Splunk Cloud Platform
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to re-import the metadata XML file to SAML Configuration of Splunk Cloud?

GoliSH
Engager
‎02-15-2023 12:48 PM

Hi All,

I need to re-import new XML metaddata to the Splunk Cloud SAML Configuration which is generated for Azure SSO users. The current cert is valid until 19/02/2023. The issue is when I try to import the new xml (federationmetadata.xml) into the SAML configuration in the Splunk
It constantly encounters the error “There are multiple cert,idepCertPath,idpCert.pem, must be directory"
Try to remove the idpCert.pem in the ./etc/auth/idpCerts/idpCert.pem, and shows Server Error.

I don't know how I can find the path ( ./etc/auth/idpCerts/idpCert.pem) in the Splunk cloud as it is not on=premises.

I really need your help as the current valid will expired very soon (19/02/2023)and results in users and admins being locked out of Splunk Cloud.

Any way to fix it.

"""urgent to solve"""

Many thanks, Goli

@tlam_splunk @gcusello 

I would greatly appreciate it if anyone could help me!

 

0 Karma
Reply

nsanzar_splunk
Splunk Employee
Splunk Employee
Wednesday

In this situation, it could mean one of two things.  The first is that you're trying to use a cert chain and there is already a single cert in idpCert.pem.  Some IdP's like Ping require you to remove that idpCert.pem.  However, the more likely case here is that you have multiple single certs attached to your IdP metadata.xml file.

Some IdP's such as ADFS and Azure (Entra) allow for Primary and Secondary IdP certs, which allow for seamless transition from expiring to new certs.

However, Splunk does NOT accept two single certs in one metadata.xml file.  Hence, your solution here is as below:

1.  On the IdP, replace the expiring cert with the new cert

2.  Disable secondary cert option

3.  Download the new metadata.xml file

4.  Upload the IdP metadata.xml file to Splunk UI > Save 

 

footnote:  Splunk DOES accept cert chains, but that has to be manually uploaded and in the correct order as per KB below:

https://community.splunk.com/t5/Deployment-Architecture/Problem-with-SAML-cert-quot-ERROR-UiSAML-Ver... 

0 Karma
Reply

nickrob1971
Loves-to-Learn Lots
‎10-17-2023 12:53 AM

Was this ever resolved without the need of Splunk Support?

0 Karma
Reply

bobmccoy
Explorer
‎04-19-2023 10:54 AM

I am having the same issue and I just opened a case with Splunk.   I will respond later today when i find out.  

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-15-2023 11:29 PM

Hi @GoliSH,

I haven't an answer to your question.

the only hint I have is to open a case to Splunk Support, also because, using Splunk Cloud you (or your customer) have some credits to engage Splunk Professional Services in problems like your.

ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top