Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to re-import the metadata XML file to SAML Configuration of Splunk Cloud?

GoliSH
Engager
‎02-15-2023 12:48 PM

Hi All,

I need to re-import new XML metaddata to the Splunk Cloud SAML Configuration which is generated for Azure SSO users. The current cert is valid until 19/02/2023. The issue is when I try to import the new xml (federationmetadata.xml) into the SAML configuration in the Splunk
It constantly encounters the error “There are multiple cert,idepCertPath,idpCert.pem, must be directory"
Try to remove the idpCert.pem in the ./etc/auth/idpCerts/idpCert.pem, and shows Server Error.

I don't know how I can find the path ( ./etc/auth/idpCerts/idpCert.pem) in the Splunk cloud as it is not on=premises.

I really need your help as the current valid will expired very soon (19/02/2023)and results in users and admins being locked out of Splunk Cloud.

Any way to fix it.

"""urgent to solve"""

Many thanks, Goli

@tlam_splunk @gcusello 

I would greatly appreciate it if anyone could help me!

 

0 Karma
Reply

nsanzar_splunk
Splunk Employee
Splunk Employee
‎04-02-2025 07:14 AM

In this situation, it could mean one of two things.  The first is that you're trying to use a cert chain and there is already a single cert in idpCert.pem.  Some IdP's like Ping require you to remove that idpCert.pem.  However, the more likely case here is that you have multiple single certs attached to your IdP metadata.xml file.

Some IdP's such as ADFS and Azure (Entra) allow for Primary and Secondary IdP certs, which allow for seamless transition from expiring to new certs.

However, Splunk does NOT accept two single certs in one metadata.xml file.  Hence, your solution here is as below:

1.  On the IdP, replace the expiring cert with the new cert

2.  Disable secondary cert option

3.  Download the new metadata.xml file

4.  Upload the IdP metadata.xml file to Splunk UI > Save 

 

footnote:  Splunk DOES accept cert chains, but that has to be manually uploaded and in the correct order as per KB below:

https://community.splunk.com/t5/Deployment-Architecture/Problem-with-SAML-cert-quot-ERROR-UiSAML-Ver... 

0 Karma
Reply

nickrob1971
Loves-to-Learn Lots
‎10-17-2023 12:53 AM

Was this ever resolved without the need of Splunk Support?

0 Karma
Reply

bobmccoy
Explorer
‎04-19-2023 10:54 AM

I am having the same issue and I just opened a case with Splunk.   I will respond later today when i find out.  

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-15-2023 11:29 PM

Hi @GoliSH,

I haven't an answer to your question.

the only hint I have is to open a case to Splunk Support, also because, using Splunk Cloud you (or your customer) have some credits to engage Splunk Professional Services in problems like your.

ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...