I have a Search Head Cluster configured with SAML authentication (ADFS)...
For an existing SAML group (already granted with some role), adding new roles using GUI does not apply.
For instance I have a user user1 member of SAML group group1.
And I have several roles app1, app2, app3
I initially grant the user with role app1... Looking at authentication.conf, I see:
[userToRoleMap_SAML] firstname.lastname@example.org = app1 [roleMap_SAML] app1 = group1
For this first test, access to app1 is ok for user1... Also I already noticed that the role group assignment has been copied to the user... Strange but so far, it does not create a real problem.
But then if I edit again group role assignment to add more roles. This time, I get:
[userToRoleMap_SAML] email@example.com = app1 [roleMap_SAML] app1 = group1 app2 = group1 app3 = group1
roleMap_SAML is updated as expected, but this time, no copy-paste to the user section.
And the roles are never really granted to the user including after a rolling restart.
I checked the value of roles using "| rest splunk_server=local /services/authentication/current-context " and I only see the role defined by user mapping.
Why does the group mapping does not work ?
@sylbaea - I am strugging with setting up Splunk SHC to work with ADFS (all internal) ... any chance you can share any info?
Each of the splunk cluster members - have the same "ssl certificate" with CN = splunk (Custom CA signed cert)
I am struggling to follow steps on https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/SAMLSHC .....
Any help would be great!
Thanks ! I missed that button... It does resolve my concern... This being said, I do not remember it was advised to use this button in the documentation... Maybe I missed it too.
Thanks a lot.
I am facing the same issue, after removing the user from SAML portal, the user remains in the authentication.conf, however he is not able to login. How do I address this concern ?
@sidhantbhayana if you remove them from the SAML IdP, they will no longer have access. Authentication.conf is what gets applied after they are approved by the IdP.
yes, this is my problem.
In the meantime, I found old discussions here about same problem. It was stated that we cannot have both SSO with SAML and role group remapping working... Does this limitation still exist ?
In same discussions, it was also suggested to create roles directly matching AD groups. I have not tried that yet but ideally I would like to be able to maintain my own naming convention for roles in Splunk.
Ok, so your first step is to find out what role information ADFS releasing to you, to pass to splunk. Use a browser plugin to trace your saml messages:
What is the role information in the ADFS assertion?
As explained above, this part works fine... group list is properly communicated through SAML answer (I did use similar plugin to the one you suggest to confirm that)... My problem is for the next role update... For unknow reason, it does not look to be taken into account. And I am not sure what are the constraints (do we need to restart the all SHC members to refresh the role config ? do we need impacted users to explicitly logout, etc.)
If you have confirmed that ADFS is passing the correct role information with a browser plugin then your next step is to look at $SPLUNK_HOME/var/log/splunk/splunkd.log for any SAML related errors or warnings.
Based on the configuration, as long as user1 is a member of group1, they should receive those permissions as well as their userToRoleMap permissions.