Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to re-import the metadata XML file to SAML Configuration of Splunk Cloud?

GoliSH
Engager
‎02-15-2023 12:48 PM

Hi All,

I need to re-import new XML metaddata to the Splunk Cloud SAML Configuration which is generated for Azure SSO users. The current cert is valid until 19/02/2023. The issue is when I try to import the new xml (federationmetadata.xml) into the SAML configuration in the Splunk
It constantly encounters the error “There are multiple cert,idepCertPath,idpCert.pem, must be directory"
Try to remove the idpCert.pem in the ./etc/auth/idpCerts/idpCert.pem, and shows Server Error.

I don't know how I can find the path ( ./etc/auth/idpCerts/idpCert.pem) in the Splunk cloud as it is not on=premises.

I really need your help as the current valid will expired very soon (19/02/2023)and results in users and admins being locked out of Splunk Cloud.

Any way to fix it.

"""urgent to solve"""

Many thanks, Goli

@tlam_splunk @gcusello 

I would greatly appreciate it if anyone could help me!

 

0 Karma
Reply

nsanzar_splunk
Splunk Employee
Splunk Employee
‎04-02-2025 07:14 AM

In this situation, it could mean one of two things.  The first is that you're trying to use a cert chain and there is already a single cert in idpCert.pem.  Some IdP's like Ping require you to remove that idpCert.pem.  However, the more likely case here is that you have multiple single certs attached to your IdP metadata.xml file.

Some IdP's such as ADFS and Azure (Entra) allow for Primary and Secondary IdP certs, which allow for seamless transition from expiring to new certs.

However, Splunk does NOT accept two single certs in one metadata.xml file.  Hence, your solution here is as below:

1.  On the IdP, replace the expiring cert with the new cert

2.  Disable secondary cert option

3.  Download the new metadata.xml file

4.  Upload the IdP metadata.xml file to Splunk UI > Save 

 

footnote:  Splunk DOES accept cert chains, but that has to be manually uploaded and in the correct order as per KB below:

https://community.splunk.com/t5/Deployment-Architecture/Problem-with-SAML-cert-quot-ERROR-UiSAML-Ver... 

0 Karma
Reply

nickrob1971
Loves-to-Learn Lots
‎10-17-2023 12:53 AM

Was this ever resolved without the need of Splunk Support?

0 Karma
Reply

bobmccoy
Explorer
‎04-19-2023 10:54 AM

I am having the same issue and I just opened a case with Splunk.   I will respond later today when i find out.  

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-15-2023 11:29 PM

Hi @GoliSH,

I haven't an answer to your question.

the only hint I have is to open a case to Splunk Support, also because, using Splunk Cloud you (or your customer) have some credits to engage Splunk Professional Services in problems like your.

ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...