Security

I am trying to use auth0 as an IDp for Splunk and I get the "Saml response does not contain group information." error, any help is greatly appreciated.

ghlogger
Explorer

I think this is a sample snip of the auth0 xml response
but there is no attribute to use that has group information (see below)

tried authentication.conf role = Group (first line)
splunkd.log:04-03-2020 17:39:57.331 +0000 ERROR Saml - No value found in SamlRes
ponse for match key=saml:AttributeStatement/saml:Attribute attrName=role = Group
s err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute
splunkd.log:04-07-2020 16:30:37.575 +0000 ERROR Saml - No value found in SamlResponse for match key=saml:AttributeStatement/saml:Attribute attrName=Groups err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute

there is an auth0 api that has group info, how do i get splunk to access it "myname.auth0.com/api/v2/users/{id}/roles"

Response snip




Tags (1)

jawaharas
Motivator

@ghlogger 
Try below config in 'authentication.conf' file. 

 

[authenticationResponseAttrMap_SAML]
role = http://schemas.auth0.com/roles

 

The attribute value is fetched using 'SAML Tracer' addon. 

Also, make sure to create a 'Auth Pipeline' rule in Auth0 with below code to pull the roles during authorization.

function (user, context, callback) {
  // Get the user roles from the Authorization context
  const assignedRoles = (context.authorization || {}).roles;
  // Update the user object.
  user.roles = assignedRoles;
  callback(null, user, context);
}

 

0 Karma

ghlogger
Explorer

This is the snip that did not seem to make it into the post, removed the less than and slash greater than chars.

Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
0 Karma

ghlogger
Explorer

I have been able to configure Auth0 to output all required fields but none are being used by Splunk. What exactly do I need to supply the identity data in the response so that Splunk will. use it ?

If I add the this to authentication.conf I can login but no SAML data is available, name, email address, groups - roles.
[saml]
defaultRoleIfMissing = splunk_user

If I do not add above authentication is successful but login is refused with a group error: "Saml response does not contain group information."

This is a snip of the response, if I use Auth0 -> Splunk the response has all of the identity data, if I use the AD connector in Auth0: AD -> Auth0 -> Splunk, this is the response. Both methods return user identity data but it is ignored by Splunk.

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ad|Splunk-to-AD-LDAP|xxxxxx-xxxxxxxxx</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2020-04-27T21:30:17.217Z" Recipient="https://1.2.3.4:8000/saml/acs" InResponseTo="mysplunk.6.xxxxxxxxxxxxxxxxx"/>
  </saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-04-27T20:30:17.217Z" NotOnOrAfter="2020-04-27T21:30:17.217Z">
  <saml:AudienceRestriction>
    <saml:Audience>mysplunk</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-04-27T20:30:17.217Z" SessionIndex="_xxxxxxxxx_xxxx">
  <saml:AuthnContext>
     <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">ad|Splunk-to-AD-LDAP|xxxxxxxx</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">first.last@fl.mydomain.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">first last</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://mydomain.auth0.com/identity/claims/groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">splunk_user</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">ad</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">Splunk-to-AD-LDAP</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
0 Karma

ghlogger
Explorer

The xml above is from the plunkd.log but scrubbed.

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...