This seemed to fix it on one of our domains: Splunk SAML Request Signing does not appear to work with ADFS and the requirement for it must be disabled on the Relying Party Trust. Disabling SAML Request Signing for the Relying Party Trust must be done from a PowerShell command. Open an elevated PowerShell command window and run the following command. Be sure to use the correct Identifier for the Relying Party Trust:

    # splunkEntityId is the Identifier of the Splunk Relying Party Trust; the Set-AdfsRelyingPartyTrust parameter is -SignedSamlRequestsRequired
    Get-AdfsRelyingPartyTrust -Identifier splunkEntityId | Set-AdfsRelyingPartyTrust -SignedSamlRequestsRequired $false

Next, the Claims Rules need to be created within the Relying Party Trust.

1. Right-click the newly created Relying Party Trust and choose Edit Claims Rules…
2. Issuance Transform Rules tab > Click Add Rule…
3. Choose Rule Type > In the Claim Rule Template pulldown, choose Send LDAP Attributes as Claims, and click Next.
4. Configure Claim Rule > Enter a name, e.g. “Send Name, Mail and Groups”, for the Claim Rule Name and select Active Directory in the Attribute Store pulldown menu. Add the following items to the Mapping of LDAP attributes to outgoing claim types table and click Finish:

    LDAP Attribute (Select or type to add more) | Outgoing Claim Type (Select or type to add more)
    Display-Name | realName
    E-Mail-Addresses | mail
    Token-Groups – Unqualified Names | Role

Customize the newly created rule. ADFS will ALWAYS use the Role schema string as if selected from the pulldown, even if the user manually types “role” for the Outgoing Claim Type in the table. Splunk will not recognize this schema string to associate the groups to the “role” label as required. An easy way to get the proper claim rule is to create the claim with the wizard to get the claim language, then copy and modify the claim rule language to create a new custom rule. Afterwards the original rule can be deleted, leaving only the custom version of the rule.

5. Highlight the claim rule that was configured to Send LDAP Attributes and click Edit Rule… Click the View Rule Language at the bottom and copy the entire contents of the claim rule language box. Then click OK. Click Cancel to close the Edit Rule box.
6. Click the Add Rule… button to create a new rule. Choose Rule Type > In the Claim Rule Template pulldown, select Send Claims Using a Custom Rule. Click Next.
7. Configure Claim Rule > Enter a name in the Claim Rule Name box and paste the copied Claim Rule Language into the Custom Rule box. Modify the Claim Rule Language as described below to replace the “Role” schema string:

    Original Claim Rule Language -
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("realName", "mail", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";displayName,mail,tokenGroups;{0}", param = c.Value);

    Modified Claim Rule Language -
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("realName", "mail", "role"), query = ";displayName,mail,tokenGroups;{0}", param = c.Value);

   Click Finish.
8. Highlight the originally created claim rule and click Remove Rule…, leaving only the newly created Custom Rule.
9. Create another rule with the Add Rule… button. Choose Rule Type > In the Claim Rule Template pulldown, choose Transform an Incoming Claim, click Next.
10. Configure Claim Rule > Enter a name, e.g. “NameID”, in the Claim Rule Name field. In the Incoming Claim Type pulldown, select UPN. In the Outgoing Claim Type pulldown, select Name ID. In the Outgoing name ID format pulldown, select Transient Identifier. Leave the rest of the items as their default selections and click Finish.
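As an added check after the steps above (example script, not part of the original post), this PowerShell audits the Splunk Relying Party Trust: it records that unsigned SAML requests are now accepted, confirms the custom rule issues the short "role" type rather than the wizard's schema URI, and confirms a Name ID rule exists. It assumes the Identifier is splunkEntityId as in the post and that the Name ID rule emits the standard nameidentifier claim type.

```powershell
# Added audit script for the ADFS trust configured above (not from the original post).
# "splunkEntityId" is a placeholder; use the real Identifier of the Splunk Relying Party Trust.
$rpId = "splunkEntityId"
$rp = Get-AdfsRelyingPartyTrust -Identifier $rpId
if (-not $rp) { throw "No Relying Party Trust with Identifier '$rpId'" }

$findings = @()

# 1. Request signing: the fix disables this requirement, so the trust now accepts
#    unsigned AuthnRequests. Surface the setting either way so the exception is visible.
if ($rp.SignedSamlRequestsRequired) {
    $findings += "SignedSamlRequestsRequired is True; Splunk will not authenticate until it is set to False."
} else {
    $findings += "SignedSamlRequestsRequired is False (unsigned AuthnRequests accepted); document this exception for the Splunk trust."
}

# 2. Claim rules: Splunk needs the literal outgoing type "role", not the
#    schemas.microsoft.com/.../claims/role URI the wizard emits.
$rules    = $rp.IssuanceTransformRules     # full claim rule language as one string
$longRole = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
if ($rules -match [regex]::Escape($longRole)) {
    $findings += "A rule still issues '$longRole'; Splunk expects the short type ""role""."
}
if ($rules -notmatch '"role"') {
    $findings += 'No rule issues the short claim type "role"; group-to-role mapping in Splunk will fail.'
}
foreach ($attr in 'realName', 'mail') {
    if ($rules -notmatch "`"$attr`"") { $findings += "No rule issues the '$attr' claim." }
}

# 3. Name ID: the Transform an Incoming Claim rule maps UPN to a transient Name ID.
#    Assumes ADFS's standard nameidentifier claim type for the "Name ID" outgoing type.
$nameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
if ($rules -notmatch [regex]::Escape($nameIdType)) {
    $findings += "No rule issues a Name ID claim ($nameIdType)."
}

$findings | ForEach-Object { Write-Output $_ }
```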