Security

Status code=responder, SSO disabled

Explorer

Running Splunk Enterprise 8.0.0 on an internal network.
I went away on vacation for a few weeks with Splunk working fine and came back to it not. I'm not sure how long it had been down, and no one could really tell me what changed. The first problem was a service account password policy was implemented, so Splunk's service account password changed and it wasn't updated in services to launch Splunk. Once that was changed we could launch Splunk, and then received the errors.

Originally we were using ADFS for SSO and it worked fine, but now when going to the site we get the error, "IDP failed to authenticate. Status Code="Responder" Check Splunkd.log for more information about the failure."
I enabled web debug and it shows SSO Enabled as No.
The certificate has not expired.
I removed and set up SSO again following https://www.splunk.com/en_us/blog/cloud/configuring-microsofts-adfs-splunk-cloud.html
Currently I just log in locally to ensure it's still collecting data.
The splunkd logs show:

ERROR Saml - No extra status code found in SamlResponse, Not a valid status. Could not evaluate xpath expression /samlp:Response/samlp:Status/samlp:StatusMessage or no matching node foundNo value found in SamlResponse for key=/samlp:Response/samlp:Status/samlp:StatusMessage or no matching node foundCould not evaluate xpath expression /samlp:Response/samlp:Status/samlp:StatusDetail/Cause or no matching node foundNo value found in SamlResponse for key=/samlp:Response/samlp:Status/samlp:StatusDetail/Cause
ERROR UiSAML - IDP failed to authenticate request. Status Message="" Status Code="Responder"
ERROR UiSAML - IDP failed to authenticate request. Status Code="Responder"
Labels (1)

What'd you end up doing to fix this? I've got the same problem and can't work it out 😞

0 Karma