Hi all,
We are trying to configure Splunk on premise (7.3.6) to work with SAML and ADFS, but we are stuck with some errors.
With signedAssertion = false we see in the internal logs:
ERROR Saml - Failed to parse issuer. Could not evaluate xpath expression //saml:Assertion/saml:Issuer or no matching nodes found. No value found in SamlResponse for key=//saml:Assertion/saml:Issuer
With signedAssertion = true:
ERROR UiSAML - Verification of SAML assertion using the IDP's certificate provided failed. Error: start node xmlSecNodeSignature not found in document
Any suggestions?
We solved our problem by following Splunk support suggestion to remove encryption from ADFS as specified in chapter 13 of this guide:
https://www.splunk.com/en_us/blog/tips-and-tricks/configuring-microsofts-adfs-splunk-cloud.html
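An added example, not part of the original posts and not Splunk's code: a small check you can run on a captured SAMLResponse form value to see whether the IdP is sending an encrypted assertion. It assumes the two errors in the question come from ADFS wrapping the assertion in saml:EncryptedAssertion, which leaves neither //saml:Assertion/saml:Issuer nor a ds:Signature node visible. The function names and both sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_saml_response(b64_response):
    """Report which elements a base64 SAMLResponse (HTTP-POST binding) exposes."""
    root = ET.fromstring(base64.b64decode(b64_response))

    def has(path):
        return root.find(path, NS) is not None

    return {
        "encrypted_assertion": has(".//saml:EncryptedAssertion"),
        "assertion_issuer": has(".//saml:Assertion/saml:Issuer"),
        "assertion_signature": has(".//saml:Assertion/ds:Signature"),
        "response_signature": has("./ds:Signature"),
    }

def diagnose(report):
    """Map the findings to the two splunkd errors quoted in the question."""
    hints = []
    if report["encrypted_assertion"] and not report["assertion_issuer"]:
        hints.append("assertion is encrypted: //saml:Assertion/saml:Issuer cannot match")
    if not (report["assertion_signature"] or report["response_signature"]):
        hints.append("no ds:Signature visible: signature verification has no start node")
    return hints

# Constructed samples (not captured from a real IdP); ciphertext and signature are stubs.
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
         'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
         '<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>')
ENCRYPTED = base64.b64encode((_HEAD +
    '<saml:EncryptedAssertion><xenc:EncryptedData/></saml:EncryptedAssertion>'
    '</samlp:Response>').encode())
PLAIN = base64.b64encode((_HEAD +
    '<saml:Assertion><saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>'
    '<ds:Signature/></saml:Assertion></samlp:Response>').encode())

if __name__ == "__main__":
    for name, sample in (("encrypted", ENCRYPTED), ("plain", PLAIN)):
        print(name, diagnose(inspect_saml_response(sample)))
```

The SAMLResponse value can be copied from the POST to the Splunk ACS endpoint in the browser's network tools; treat it as sensitive, since an unencrypted response carries the user's claims.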
Had the same error message with an ADFS server with encryption, and in my case this worked; don't know if it is correct.
I added the encrypted private key to signAuthnRequest certificate, which is this authentication.conf parameter:
[saml]
clientCert = cert_and_encrypted_private_key.pem
The password of the encrypted private key was configured in the sslPassword parameter of the same stanza:
sslPassword =
Now this parameter could be set to true:
signAuthnRequest = true
and reloaded authentication to let the sslPassword be hashed.
Worked for me.