Splunk Enterprise

SAML login with Azure AD fails because of missing-username

msteffl
Loves-to-Learn

We set up a SAML login with Azure AD for our self-hosted Splunk Enterprise.

When we try to login we are redirected to 

https://<instance>.westeurope.cloudapp.azure.com/en-GB/account/login

which displays a blank page with

{"status":1}

So login seems to work somehow, but after that it gets stuck on this page, and in splunkd.log I can see the following error message:

"ERROR UiAuth [28137 TcpChannelThread] - user= action=login status=failure reason=missing-username"

So it sounds like there is maybe something wrong in the claims mapping?

Here is my local/authentication.conf:

[roleMap_SAML]
admin = test

[splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 0
expireAlertDays = 15
expirePasswordDays = 90
expireUserAccounts = 0
forceWeakPasswordChange = 0
lockoutAttempts = 5
lockoutMins = 30
lockoutThresholdMins = 5
lockoutUsers = 1
minPasswordDigit = 0
minPasswordLength = 8
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordUppercase = 0
passwordHistoryCount = 24
verboseLoginFailMsg = 1

[authentication]
authSettings = saml
authType = SAML

[authenticationResponseAttrMap_SAML]
mail = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
realName = http://schemas.microsoft.com/identity/claims/displayname
role = http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

[saml]
caCertFile = /opt/splunk/etc/auth/cacert.pem
clientCert = /opt/splunk/etc/auth/server.pem
entityId = <instance>.westeurope.cloudapp.azure.com
fqdn = https://<instance>.westeurope.cloudapp.azure.com
idpCertExpirationCheckInterval = 86400s
idpCertExpirationWarningDays = 90
idpCertPath = idpCert.pem
idpSLOUrl = https://login.microsoftonline.com/<tentantid>/saml2
idpSSOUrl = https://login.microsoftonline.com/<tentantid>/saml2
inboundDigestMethod = SHA1;SHA256;SHA384;SHA512
inboundSignatureAlgorithm = RSA-SHA1;RSA-SHA256;RSA-SHA384;RSA-SHA512
issuerId = https://sts.windows.net/<tentantid>/
lockRoleToFullDN = true
nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
redirectPort = 0
replicateCertificates = true
signAuthnRequest = false
signatureAlgorithm = RSA-SHA1
signedAssertion = true
sloBinding = HTTP-POST
sslPassword = <pw>
ssoBinding = HTTP-POST

Does anyone have a hint what could be going wrong in our setup?

Thanks in advance!

msteffl
Loves-to-Learn

Hi sainag,

thanks for the response.

No, we are not using scripted authentication. The pasted authentication.conf above is the complete config.

I am also not able to see the log message

Unknown role 'ldap_user'

What I figured out: I changed the default reply URL to 

https://<instance>.westeurope.cloudapp.azure.com/saml/acs 

instead of https://<instance>.westeurope.cloudapp.azure.com/en-GB/account/login 

And now this error is gone (is that maybe responsible for the evaluation of the attributes?).

BUT now I get a different error:

10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=342:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert: subject=/CN=SSO-Certificate; issuer=/CN=SSO-Certificate; err=20; msg=unable to get local issuer certificate
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=381:obj=x509-store:subj=unknown:error=71:certificate verification failed:subject=/CN=SSO-Certificate; issuer=/CN=SSO-Certificate; err=20; msg=unable to get local issuer certificate
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecOpenSSLKeyDataX509VerifyAndExtractKey:file=x509.c:line=1505:obj=x509:subj=unknown:error=72:certificate is not found:details=NULL
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecOpenSSLKeyDataX509XmlRead:file=x509.c:line=654:obj=x509:subj=xmlSecOpenSSLKeyDataX509VerifyAndExtractKey:error=1:xmlsec library function failed: 
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecKeyInfoNodeRead:file=keyinfo.c:line=114:obj=x509:subj=xmlSecKeyDataXmlRead:error=1:xmlsec library function failed:node=X509Data
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecKeysMngrGetKey:file=keys.c:line=1227:obj=unknown:subj=xmlSecKeyInfoNodeRead:error=1:xmlsec library function failed:node=KeyInfo
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=790:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=503:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: 
10-14-2024 15:31:01.405 +0000 ERROR XmlParser [4858 webui] - func=xmlSecDSigCtxVerify:file=xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed: 
10-14-2024 15:31:01.405 +0000 ERROR Saml [4858 webui] - Error: failed to verify signature with cert :/opt/splunk/etc/auth/idpCerts/idpCert.pem;
10-14-2024 15:31:01.405 +0000 ERROR Saml [4858 webui] -  Unable to verify Saml document 
10-14-2024 15:31:01.405 +0000 ERROR UiSAML [4858 webui] - Verification of SAML assertion using the IDP's certificate provided failed. Error: failed to verify signature with cert

Are these errors somehow related? Any ideas how to fix that?

How can I turn on debug for SAML?

sainag_splunk
Splunk Employee

Hello, this looks like an issue with the certificate. Please check this out: https://community.splunk.com/t5/Deployment-Architecture/Problem-with-SAML-cert-quot-ERROR-UiSAML-Ver...


If this is a brand new implementation, you can also use Splunk's "ondemand services" for help. The Professional Services experts can "shoulder surf" this and help get it resolved.

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 

msteffl
Loves-to-Learn

I checked your post. The IdP certificate is a self-signed certificate, so it is not chained. So there is no root or intermediate certificate available.

sainag_splunk
Splunk Employee

I personally follow this doc and have never had any issues. Can you please try this from scratch again?

https://learn.microsoft.com/en-us/entra/identity/saas-apps/splunkenterpriseandsplunkcloud-tutorial

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 

sainag_splunk
Splunk Employee

Hello @msteffl. Are you using scripted authentication?

Do you also see any warnings like this in splunkd.log?

"WARN AuthorizationManager [34567 TcpChannelThread] - Unknown role 'ldap_user'"

If you also see the "unknown role" error message, it might be that the AD group to Splunk role mapping is failing because it can't find a Splunk role definition for "ldap_user". Take a look at authorize.conf.

To troubleshoot this issue you will need to turn on debug for SAML on the SH and get the user to try to log in again. Once they have done that, you can run the following to see if any roles are being returned for the user:
index=_internal sourcetype=splunkd samlp:response

Docs:
https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/ConfigureSSOinSplunkWeb
https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/Mapgroupstoroles
https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/ConfigureauthextensionsforSAMLtoke...

Hope this helps. 

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
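As an added example (not Splunk's own code or logic), the script below replays how the claims in an assertion would be matched against the [authenticationResponseAttrMap_SAML] and [roleMap_SAML] stanzas from the first post, so that a missing NameID (no username at all) can be told apart from a group value that maps to no Splunk role. The assertion is constructed and unsigned; that the username comes from Subject/NameID is an assumption based on the nameIdFormat setting in the config.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values copied from the authentication.conf posted in this thread.
ATTR_MAP = {  # [authenticationResponseAttrMap_SAML]
    "mail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "realName": "http://schemas.microsoft.com/identity/claims/displayname",
    "role": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}
ROLE_MAP = {"admin": ["test"]}  # [roleMap_SAML]  admin = test


def make_assertion(name_id, groups):
    """Build a constructed, unsigned Azure-AD-style assertion for testing."""
    subject = (f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
               if name_id else "")  # no NameID at all when name_id is None

    def attribute(uri, values):
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        return f'<saml:Attribute Name="{uri}">{vals}</saml:Attribute>'

    attrs = (attribute(ATTR_MAP["mail"], ["alice@example.com"])
             + attribute(ATTR_MAP["realName"], ["Alice"])
             + attribute(ATTR_MAP["role"], groups))
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">{subject}'
            f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>")


def evaluate(assertion_xml, attr_map=ATTR_MAP, role_map=ROLE_MAP):
    """Report what the configured mapping extracts from one assertion."""
    root = ET.fromstring(assertion_xml)
    # Assumption: the username is the Subject/NameID (see nameIdFormat in [saml]).
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    claims = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", SAML_NS)]
              for a in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS)}
    mapped = {key: claims.get(uri, []) for key, uri in attr_map.items()}
    groups = mapped.get("role", [])
    # A Splunk role is granted when any of its configured group values was sent.
    roles = sorted(r for r, members in role_map.items() if set(members) & set(groups))
    unmapped = [g for g in groups if not any(g in m for m in role_map.values())]
    return {"username": name_id, "mapped": mapped, "roles": roles,
            "unmapped_groups": unmapped,
            "failure": None if name_id else "missing-username"}


if __name__ == "__main__":
    print(evaluate(make_assertion("alice@example.com", ["test", "not-in-rolemap"])))
    print(evaluate(make_assertion(None, ["test"])))  # failure: missing-username
```

Azure AD's groups claim carries group object IDs by default, so the right-hand side of roleMap_SAML has to match the value the IdP actually sends rather than the group's display name.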