Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SAML: If a user belongs to several groups in LDAP and they fit several mappings, do they inherit multiple roles in Splunk 6.5.0?

ofaura
Path Finder
‎01-10-2017 02:35 PM

What happens if a user belongs to several groups in the LDAP and then this user fits in several mappings, does this user inherit multiple roles? If not, is there any way getting that a user (with SAML in place) get several roles?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pgreer_splunk
Splunk Employee
Splunk Employee
‎01-12-2017 01:46 PM

As @hunters states, in LDAP yes, they can be part of multiple groups and if those multiple groups 'map' to multiple roles in Splunk the user will 'map' to multiple roles.

The subject of your question has 'SAML' and the tags include 'SAML' as well as 'PingFederate'. So, if you are asking about SAML, here's a little additional info:

In SAML, PingFederate (if configured as appropriate for SAML integration with Splunk on-prem or cloud) will send an XML assertion to Splunk with an attribute named 'role'. This 'role' attribute will contain a list of all LDAP groups that a user's account is within. In the SAML mappings setup in 6.5.0, you will then configure what role (or roles) the LDAP group maps to. If there are more than one 'group->role' mappings for the user's 'role' list, then once the user is authenticated in via SAML they will 'map' to multiple Splunk roles.

For more information on configuring Ping for SAML (cloud specific but nearly identical for on-prem), see the blog:

Ping SAML Blog

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

pgreer_splunk
Splunk Employee
Splunk Employee
‎01-12-2017 01:46 PM

As @hunters states, in LDAP yes, they can be part of multiple groups and if those multiple groups 'map' to multiple roles in Splunk the user will 'map' to multiple roles.

The subject of your question has 'SAML' and the tags include 'SAML' as well as 'PingFederate'. So, if you are asking about SAML, here's a little additional info:

In SAML, PingFederate (if configured as appropriate for SAML integration with Splunk on-prem or cloud) will send an XML assertion to Splunk with an attribute named 'role'. This 'role' attribute will contain a list of all LDAP groups that a user's account is within. In the SAML mappings setup in 6.5.0, you will then configure what role (or roles) the LDAP group maps to. If there are more than one 'group->role' mappings for the user's 'role' list, then once the user is authenticated in via SAML they will 'map' to multiple Splunk roles.

For more information on configuring Ping for SAML (cloud specific but nearly identical for on-prem), see the blog:

Ping SAML Blog

0 Karma
Reply
Solved! Jump to solution

ofaura
Path Finder
‎01-13-2017 01:34 AM

Thanks for the clarification, my question was regarding SAML. I will check our PingFederate setup to get this working!

0 Karma
Reply
Solved! Jump to solution

hunters_splunk
Splunk Employee
Splunk Employee
‎01-10-2017 03:32 PM

Yes, ofaura, if a user belongs to several l LDAP groups, the user also assumes to the corresponding mapped Splunk roles of these groups.
Note that you can also map more than one role to an LDAP group, and not all groups must be mapped.
Mappings can be checked at any time. The LDAP server is rechecked each time a user logs into Splunk.

Hope it helps. Thanks!
Hunter

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...