Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to re-import the metadata XML file to SAML Configuration of Splunk Cloud?

GoliSH
Engager
‎02-15-2023 12:48 PM

Hi All,

I need to re-import new XML metaddata to the Splunk Cloud SAML Configuration which is generated for Azure SSO users. The current cert is valid until 19/02/2023. The issue is when I try to import the new xml (federationmetadata.xml) into the SAML configuration in the Splunk
It constantly encounters the error “There are multiple cert,idepCertPath,idpCert.pem, must be directory"
Try to remove the idpCert.pem in the ./etc/auth/idpCerts/idpCert.pem, and shows Server Error.

I don't know how I can find the path ( ./etc/auth/idpCerts/idpCert.pem) in the Splunk cloud as it is not on=premises.

I really need your help as the current valid will expired very soon (19/02/2023)and results in users and admins being locked out of Splunk Cloud.

Any way to fix it.

"""urgent to solve"""

Many thanks, Goli

@tlam_splunk @gcusello 

I would greatly appreciate it if anyone could help me!

 

0 Karma
Reply

nsanzar_splunk
Splunk Employee
Splunk Employee
‎04-02-2025 07:14 AM

In this situation, it could mean one of two things.  The first is that you're trying to use a cert chain and there is already a single cert in idpCert.pem.  Some IdP's like Ping require you to remove that idpCert.pem.  However, the more likely case here is that you have multiple single certs attached to your IdP metadata.xml file.

Some IdP's such as ADFS and Azure (Entra) allow for Primary and Secondary IdP certs, which allow for seamless transition from expiring to new certs.

However, Splunk does NOT accept two single certs in one metadata.xml file.  Hence, your solution here is as below:

1.  On the IdP, replace the expiring cert with the new cert

2.  Disable secondary cert option

3.  Download the new metadata.xml file

4.  Upload the IdP metadata.xml file to Splunk UI > Save 

 

footnote:  Splunk DOES accept cert chains, but that has to be manually uploaded and in the correct order as per KB below:

https://community.splunk.com/t5/Deployment-Architecture/Problem-with-SAML-cert-quot-ERROR-UiSAML-Ver... 

0 Karma
Reply

nickrob1971
Loves-to-Learn Lots
‎10-17-2023 12:53 AM

Was this ever resolved without the need of Splunk Support?

0 Karma
Reply

bobmccoy
Explorer
‎04-19-2023 10:54 AM

I am having the same issue and I just opened a case with Splunk.   I will respond later today when i find out.  

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-15-2023 11:29 PM

Hi @GoliSH,

I haven't an answer to your question.

the only hint I have is to open a case to Splunk Support, also because, using Splunk Cloud you (or your customer) have some credits to engage Splunk Professional Services in problems like your.

ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...