Security

SHC with SAML authentication - role update on existing group does not apply

Communicator

Hello,

I have a Search Head Cluster configured with SAML authentication (ADFS)...
For an existing SAML group (already granted some role), adding new roles using the GUI does not apply.

For instance, I have a user user1 who is a member of SAML group group1.
And I have several roles: app1, app2, app3.

I initially grant the user role app1... Looking at authentication.conf, I see:

[userToRoleMap_SAML]
user1@domain.com = app1

[roleMap_SAML]
app1 = group1

For this first test, access to app1 is ok for user1... Also I already noticed that the role group assignment has been copied to the user... Strange but so far, it does not create a real problem.

But then, if I edit the group role assignment again to add more roles, this time I get:

[userToRoleMap_SAML]
user1@domain.com = app1

[roleMap_SAML]
app1 = group1
app2 = group1
app3 = group1

roleMap_SAML is updated as expected, but this time, no copy-paste to the user section.
And the roles are never really granted to the user including after a rolling restart.
I checked the value of roles using "| rest splunk_server=local /services/authentication/current-context " and I only see the role defined by user mapping.

Why does the group mapping not work?

0 Karma
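An added example (not from the original post or from Splunk): a short Python script that parses the two authentication.conf stanzas shown above and computes the roles user1 should end up with (the userToRoleMap entry unioned with every roleMap role whose group list contains a group asserted by the IdP), then diffs that against what `| rest /services/authentication/current-context` reports. The list separators (';' between items, an optional '::' suffix in userToRoleMap values) are assumptions about the file format, not something the post states.

```python
"""Expected SAML roles from authentication.conf vs. roles actually granted."""
import configparser

# Constructed from the second snippet in the question above.
AUTHENTICATION_CONF = """
[userToRoleMap_SAML]
user1@domain.com = app1

[roleMap_SAML]
app1 = group1
app2 = group1
app3 = group1
"""


def _split(value):
    """Split a ';'-separated list; drop any '::realname::email' suffix (assumed format)."""
    head = value.split("::", 1)[0]
    return {item.strip() for item in head.split(";") if item.strip()}


def load_saml_maps(conf_text):
    """Return (user -> direct roles, role -> SAML groups) from the two stanzas."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: user and role names are compared as written
    cp.read_string(conf_text)
    user_roles, role_groups = {}, {}
    if cp.has_section("userToRoleMap_SAML"):
        user_roles = {u: _split(r) for u, r in cp["userToRoleMap_SAML"].items()}
    if cp.has_section("roleMap_SAML"):
        role_groups = {r: _split(g) for r, g in cp["roleMap_SAML"].items()}
    return user_roles, role_groups


def effective_roles(conf_text, user, asserted_groups):
    """Direct roles plus every role mapped to at least one asserted SAML group."""
    user_roles, role_groups = load_saml_maps(conf_text)
    roles = set(user_roles.get(user, set()))
    roles.update(r for r, g in role_groups.items() if g & set(asserted_groups))
    return sorted(roles)


def missing_roles(conf_text, user, asserted_groups, granted_roles):
    """Roles the config says the user should have but current-context does not show."""
    expected = effective_roles(conf_text, user, asserted_groups)
    return sorted(set(expected) - set(granted_roles))


if __name__ == "__main__":
    # current-context in the question showed only the userToRoleMap role.
    print(effective_roles(AUTHENTICATION_CONF, "user1@domain.com", ["group1"]))
    print(missing_roles(AUTHENTICATION_CONF, "user1@domain.com", ["group1"], ["app1"]))
```

A non-empty result from missing_roles means the on-disk mapping and the live session disagree, which is the symptom described above.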
1 Solution

Splunk Employee

You do need to do an Authentication Refresh under Settings > Authentication Method at the bottom.


Explorer

@sylbaea - I am struggling with setting up Splunk SHC to work with ADFS (all internal)... any chance you can share any info?

I have an F5 LB VIP (no SSL) - call this https://splunk:443 - that points to 3 SHC members (call these https://splunk1:8000, https://splunk2:8000, https://splunk3:8000).

Each of the Splunk cluster members has the same "ssl certificate" with CN = splunk (custom CA signed cert).

I am struggling to follow steps on https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/SAMLSHC .....

Any help would be great!

0 Karma


Communicator

Thanks! I missed that button... It does resolve my concern... This being said, I do not remember it being advised to use this button in the documentation... Maybe I missed it too.
Thanks a lot.

0 Karma

Communicator

You may want to put your comment as an answer.

0 Karma

Splunk Employee

Done. Please upvote for exposure. 🙂 (yay fake internet points!)

0 Karma

Path Finder

@brreeves
I am facing the same issue: after removing the user from the SAML portal, the user remains in authentication.conf, but he is not able to log in. How do I address this concern?

0 Karma

Splunk Employee

@sidhantbhayana if you remove them from the SAML IdP, they will no longer have access. Authentication.conf is what gets applied after they are approved by the IdP.

0 Karma

Builder

I need some clarification... Are you trying to log in through ADFS as user1, and your problem is that this user is not being given the app2 and app3 roles in Splunk?

0 Karma

Communicator

Yes, this is my problem.
In the meantime, I found old discussions here about the same problem. It was stated that we cannot have both SSO with SAML and role group remapping working... Does this limitation still exist?
In the same discussions, it was also suggested to create roles directly matching AD groups. I have not tried that yet, but ideally I would like to be able to maintain my own naming convention for roles in Splunk.

0 Karma

Builder

Ok, so your first step is to find out what role information ADFS is releasing to you to pass to Splunk. Use a browser plugin to trace your SAML messages:
https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

What is the role information in the ADFS assertion?

0 Karma

Splunk Employee

This would be good to confirm that it is returning the group we think it is (group1) so that we're sure it SHOULD be applying that role to user1.

0 Karma

Communicator

As explained above, this part works fine... the group list is properly communicated through the SAML answer (I did use a plugin similar to the one you suggest to confirm that)... My problem is with the next role update... For an unknown reason, it does not seem to be taken into account. And I am not sure what the constraints are (do we need to restart all the SHC members to refresh the role config? do we need impacted users to explicitly log out, etc.).

0 Karma

Builder

Ok...
If you have confirmed that ADFS is passing the correct role information with a browser plugin then your next step is to look at $SPLUNK_HOME/var/log/splunk/splunkd.log for any SAML related errors or warnings.

0 Karma

Splunk Employee

I do not believe that this limitation exists. What version are you running?

0 Karma

Communicator

6.5.3 (Windows)

Splunk Employee

Based on the configuration, as long as user1 is a member of group1, they should receive those permissions as well as their userToRoleMap permissions.

0 Karma