Splunk SSO with PingFederate/SAML - works, but roles not being found

nvonkorff
Path Finder

SSO with Splunk and PingFederate works well in terms of authenticating, but I can only get it working if "defaultRoleIfMissing" is configured in authentication.conf.

If I remove that setting, Splunk does not allow the login and displays: "No valid Splunk role is found in the local mapping or in the assertion."

I have confirmed that the Splunk role to SAML group mapping is definitely configured correctly, trying through both the config files and the web UI, but neither seems to work.

I turned on debugging and got the below XML from the IdP response. What is strange is that the 'realName' and 'mail' attributes are being pulled correctly from the response, but not the 'role' section.

<saml:AttributeStatement>
  <saml:Attribute Name="realName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SplunkUser</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AllUsers</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Employee</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin2</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nick@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

Has anyone else experienced this issue? Any pointers?

0 Karma
1 Solution

hossyee
Engager

The roles need to be in DN format.
for example,
cn=User,dc=test,dc=local

davidpaper
Contributor

Can you elaborate on where this DN format for the role needs to live? Coming from the SAML side or in authentication.conf? A specific example showing what worked would be very useful. Thanks!

0 Karma

suarezry
Builder

Your Identity Provider needs to pass the role information with the correct DN format to Splunk.

0 Karma

suarezry
Builder

for example:

<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=AllUsers,dc=myfqdn,dc=ca</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=User,dc=myfqdn,dc=ca</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=Employee,dc=myfqdn,dc=ca</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=admin2,dc=myfqdn,dc=ca</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=admin,dc=myfqdn,dc=ca</saml:AttributeValue>
</saml:Attribute>

0 Karma
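As an added diagnostic to go with the answers above (this is not code from the thread, from Splunk, or from PingFederate): a small Python check that pulls the 'role' attribute values out of a debug-logged AttributeStatement, flags any value that is not in DN format, and resolves the cn of the DN-formatted ones against a group-to-role map shaped like an authentication.conf [roleMap_SAML] stanza. The sample assertion and the role map are constructed for the example; that Splunk matches the cn component against the semicolon-separated group list is an assumption and is labelled as such in the code.

```python
"""Check the 'role' attribute of a SAML AttributeStatement before blaming the
role map: are the values DNs, and does any cn resolve to a Splunk role?

Added example, not Splunk code.  Intended for assertions copied out of a
debug log; for parsing untrusted XML in production use defusedxml."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTRIBUTE = "{%s}Attribute" % SAML_NS
ATTRIBUTE_VALUE = "{%s}AttributeValue" % SAML_NS

# A value is treated as a DN if it starts with cn=<group> and is followed by
# one or more ",<type>=<value>" components (dc=, ou=, o= ...).  Escaped
# commas inside a value are not handled; that is fine for a diagnostic.
DN_RE = re.compile(r"^cn=([^,]+)(?:,[A-Za-z][A-Za-z0-9-]*=[^,]+)+$", re.IGNORECASE)

# Constructed sample: two DN-formatted values and one bare group name, the
# shape of the original poster's failing assertion.
SAMPLE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="realName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:string">SplunkUser</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:string">cn=AllUsers,dc=myfqdn,dc=ca</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">cn=admin,dc=myfqdn,dc=ca</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">Employee</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed role map in the shape of a [roleMap_SAML] stanza:
# Splunk role -> semicolon-separated IdP group names (placeholder names).
ROLE_MAP: Dict[str, str] = {
    "admin": "admin;admin2",
    "user": "AllUsers;Employee",
}


def role_values(statement_xml: str) -> List[str]:
    """Return the text of every AttributeValue under the Attribute named 'role'."""
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.iter(ATTRIBUTE):
        if attr.get("Name") != "role":
            continue
        for val in attr.iter(ATTRIBUTE_VALUE):
            values.append((val.text or "").strip())
    return values


def invert_role_map(stanza: Dict[str, str]) -> Dict[str, str]:
    """Turn {splunk_role: 'group1;group2'} into {group: splunk_role}."""
    group_to_role = {}
    for splunk_role, groups in stanza.items():
        for group in groups.split(";"):
            group = group.strip()
            if group:
                group_to_role[group] = splunk_role
    return group_to_role


def check_roles(statement_xml: str, stanza: Dict[str, str]) -> Dict[str, list]:
    """Classify each role value and resolve DN cn values against the map.

    Assumption (not verified against Splunk source): the cn component of a
    DN-formatted value is what gets matched against the roleMap group names,
    with exact, case-sensitive comparison."""
    group_to_role = invert_role_map(stanza)
    bad_values, groups = [], []
    for value in role_values(statement_xml):
        match = DN_RE.match(value)
        if match is None:
            bad_values.append(value)      # not a DN: Splunk would not map it
        else:
            groups.append(match.group(1))
    matched = sorted({group_to_role[g] for g in groups if g in group_to_role})
    unmatched = [g for g in groups if g not in group_to_role]
    return {
        "bad_values": bad_values,         # values the IdP must re-format as DNs
        "groups": groups,                 # cn values extracted from DN entries
        "matched_roles": matched,         # Splunk roles the login would receive
        "unmatched_groups": unmatched,    # DNs whose cn is absent from the map
    }


if __name__ == "__main__":
    for key, val in check_roles(SAMPLE_STATEMENT, ROLE_MAP).items():
        print("%-17s %s" % (key + ":", val))
```

Run against the constructed sample, "Employee" shows up under bad_values (a bare name, which is the original poster's situation) while the two DN values resolve to the admin and user roles. An assertion that reports only bare names would leave matched_roles empty, which is the case where Splunk falls back to defaultRoleIfMissing or rejects the login.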

nvonkorff
Path Finder

Thanks hossyee. I actually opened a case with Splunk support and they got back to me with this answer. I should have come back and updated my question, but you beat me to it! 🙂

0 Karma

bgadsk
New Member

newbie question:
What is the format of the Entity ID and the Attribute query URL in the SAML Configuration form?

0 Karma

rdimri_splunk
Splunk Employee

Entity ID: there is no specific format for this. This is what your SAML provider has been configured with, and you should use the same value. Generally you need to identify the service provider uniquely to the provider; this is that identifier.

Attribute Query URL: Does your SAML provider support attribute query? If not, then this is not needed.

0 Karma