Security

Splunk 6.3.3 SAML SSO with OpenAM

New Member

I'm currently trying to implement SAML SSO in Splunk 6.3.3 through our IdP, OpenAM. We have a clustered search head deployment, so I've set up the same SAML configuration on each of the search heads. Going to the Splunk URL correctly redirects me to my IdP to authenticate, after which I'm returned to Splunk, but Splunk then gives me an error: "Failed to decode response from IDP Please provide diag for analysis." Looking at the SAML assertion, it looks like the attributes are all being passed properly. I have mail, role, and realName coming through with the correct values, and the role is mapped in Splunk.

Any help with this would be appreciated.

I'm seeing the SAML assertion in my IDP's logs as well as the browser using a SAML plugin. Here's a sample of the assertion.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2cbfb3124321dsa23b24083a863fefa5a5fb7" InResponseTo="ip-xx-xxx-x-xxx.example.com.2.CAC3A6AC-A13F-4B98-AC89-38F3B6AADAAB" Version="2.0" IssueInstant="2017-02-21T14:59:46Z" Destination="https://splunk.example.com/saml/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://openam.example.com:443/openam</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">
    </samlp:StatusCode>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s215basdfasde364c0a972c1fdba327cebe6ab461" IssueInstant="2017-02-21T14:59:46Z" Version="2.0">
    <saml:Issuer>https://openam.example.com:443/openam</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#s215basdfasdfsadf972c1fdba327cebe6ab461">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>rP6GNqHIasdfUPINw8SzaDxqh40pU=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
      DSFSDFSDFweqerqwer6tfZUzufv2cgdDd4TEYZ1HJyeiyUMTDE9mXx2HOQvJ34NGN9bS1p7ObuER
      Zsy6lFa4lg68SDvXUHy7Y0fc4qMldskzxcvasd209adsf0jl2kl323p0R54eFQiAYhmEvYZa
      z2JkXS1NGiMhVexDrsE=
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
          aqwerDSSFJKasdfasdheqkeewoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
          bGllkddddddddddddddddddddddddddddddddddddddwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
          ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOsdafcahassdfdfdfwwerTM5WjBnMQsw
          CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
          BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
          AQEFAAOBjQAwgYkCgYasdfadsfasdfsatKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0ENshU5vOf+
          RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
          Js0Vo5+IgjxuEWnjnnVgHqqweryL8CAwEAATANBgkqhkiG9w0BAQshdfgklafqQFAAOBgQB3Pw/U
          QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfuhassYoAdiDA
          cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhabxcvzcxvJDC
          /Ffwasdfasdfasdf
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://openam.example.com:443/openam" SPNameQualifier="https://splunk-jr.example.com">IuETZqdtV/M/SSKkmTjan2DbI+y7</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="ip-xx-xxx-x-xxx.example.com.2.CAC3A6AC-A13F-4B98-AC89-38F3B6AADAAB" NotOnOrAfter="2017-02-21T15:09:46Z" Recipient="https://splunk-jr.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-02-21T14:49:46Z" NotOnOrAfter="2017-02-21T15:09:46Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://splunk-jr.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2017-02-21T14:59:46Z" SessionIndex="s29a35edf1eff225e647507eb4dcb107a03bd90203">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myemail@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="role">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SPK-AdminRole</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="realName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myuid</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
0 Karma

Splunk Employee

The only supported Identity Providers prior to 6.5 were:

  • Ping Identity
  • Okta
  • Azure AD
  • ADFS

http://docs.splunk.com/Documentation/Splunk/6.4.6/Security/HowSAMLSSOworks

6.5.x introduced support for SAML 2.0. Any IdP (Identity Provider) that can generate a SAML 2.0 compliant SAML response can now be used with Splunk, and we'll be glad to assist.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/HowSAMLSSOworks

Builder

How are you seeing the SAML assertion? Please post a sample.

0 Karma

New Member

I edited the question to include SAML response.

0 Karma

Builder

I don't see any problems with the assertion.

My best guess is you'd see this error if the SAML certs are different between two search heads. One sends the request but the IdP assertion goes to a different one. Can you generate the SP metadata from each search head and compare? Confirm that the SP metadata is the same across all the search heads.

0 Karma

New Member

The certs are in fact different, so I'll have to make changes for that; thanks for pointing that out. For now, for debugging, I stopped two of the instances so that it only redirects me to the instance whose metadata I imported into my IdP. I've also disabled authn request and assertion signing, and I'm still getting the same error.

This is the error I'm seeing in splunkd.log.

02-21-2017 13:09:33.282 -0500 INFO  Saml - AuthNRequests will not be signed.
02-21-2017 13:09:34.236 -0500 WARN  UiSAML - SAML - Failed to decode=[PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6\r\ncHJvdG9jb2wiIElEPSJzMmQzODExZGU5MDJjMTIzM2UxYTE5Njc2NzdiMmE2NTdhMmIzN2YwNjgi\r\nIEluUmVzcG9uc2VUbz0iaXAtMTAtMTc2LTEtMjM3LmhlbGl4LmdzYS5nb3YuMTIuMzA0OUIyODEt\r\nM0M0Ny00N0M0LUFFRTUtRUUwODlEQzdEQTdBIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0i\r\nMjAxNy0wMi0yMV ...... ] from IDP.
0 Karma
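The splunkd.log line above shows what Splunk is trying to decode: the base64 SAMLResponse as OpenAM emits it, with literal "\r\n" line breaks every 76 characters. The following is an added example (not code from the original thread, Splunk or OpenAM) that decodes such a payload and then runs the SP-side acceptance checks any SAML SP applies to the posted assertion: status, InResponseTo, Destination, Recipient, the NotBefore/NotOnOrAfter window and the Audience. It does not verify the XML signature (that needs an xmlsec library and the IdP certificate, which is what Splunk's idpCertPath is for). The sample response is constructed from the assertion in the question with the signature removed; the hostnames, IDs and timestamps are the question's. Run as-is it reports that Destination is on splunk.example.com while Recipient and Audience are on splunk-jr.example.com, which is exactly the kind of per-search-head mismatch the SP metadata comparison suggested above would surface (whether that is a redaction artefact or real, only the poster can say).

```python
"""Added example: decode a base64 SAMLResponse as logged by splunkd and apply
the standard SP-side checks. Sample data constructed from the question."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SAMPLE_REQUEST_ID = "ip-xx-xxx-x-xxx.example.com.2.CAC3A6AC-A13F-4B98-AC89-38F3B6AADAAB"
SAMPLE_ISSUE_INSTANT = datetime(2017, 2, 21, 14, 59, 46, tzinfo=timezone.utc)

# Constructed sample: the posted response trimmed to the elements checked here.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" ID="s2cbfb3124321dsa23b24083a863fefa5a5fb7" InResponseTo="{SAMPLE_REQUEST_ID}" Version="2.0" IssueInstant="2017-02-21T14:59:46Z" Destination="https://splunk.example.com/saml/acs">
  <saml:Issuer xmlns:saml="{NS['saml']}">https://openam.example.com:443/openam</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion xmlns:saml="{NS['saml']}" ID="s215basdfasde364c0a972c1fdba327cebe6ab461" IssueInstant="2017-02-21T14:59:46Z" Version="2.0">
    <saml:Issuer>https://openam.example.com:443/openam</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">IuETZqdtV/M/SSKkmTjan2DbI+y7</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{SAMPLE_REQUEST_ID}" NotOnOrAfter="2017-02-21T15:09:46Z" Recipient="https://splunk-jr.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-02-21T14:49:46Z" NotOnOrAfter="2017-02-21T15:09:46Z">
      <saml:AudienceRestriction><saml:Audience>https://splunk-jr.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>SPK-AdminRole</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_like_openam(xml_text: str) -> str:
    """Base64 broken into 76-char lines joined by CRLF, as in the splunkd.log excerpt."""
    raw = base64.b64encode(xml_text.encode()).decode()
    return "\r\n".join(raw[i:i + 76] for i in range(0, len(raw), 76))


def decode_saml_response(b64: str) -> ET.Element:
    """b64decode with the default validate=False silently drops the CR/LF
    characters; a strict decoder would reject this payload outright."""
    return ET.fromstring(base64.b64decode(b64))


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(root, sp_entity_id, acs_url, expected_request_id, now,
                      skew=timedelta(seconds=60)):
    """Return the list of failed checks; an empty list means the assertion is
    acceptable (signature verification is deliberately out of scope here)."""
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("in_response_to")          # not a reply to our AuthnRequest
    if root.get("Destination") not in (None, acs_url):
        problems.append("destination")             # response addressed to another SP endpoint
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append("assertion_count")
        return problems
    a = assertions[0]
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("subject_confirmation")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("recipient")           # bearer assertion meant for another ACS
        if scd.get("InResponseTo") != expected_request_id:
            problems.append("scd_in_response_to")
        if now - skew >= _ts(scd.get("NotOnOrAfter")):
            problems.append("subject_expired")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("conditions")
    else:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("not_yet_valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("audience")            # entityId is not an intended audience
    return problems


def roles(assertion) -> list:
    """The values Splunk would feed into [rolemap_SAML]."""
    return [v.text for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)]


def check_sample(sp_host, minutes_after_issue=0, request_id=SAMPLE_REQUEST_ID):
    """Validate the constructed sample as if this search head were https://<sp_host>."""
    root = decode_saml_response(encode_like_openam(SAMPLE_XML))
    now = SAMPLE_ISSUE_INSTANT + timedelta(minutes=minutes_after_issue)
    return validate_response(root, f"https://{sp_host}", f"https://{sp_host}/saml/acs", request_id, now)


if __name__ == "__main__":
    for host in ("splunk.example.com", "splunk-jr.example.com"):
        print(host, "->", check_sample(host) or "accepted")
```

Each failed check is returned as a short tag rather than raised, so the same function can be pointed at a captured response from the browser SAML plugin and the whole list of discrepancies read off at once; a real SP stops at the first one.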

Builder

Post the authentication.conf from this search head.

0 Karma

New Member

[authentication]
authSettings = saml
authType = SAML

[rolemap_SAML]
admin = SPK-AdminRole

[saml]
allowSslCompression = true
attributeQueryRequestSigned = false
attributeQueryResponseSigned = false
attributeQuerySoapPassword = $1$lcTpy+ipR2ra
attributeQuerySoapUsername = ackunkel
attributeQueryTTL = 3600
caCertFile = /opt/splunk/etc/auth/server.pem
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = https://splunk.example.com
fqdn = https://splunk.example.com
idpAttributeQueryUrl = https://openam.example.com:443/openam/ArtifactResolver/metaAlias/idp
idpCertPath = /opt/splunk/etc/system/local/openam_pub.crt
idpSSOUrl = https://openam.example.com:443/openam/SSORedirect/metaAlias/idp
redirectAfterLogoutToUrl = https://internal.example.com
redirectPort = 0
signAuthnRequest = false
signedAssertion = false
sslKeysfile = /opt/splunk/etc/auth/server.pem
sslKeysfilePassword = $1$lcTpy+ipR2ra
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2
0 Karma

Builder

signedAssertion = [true|false]
* OPTIONAL
* This tells Splunk if the SAML assertion has been signed by the IDP
* If set to false, Splunk will not verify the signature of the assertion
  using the certificate of the IDP.
* Currently, we accept only signed assertions.
* Defaults to true.

I am unclear whether "* Currently, we accept only signed assertions." means that Splunk will always try to verify the signature. Anyway, my working config has "signedAssertion = true".

idpCertPath = /opt/splunk/etc/system/local/openam_pub.crt

idpCertPath = <Pathname>
* This value is relative to $SPLUNK_HOME/etc/auth/idpCerts.
* If it is empty, Splunk will automatically verify with certificates in all subdirectories present in $SPLUNK_HOME/etc/auth/idpCerts.

I think this is part of your problem: it's looking for your IdP cert in $SPLUNK_HOME/etc/auth/idpCerts/opt/splunk/etc/system/local/openam_pub.crt. Change this config to "idpCertPath = openam_pub.crt" and put the cert in $SPLUNK_HOME/etc/auth/idpCerts/openam_pub.crt. Also change to "signedAssertion = true".

0 Karma

New Member

Getting the same error. By working config, do you mean with OpenAM, or another IdP?

0 Karma

Builder

I use a different IdP. I'm not sure what the problem is then. Perhaps you should engage support. Please post the fix if you determine the cause, I'd be interested to know. Thanks.

0 Karma

New Member

I'm talking to support now. Thanks for the help. I'll keep it updated.

0 Karma

Path Finder

Were you ever able to get OpenAM support working? My org is about to start this process.

0 Karma

New Member

I wasn't able to get it working with the built-in SAML functionality, but I was able to get it working with an Apache reverse proxy setup, similar to https://www.splunk.com/blog/2013/03/28/splunkweb-sso-samlv2/.

0 Karma