Security

Saml response does not contain group information

sadpan
New Member

Hi,
I am trying to set up SAML for a Splunk Enterprise instance in my local environment using Okta.

I am getting the below error from Splunk on successful login at Okta:

"Saml response does not contain group information"

I am using the "Splunk Enterprise" app in Okta.

0 Karma

wyfwa4
Communicator

As with the previous answer - the key is to understand what is being sent, and you can use a tool which shows the SAML response. For example, I use the add-on "saml-tracer" in Firefox. You can then see what attributes are being sent back to Splunk from Okta.

The issue is likely to be one of two issues

1) The user trying to log on is not assigned to a role. For example, you have added them to a group and the group is not assigned to a role. Ensure that you can confirm in your Okta IdP that the user is either added directly to the role or they are added to a group and the group is assigned to a role.

2) Splunk expects a very specific and case-sensitive attribute called "role" - note lower case. If your IdP sends this data in a different attribute name - possibly using the "Role" attribute (note upper case R) - then you need to modify the mapping in Splunk to map the "Role" attribute to the "role" attribute.

See below for the relevant section from the "authentication.conf" spec

[authenticationResponseAttrMap_SAML]
* Splunk expects email, real name and roles to be returned as SAML
  Attributes in SAML assertion. This stanza can be used to map attribute names
  to what Splunk expects. These are optional settings and are only needed for
  certain IDPs.

role = <string>
* OPTIONAL
* Attribute name to be used as role in SAML Assertion.
* Default is "role"

integratorz
Path Finder

Have you tried looking at the SAML Response?

If not, depending on the browser you are using, you can get tools that will show you the SAML response and allow you to see what exactly is being passed.

If you are using Chrome, SAML tracer is a good tool.

https://chrome.google.com/webstore/detail/saml-tracer

0 Karma
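
The check both answers describe, as an added example that is not part of the original thread or Splunk's own code: decode a captured `SAMLResponse` value (for instance copied from SAML tracer) and report whether the role attribute Splunk looks for is present under the exact name "role". It assumes an unencrypted assertion and the HTTP-POST binding; the sample response and the function names are constructed for illustration, and no signature is verified.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real Okta response): the IdP sends group
# membership under "Role" with an upper-case R.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Role"><saml:AttributeValue>splunk_admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def saml_attributes(b64_response):
    """Decode a base64 SAMLResponse and return {attribute name: [values]}."""
    root = ET.fromstring(base64.b64decode(b64_response))
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def diagnose_role(attrs, expected="role"):
    """Explain why Splunk would or would not find group information."""
    if attrs.get(expected):
        return "ok: '%s' carries %s" % (expected, attrs[expected])
    if expected in attrs:
        return "empty: '%s' has no values; check group assignment in the IdP" % expected
    near = [n for n in attrs if n.lower() == expected.lower()]
    if near:  # same name, different case: needs the attribute mapping
        return ("case mismatch: IdP sends '%s'; set 'role = %s' under "
                "[authenticationResponseAttrMap_SAML]" % (near[0], near[0]))
    return "missing: no role attribute among %s" % sorted(attrs)


if __name__ == "__main__":
    print(diagnose_role(saml_attributes(SAMPLE_B64)))
```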