I am running into an issue where nested AD groups that are in my Splunk AD group do not get the access that everyone else does. The situation when something like...
I set up an AD group called Splunk_Win and there were several users in it who had the correct access and could view data. I had a manager request him and his team be added to the group so our Sysadmin added their team group to Splunk_Win and not individually. The manager then said they were getting error logging in and needed access now for an emergency. Our sysadmin decided it was best to just add the manager to Splunk_Win and whala, manager had the access he needed.
I re-created this with another member of the group and asked them to screen shot what they saw (I can't add it but I'll type it out)
Sorry, but we're having trouble signing you in
AADSTS50105: The signed in user user.user@company.com is not assigned to a role for the application a1c025ed-e585-42ab-b809-a4f7b4fd3ea1 (Splunk Enterprise and Splunk Cloud.
This error leads me to believe there is a disconnect between Azure and Splunk. The set up is SSO/SAML and as I said above, if the user goes into the Splunk AD group by themselves they get the access need.
Has anyone run into this or has any ideas (besides adding individuals) to get nested groups to work in Splunk?
Hey anyone who is searching for this answer. I opened a case with Splunk support and the answer i got back was...
"Hi Kelly,
Thanks for the reply.
I have asked a few our SAML admins and they mentioned the same, groups will have to be added individually and not as nested groups; nested are not parsed. I've looked to see if there is more information to support this claim, but it does not seem if that is the case.
My apologies if this is not much help and does not provide clarity on your original request.
Please let me know if you have any additional questions regarding SAML and nested groups."
So the answer is to add users individually and not to add nested groups. 🙂
Hey anyone who is searching for this answer. I opened a case with Splunk support and the answer i got back was...
"Hi Kelly,
Thanks for the reply.
I have asked a few our SAML admins and they mentioned the same, groups will have to be added individually and not as nested groups; nested are not parsed. I've looked to see if there is more information to support this claim, but it does not seem if that is the case.
My apologies if this is not much help and does not provide clarity on your original request.
Please let me know if you have any additional questions regarding SAML and nested groups."
So the answer is to add users individually and not to add nested groups. 🙂
Splunk LDAP configuration has an option to "allow nested groups". You'll want to submit a support request to have that enabled.
Funny story! I have googled and searched for answers and I mentioned this very thing to my manager for a solution (using LDAP). but was told we cannot set it up on top of our SAML setup. I'll send in a support ticket to see what they think though. Thanks 🙂
Oh I missed that part, yeah it's SSO or LDAP out of the box. If it was on prem you could setup scripted auth which could handle both. I'm not sure if they can do that in splunk cloud though. Best of luck!
Thanks! Yeah, its a tricky situation, which I am definitely scratching my head about. I put in a support ticket so I can update here what the fix is, if any, just in case someone else starts to scratch their head about it. 🙂