splunk roles.

For more information on configuring Ping for SAML (cloud specific but nearly identical for on-prem), see the blog:

Ping SAML Blog

View solution in original post

0 Karma

pgreer_splunk
Splunk Employee
Splunk Employee

As @hunters states, in LDAP yes, they can be part of multiple groups and if those multiple groups 'map' to multiple roles in Splunk the user will 'map' to multiple roles.

The subject of your question has 'SAML' and the tags include 'SAML' as well as 'PingFederate'. So, if you are asking about SAML, here's a little additional info:

In SAML, PingFederate (if configured as appropriate for SAML integration with Splunk on-prem or cloud) will send an XML assertion to Splunk with an attribute named 'role'. This 'role' attribute will contain a list of all LDAP groups that a user's account is within. In the SAML mappings setup in 6.5.0, you will then configure what role (or roles) the LDAP group maps to. If there are more than one 'group->role' mappings for the user's 'role' list, then once the user is authenticated in via SAML they will 'map' to multiple Splunk roles.

For more information on configuring Ping for SAML (cloud specific but nearly identical for on-prem), see the blog:

Ping SAML Blog

0 Karma

ofaura
Path Finder

Thanks for the clarification, my question was regarding SAML. I will check our PingFederate setup to get this working!

0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Yes, ofaura, if a user belongs to several l LDAP groups, the user also assumes to the corresponding mapped Splunk roles of these groups.
Note that you can also map more than one role to an LDAP group, and not all groups must be mapped.
Mappings can be checked at any time. The LDAP server is rechecked each time a user logs into Splunk.

Hope it helps. Thanks!
Hunter

0 Karma
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...