Hello. I am trying to get SAML authentication working on Splunk Enterprise using our local IdP, which is SAML 2.0 compliant.
I can successfully authenticate against the IdP, which returns the assertion, but Splunk won't let me in. I get this error: "Saml response does not contain group information."
I know Splunk looks for a 'role' variable, but our assertion does not return that. Instead, it returns "memberOf", and I added that to authentication.conf:
[authenticationResponseAttrMap_SAML]
role = memberOf
I also map the role under roleMap_SAML.
It seems like no matter what I do, no matter what I put, I get the "Saml response does not contain group information." response.
I have a ticket open with tech support, but at the moment, they're not sure what the issue is. Here's a snippet (masked) of the assertion response:
<saml2:Attribute FriendlyName="memberOf" Name="urn:oid:1.2.xxx.xxxxxx.1.2.102"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:some-group
</saml2:AttributeValue>
</saml2:Attribute>
Feeling out of options, I asked ChatGPT (I know, I know), and it said that the namespace our assertion is using may be the issue. It said that Splunk uses the "saml" namespace, but our IdP is returning "saml2". I don't know if that's the actual issue nor, if it is, what to do about it.
splunkd.log shows the error message that I'm seeing in the web interface:
12-12-2024 15:14:24.611 -0500 ERROR Saml [847764 webui] - No value found in SamlResponse for match key=saml:AttributeStatement/saml:Attribute attrName=memberOf err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute
I've looked at the Splunk SAML docs, but don't see anything about namespacing, so maybe ChatGPT just made that up.
What exactly is Splunk looking for that I'm not providing?
If anyone has any suggestions or insight, please let me know.
Thank you!
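An added example, not from the thread or from Splunk, that checks the namespace question raised above: it resolves the AttributeStatement/Attribute elements by the SAML 2.0 namespace URI, the way a prefix-bound XPath does, so a `saml2` prefix and a `saml` prefix give the same result, while an assertion bound to a different URI yields no nodes. The sample assertion is constructed from the masked snippet in the post, with Grouper-style values; the OID in it is the poster's masked placeholder.

```python
import io
import xml.etree.ElementTree as ET

# The SAML 2.0 assertion namespace URI. XPath matches elements by this URI, so
# the prefix an IdP chooses (saml, saml2, ...) does not matter by itself.
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2_NS}

# Constructed sample modelled on the masked snippet in the post (the OID is the
# poster's masked placeholder, not a real attribute identifier).
ASSERTION_SAML2_PREFIX = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="memberOf" Name="urn:oid:1.2.xxx.xxxxxx.1.2.102"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>org:sections:managed:employee:saml-test</saml2:AttributeValue>
      <saml2:AttributeValue>org:sections:managed:employee:qa</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Same assertion with the "saml" prefix: must yield identical results.
ASSERTION_SAML_PREFIX = ASSERTION_SAML2_PREFIX.replace("saml2", "saml")

# Same assertion bound to a non-standard namespace URI: for such a document a
# prefix-bound XPath finds "No nodes", whatever prefix the document uses.
ASSERTION_WRONG_NS = ASSERTION_SAML2_PREFIX.replace(SAML2_NS, "urn:example:not-saml2")


def declared_namespaces(assertion_xml: str) -> dict:
    """Map each declared prefix to its URI, to spot a URI that is not SAML2_NS."""
    source = io.BytesIO(assertion_xml.encode("utf-8"))
    return {prefix: uri for _, (prefix, uri)
            in ET.iterparse(source, events=("start-ns",))}


def attribute_values(assertion_xml: str, attr_name: str) -> list:
    """Values of the Attribute whose Name or FriendlyName equals attr_name,
    located by namespace URI exactly as a prefix-bound XPath would."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr_name in (attr.get("Name"), attr.get("FriendlyName")):
            values.extend((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", NS))
    return values


if __name__ == "__main__":
    for label, doc in [("saml2 prefix", ASSERTION_SAML2_PREFIX),
                       ("saml prefix", ASSERTION_SAML_PREFIX),
                       ("wrong URI", ASSERTION_WRONG_NS)]:
        print(label, declared_namespaces(doc), attribute_values(doc, "memberOf"))
```

Run it against the real (unmasked) assertion to see whether the `saml2` prefix is bound to the standard URI; if it is, the prefix itself is not what the XPath in the log is failing on.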
Thank you for your response.
The answer is "yes" to both questions. I've tried mapping the role to Name, memberOf, and FriendlyName.
It looks like the response uses "DN format," and the example in the docs is similar to the response I'm receiving.
One difference I did notice from the doc, however, is the value it's returning. In the doc, it appears to be returning LDAP memberships: CN=Employee, OU=SAML Test, DC=qa, etc... Our back-end uses Grouper for authorization, and the value looks more like org:sections:managed:employee:saml-test:qa:etc... I wonder if that's confusing Splunk...? I'm grasping at this point.
Have you tried to map the "Name" to the "role" variable?
Have you checked the supported group information formats in the docs and verified it?
Configure SAML SSO using configuration files on Splunk Enterprise - Splunk Documentation