Thanks for that, much appreciated. Indeed attributes role, realName and mail are part of the user attributes on the idP.
And those are sent back to Splunk as part of the SAMLResponse parameter.
Here a decode of the SAMLResponse parameter sent from the idP to Splunk :
Could it be because of the Attribute format used in our implementation ? : NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Thanks for the support
<saml:NameID SPNameQualifier="entityid" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">
[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2016-02-10T10:22:52Z" Recipient="http://splunk.exemple.org:8000/saml/acs" InResponseTo="entityid.1.1EB5E003-8144-49C4-AEB5-5AC9EB9BFF3"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2016-02-10T10:17:22Z" NotOnOrAfter="2016-02-10T10:22:52Z">
<saml:AudienceRestriction><saml:Audience>entityid</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2016-02-10T10:17:52Z" SessionNotOnOrAfter="2016-02-10T18:17:52Z" SessionIndex="_b3313f75da4f84105e36e74242315fbfeca32d442c">
<saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">
[email protected]</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="realName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">John Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
... View more