Splunk SSO with PingFederate/SAML - works, but roles not being found

Path Finder

SSO with Splunk and PingFederate works well in terms of authenticating, but I can only get it working if "defaultRoleIfMissing" is configured in authentication.conf.

If I remove that setting, Splunk does not allow the login and displays: "No valid Splunk role is found in the local mapping or in the assertion."

I have confirmed that the Splunk role to SAML group mapping is definitely configured correctly, trying through both the config files and the web UI, but neither seems to work.

I turned on debugging and got the below XML from the IdP response. What is strange is that the 'realName' and 'mail' attributes are being pulled correctly from the response, but not the 'role' section.

<saml:AttributeStatement>
  <saml:Attribute Name="realName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SplunkUser</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AllUsers</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Employee</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin2</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nick@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

Has anyone else experienced this issue? Any pointers?

0 Karma
1 Solution

Engager

The roles need to be in DN format. For example:

cn=User,dc=test,dc=local

Contributor

Can you elaborate on where this DN format for the role needs to live? Coming from the SAML side or in authentication.conf? A specific example showing what worked would be very useful. Thanks!

0 Karma

Builder

Your Identity Provider needs to pass the role information with the correct DN format to Splunk.

0 Karma

Builder

For example:

<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=AllUsers,dc=myfqdn,dc=ca</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=User,dc=myfqdn,dc=ca</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=Employee,dc=myfqdn,dc=ca</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=admin2,dc=myfqdn,dc=ca</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=admin,dc=myfqdn,dc=ca</saml:AttributeValue>
</saml:Attribute>

0 Karma
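As an added example (not from this thread, Splunk, or PingFederate), a pre-flight check in Python over a decoded SAML AttributeStatement: it extracts the 'role' attribute values, flags the ones that are not DN-shaped and so will trigger the "No valid Splunk role is found" failure described above, and mirrors an assumed [roleMap_SAML] stanza to show which Splunk roles the DN-formatted version would grant. The sample assertions, the loose DN regex, the role map and the case-insensitive whole-string match are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Loose DN shape: one or more "attr=value" RDNs separated by commas (assumption).
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)*$")

def role_values(statement_xml: str, attr_name: str = "role") -> list[str]:
    """Return the text of every <saml:AttributeValue> under the named attribute."""
    root = ET.fromstring(statement_xml)
    xpath = f".//saml:Attribute[@Name='{attr_name}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in root.findall(xpath, SAML_NS)]

def check_roles(statement_xml: str) -> dict[str, list[str]]:
    """Split asserted role values into DN-shaped (mappable) and bare (ignored)."""
    ok, bad = [], []
    for value in role_values(statement_xml):
        (ok if DN_RE.match(value) else bad).append(value)
    return {"mappable": ok, "not_dn": bad}

def resolve_roles(statement_xml: str, role_map: dict[str, str]) -> list[str]:
    """Mirror a [roleMap_SAML] stanza (Splunk role -> ';'-separated group DNs).
    Assumes case-insensitive, whitespace-trimmed comparison of whole DN strings."""
    asserted = {v.lower() for v in check_roles(statement_xml)["mappable"]}
    granted = []
    for splunk_role, dn_list in role_map.items():
        dns = {d.strip().lower() for d in dn_list.split(";") if d.strip()}
        if asserted & dns:
            granted.append(splunk_role)
    return granted

# Constructed samples: the bare-name assertion from the question and its DN-formatted fix.
BARE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="role">
    <saml:AttributeValue>AllUsers</saml:AttributeValue>
    <saml:AttributeValue>User</saml:AttributeValue>
    <saml:AttributeValue>admin</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""
FIXED = (BARE.replace(">AllUsers<", ">cn=AllUsers,dc=myfqdn,dc=ca<")
             .replace(">User<", ">cn=User,dc=myfqdn,dc=ca<")
             .replace(">admin<", ">cn=admin,dc=myfqdn,dc=ca<"))
# Hypothetical authentication.conf [roleMap_SAML] stanza, expressed as a dict.
ROLE_MAP = {"admin": "cn=admin,dc=myfqdn,dc=ca",
            "user": "cn=User,dc=myfqdn,dc=ca;cn=Employee,dc=myfqdn,dc=ca"}

if __name__ == "__main__":
    print(check_roles(BARE))             # every value lands in "not_dn"
    print(resolve_roles(FIXED, ROLE_MAP))  # ['admin', 'user']
```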

Path Finder

Thanks hossyee. I actually opened a case with Splunk support and they got back to me with this answer. I should have come back and updated my question, but you beat me to it! 🙂

0 Karma

New Member

newbie question:
What is the format of the Entity ID and the Attribute query URL in the SAML Configuration form?

0 Karma

Splunk Employee

Entity ID: there is no specific format for this. This is what your SAML provider has been configured with, and you should use the same value. Generally you need to identify the service provider uniquely with the provider; this is that identifier.

Attribute Query URL: Does your SAML provider support attribute query? If not, then this is not needed.

0 Karma