Security

Why does SAML response not contain group information?

sadpan
New Member

Hi,
I am trying to set up SAML for a Splunk Enterprise instance in my local environment using Okta.

I am getting the below error from Splunk on successful login at Okta:

"Saml response does not contain group information"

I am using the "Splunk enterprise" app in Okta.

0 Karma

wyfwa4
Communicator

As with the previous answer, the key is to understand what is being sent, and you can use a tool which shows the SAML response. For example, I use the add-on "saml-tracer" in Firefox. You can then see what attributes are being sent back to Splunk from Okta.

The issue is likely to be one of two issues:

1) The user trying to log on is not assigned to a role. For example, you have added them to a group and the group is not assigned to a role. Ensure that you can confirm in your Okta IdP that the user is either added directly to the role or added to a group and the group is assigned to a role.

2) Splunk expects a very specific and case-sensitive attribute called "role" (note lower case). If your IdP sends this data in a different attribute name, possibly using the "Role" attribute (note upper case R), then you need to modify the mapping in Splunk to map the "Role" attribute to the "role" attribute.

See below for the relevant section from the "authentication.conf" spec:

[authenticationResponseAttrMap_SAML]
* Splunk expects email, real name and roles to be returned as SAML
  Attributes in SAML assertion. This stanza can be used to map attribute names
  to what Splunk expects. These are optional settings and are only needed for
  certain IDPs.

role = <string>
* OPTIONAL
* Attribute name to be used as role in SAML Assertion.
* Default is "role"

integratorz
Path Finder

Have you tried looking at the SAML Response?

If not, depending on the browser you are using, you can get tools that will show you the SAML response and allow you to see what exactly is being passed.

If you are using Chrome, SAML tracer is a good tool.

https://chrome.google.com/webstore/detail/saml-tracer

0 Karma
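The check both answers describe, as an added example that is not part of the original posts or Splunk's own code: it decodes a captured SAMLResponse and reports whether the case-sensitive "role" attribute is present. It assumes the HTTP-POST binding (base64 XML) and an unencrypted assertion; the function names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def attributes_from_response(b64_response):
    """Return {attribute name: [values]} from a base64 SAMLResponse form value."""
    # Diagnostic use on a response you captured yourself; no signature validation.
    root = ET.fromstring(base64.b64decode(b64_response))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def diagnose_role(attrs, expected="role"):
    """Compare attribute names with the one Splunk looks for (case-sensitive)."""
    if expected in attrs:
        has_value = any(v for v in attrs[expected])
        return ("ok", expected) if has_value else ("empty", expected)
    for name in attrs:
        if name.lower() == expected.lower():
            return ("case_mismatch", name)   # e.g. IdP sends "Role"
    return ("missing", None)                 # no group/role attribute sent at all

# Constructed sample: an IdP that sends "Role" with an upper-case R.
SAMPLE_XML = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>splunk_admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    status, name = diagnose_role(attributes_from_response(SAMPLE_B64))
    if status == "case_mismatch":
        print(f'IdP sends "{name}"; under [authenticationResponseAttrMap_SAML] '
              f"set: role = {name}")
    elif status in ("missing", "empty"):
        print("No role values sent; check the user's group and role assignment.")
    else:
        print('"role" attribute present with values.')
```

A "missing" or "empty" result points at the first cause (no group or role assigned to the user), and "case_mismatch" points at the second (attribute name mapping).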