Security

simpleSAMLphp and Splunk 6.3: Why are we getting error "No valid Splunk role found in the local mapping or assertion"

ema67
New Member

Hello,

We are trying to have our users authenticated on our idP running simpleSAMLphp before they can have access to Splunk Apps.
The authentication part is working fine, as our users get redirected and authenticated successfully on our idP, before being redirected back to Splunk for accessing the Apps.

At this point, we end up with an error message:

No valid Splunk role found in the local mapping or assertion

Our users belong to a group named "role" on the idP, but for an unknown reason, it seems that this attribute is not taken into account by Splunk.

Is there a specific format that the idP needs to use in order to pass on the attributes to Splunk?
Is there simplesamlphp config file examples available?

Any help would be much appreciated,

Regards

0 Karma

mydog8it
Builder

On your Splunk Search Head you must configure the SAML roles to map to Splunk roles.

Click "Settings" - "Access controls" - "Authentication method" - "SAML settings"

In the upper right corner, click the "New Group" button.
Given the information you provided, name your new group "admin" and then assign it the Splunk role of "admin"

Make sure the cookies a cleared before retest.

I didn't look at the SAML response close enough to determine if you need to remap an attribute. Provided everything else is good this should work.

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Currently, only Ping Identity is certified as an IDP for Splunk SAML. Unfortunately, the SAML standard leaves room for interpretation when it comes to implementing attribute calls, which is why you may see your issues.
I am not exactly sure what simpleSAMLphp is, but I think your users must be configured to be part of a group that is returned to Splunk as the 'role' attribute. You also need realName and mail attributes.
You may or may not be able to get this to work. I would suggest you create a P4 case with Splunk support and make your desire to have your IdP supported known.

0 Karma

ema67
New Member

Thanks for that, much appreciated. Indeed attributes role, realName and mail are part of the user attributes on the idP.
And those are sent back to Splunk as part of the SAMLResponse parameter.

Here a decode of the SAMLResponse parameter sent from the idP to Splunk :

Could it be because of the Attribute format used in our implementation ? : NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

Thanks for the support

<saml:NameID SPNameQualifier="entityid" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">mail@exemple.org</saml:NameID>

<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2016-02-10T10:22:52Z" Recipient="http://splunk.exemple.org:8000/saml/acs" InResponseTo="entityid.1.1EB5E003-8144-49C4-AEB5-5AC9EB9BFF3"/>
</saml:SubjectConfirmation>
</saml:Subject>

<saml:Conditions NotBefore="2016-02-10T10:17:22Z" NotOnOrAfter="2016-02-10T10:22:52Z">
<saml:AudienceRestriction><saml:Audience>entityid</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>

<saml:AuthnStatement AuthnInstant="2016-02-10T10:17:52Z" SessionNotOnOrAfter="2016-02-10T18:17:52Z" SessionIndex="_b3313f75da4f84105e36e74242315fbfeca32d442c">
<saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>

<saml:AttributeStatement>
<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">mail@exemple.org</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="realName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">John Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>

</saml:Assertion>
</samlp:Response>
0 Karma

rgopalan
Splunk Employee
Splunk Employee

For Splunk version 6.3, we require the 'role' attribute to be in the DN format - something like "CN=admin, OU=splunk, OU=com" or atleast one key=value pair like "CN=admin".

But the saml response above will work with Splunk 6.4 where this restriction has been removed.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...