Securing Splunk Enterprise
Troubleshoot SAML SSO
Here are some common issues and how to resolve them.
Error message: SAML fails to verify assertions
You see the following error message:
Failed to verify the assertion - The 'Audience' field in the saml response from the IdP does not match the configuration
Mitigation
1. SAML errors are recorded in splunkd.log on the search head. To see the complete error message, run the following search on that search head:
index=_internal sourcetype=splunkd SAML error
You should see an event similar to this:
09-18-2017 14:58:06.939 +0000 ERROR Saml - Failed to verify the assertion - The 'Audience' field in the saml response from the IdP does not match the configuration, Error details=Expected=https://<instance_name>.com, found=https://<wrong_instance_name>.com/
The "Expected" value is the entityId that Splunk is configured with. The "found" value is the Audience that the IdP actually put in the assertion. The comparison is an exact string match, so a difference as small as a trailing slash causes this error.
2. Set entityId in the [saml] stanza of authentication.conf to the value that the IdP sends, that is, the "found" value from the error message in step 1. Alternatively, change the Audience (the SP entity ID) on the IdP side so that it matches the value Splunk expects. Either way, confirm that the value is the entity ID you intended for this search head before you change it.
[saml]
entityId = https://<instance_name>.com/
3. Reload authentication.conf from Splunk Web at Settings > Access Controls > Authentication Method > Reload Authentication configuration.
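The following script is an added example, not Splunk code. It performs the comparison behind the error above: it reads entityId from an authentication.conf-style text, extracts every Audience from a SAML Response, parses the splunkd.log line, and reports whether the mismatch is only a trailing slash. The conf fragment, the SAML Response, and the log line are constructed samples; the hostname splunk.example.com is a placeholder.

```python
"""Audience vs. entityId check for the 'Failed to verify the assertion' error.

Added example (not Splunk code). It reads the [saml] entityId from an
authentication.conf-style text, pulls every <saml:Audience> out of a SAML
Response, and explains a mismatch. The conf fragment, SAML Response and
splunkd.log line below are constructed samples, not captured from a deployment.
"""
import configparser
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed authentication.conf fragment.
AUTH_CONF = """\
[authentication]
authSettings = saml
authType = SAML

[saml]
entityId = https://splunk.example.com
"""

# Constructed SAML Response; the Audience carries a trailing slash that the
# configured entityId lacks, which is exactly the case in the log line.
SAML_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://splunk.example.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed splunkd.log line in the shape the documentation shows.
LOG_LINE = (
    "09-18-2017 14:58:06.939 +0000 ERROR Saml - Failed to verify the assertion - "
    "The 'Audience' field in the saml response from the IdP does not match the "
    "configuration, Error details=Expected=https://splunk.example.com, "
    "found=https://splunk.example.com/"
)
LOG_RE = re.compile(r"Expected=(?P<expected>\S+?), found=(?P<found>\S+)$")


def configured_entity_id(conf_text):
    """Return [saml] entityId from authentication.conf text (None if unset)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("saml", "entityId", fallback=None)


def audiences_in_response(xml_text):
    """All <saml:Audience> values in a SAML Response, in document order."""
    root = ET.fromstring(xml_text)
    return [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]


def audience_from_log(line):
    """(expected, found) pair from the splunkd.log error, or None if absent."""
    m = LOG_RE.search(line)
    return (m.group("expected"), m.group("found")) if m else None


def audience_matches(entity_id, audiences):
    """Exact match, as the SP must do: 'https://x' and 'https://x/' differ."""
    return entity_id in audiences


def diagnose(entity_id, audiences):
    """Human-readable verdict for the Audience/entityId comparison."""
    if audience_matches(entity_id, audiences):
        return "ok"
    for aud in audiences:
        if aud.rstrip("/") == entity_id.rstrip("/"):
            return (f"trailing-slash mismatch: IdP sends {aud!r}, Splunk expects "
                    f"{entity_id!r}; set entityId = {aud} or fix the Audience on the IdP")
    return f"audience mismatch: IdP sends {audiences}, Splunk expects {entity_id!r}"


if __name__ == "__main__":
    entity_id = configured_entity_id(AUTH_CONF)
    print("log says:", audience_from_log(LOG_LINE))
    print(diagnose(entity_id, audiences_in_response(SAML_RESPONSE)))
```

The comparison is deliberately exact rather than normalised: the SP must reject an assertion whose Audience is not literally its own entity ID, and the script only uses the normalised form to explain the likely cause, never to accept the assertion.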
Error message: Leaf certificate does not match
You receive the following message:
No leaf certificate matched one from the assertion
This error occurs when the signature verification certificate on the Splunk search head does not match the certificate that the IdP uses to sign SAML messages.
Mitigation
If your signature verification certificate is a self-signed certificate:
Make sure that the certificate that the idpCertPath attribute in authentication.conf points to is the same certificate that the IdP uses to sign SAML messages. You can use OpenSSL to show the details of the certificate that Splunk uses for signature verification and compare them with the signing certificate published in the IdP's metadata. Comparing the serial number, issuer, and subject is usually enough; comparing certificate fingerprints is the most reliable check, because a rotated certificate can keep the same subject.
For example, the following command:
openssl x509 -in etc/auth/idpCerts/idpCert.pem -text -noout | grep 'Serial\|Issuer:\|Subject:'
should produce output similar to this:
Serial Number: 1478287046063 (0x15830c635af)
Issuer: C=US, ST=CA, L=San Francisco, O=Splunk, OU=Splunk Service, CN=5165ffd1bf1a0363c8a5cd8062337fb4
Subject: C=US, ST=CA, L=San Francisco, O=Splunk, OU=Splunk Service, CN=5165ffd1bf1a0363c8a5cd8062337fb4
If the signature verification certificate is part of a certificate chain
Make sure that the signing certificates match and are consistently named. For example, a simple chain has three files, numbered from the root down to the leaf:
- cert_1.pem: the root CA
- cert_2.pem: the intermediate certificate
- cert_3.pem: the leaf certificate, that is, the signing certificate
In this example, make sure that cert_3.pem (the leaf) is the same certificate that the IdP uses to sign responses.
If you have multiple chains, or chains with more than one intermediate CA
In most cases, the certificate chain consists of a single root certificate, a single intermediate certificate, and a single signing certificate. However, you may have multiple chains configured, or more than one intermediate CA.
If you have multiple chains configured, structure your certificate chains as follows, one subdirectory per chain:
$SPLUNK_HOME/etc/auth/idpCerts/
    idpCertChain_1/
        cert_1.pem
        cert_2.pem
        cert_3.pem
    idpCertChain_2/
        cert_1.pem
        cert_2.pem
        cert_3.pem
If you have more than one intermediate CA
If you have more than one intermediate CA, keep the chain in a single subdirectory and continue the numbering from the root to the leaf, so that the highest-numbered file is the signing certificate:
$SPLUNK_HOME/etc/auth/idpCerts/
    idpCertChain_1/
        cert_1.pem
        cert_2.pem
        cert_3.pem
        cert_4.pem
        cert_5.pem
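The following script is an added example, not Splunk code, covering both the self-signed case and the chain layouts above. It selects the leaf from an idpCertChain_N directory (the highest-numbered cert_N.pem), computes its SHA-256 fingerprint, and checks that the IdP's SAML metadata lists the same certificate as a signing key, ignoring keys marked for encryption. It uses only the Python standard library. The certificate bytes and the metadata document are constructed placeholders (not real X.509 DER); the fingerprint comparison works identically on real files.

```python
"""Leaf-certificate check for 'No leaf certificate matched one from the assertion'.
Added example, not Splunk code; standard library only. Picks the leaf out of a chain
directory laid out as in the text (cert_1.pem = root ... cert_N.pem = leaf), fingerprints
it and checks that the IdP metadata lists the same certificate as a signing key. The
certificate bytes are constructed placeholders, not real DER; the comparison is the same.
"""
import base64
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CERT_FILE_RE = re.compile(r"^cert_(\d+)\.pem$")

# Constructed placeholders standing in for DER-encoded certificates.
FAKE_ROOT = b"constructed placeholder: root CA"
FAKE_INTERMEDIATE = b"constructed placeholder: intermediate CA"
FAKE_LEAF = b"constructed placeholder: IdP signing certificate"


def b64(der):
    return base64.b64encode(der).decode()


# Constructed IdP metadata: a signing key (the leaf) plus an encryption key that
# must be ignored, since it never signs assertions.
IDP_METADATA = f"""\
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.com">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(FAKE_LEAF)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(FAKE_INTERMEDIATE)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der):
    """SHA-256 fingerprint of DER bytes as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem_text):
    """DER bytes of the first certificate in a PEM file."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


def idp_signing_fingerprints(metadata_xml):
    """Fingerprints of certificates the IdP may sign with (use="signing" or no use attribute)."""
    root = ET.fromstring(metadata_xml)
    out = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            out.append(fingerprint(base64.b64decode("".join(cert.text.split()))))
    return out


def leaf_cert_path(chain_dir):
    """Path of the leaf: the highest-numbered cert_N.pem, numbered contiguously from 1."""
    numbers = sorted(int(m.group(1)) for m in map(CERT_FILE_RE.match, os.listdir(chain_dir)) if m)
    if numbers != list(range(1, len(numbers) + 1)):
        raise ValueError(f"{chain_dir}: expected cert_1.pem .. cert_N.pem, got {numbers}")
    return os.path.join(chain_dir, f"cert_{numbers[-1]}.pem")


def leaf_matches_idp(chain_dir, metadata_xml):
    """True if the chain's leaf is one of the IdP's signing certificates."""
    with open(leaf_cert_path(chain_dir)) as f:
        return fingerprint(pem_to_der(f.read())) in idp_signing_fingerprints(metadata_xml)


def write_chain(chain_dir, ders):
    """Write cert_1.pem .. cert_N.pem (root first, leaf last) into chain_dir."""
    os.makedirs(chain_dir, exist_ok=True)
    for i, der in enumerate(ders, start=1):
        with open(os.path.join(chain_dir, f"cert_{i}.pem"), "w") as f:
            f.write(der_to_pem(der))
    return chain_dir


def run_demo():
    """A correctly ordered chain and a mis-ordered one; returns (leaf name, good ok, bad ok)."""
    base = tempfile.mkdtemp(prefix="idpCerts-")
    good = write_chain(os.path.join(base, "idpCertChain_1"), [FAKE_ROOT, FAKE_INTERMEDIATE, FAKE_LEAF])
    bad = write_chain(os.path.join(base, "idpCertChain_2"), [FAKE_ROOT, FAKE_LEAF, FAKE_INTERMEDIATE])
    return (os.path.basename(leaf_cert_path(good)),
            leaf_matches_idp(good, IDP_METADATA),
            leaf_matches_idp(bad, IDP_METADATA))


if __name__ == "__main__":
    print(run_demo())
```

On a real deployment, point leaf_matches_idp at $SPLUNK_HOME/etc/auth/idpCerts/idpCertChain_1 and the metadata XML downloaded from the IdP; the second chain in the demo shows the symptom of a chain whose files are numbered in the wrong order, which is the case the mitigation above describes.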
Error message: Attribute query request error
Issue: You see the following message:
ERROR AuthenticationManagerSAML - Requesting user info from ID returned an error. Error in Attribute query request, AttributeQueryTransaction err=Cannot resolve hostname, AttributeQueryTransaction descr=Error resolving: Name or service not known, AttributeQueryTransaction statusCode=502
Mitigation
- The message reports a DNS failure. Make sure that the search head can resolve the hostname in the attribute query URL configured for the IdP.
- Make sure that cipherSuite is specified correctly in the [saml] stanza. For example:
cipherSuite = TLSv1+MEDIUM:@STRENGTH
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
These are the examples that this version of the documentation gives. RC4 is a broken cipher and TLS 1.0 is deprecated, so on a current deployment prefer a cipherSuite that excludes them and matches the rest of your TLS hardening.
- Make sure all SOAP password requirements are met.
- Make sure your SSL settings for SAML are configured correctly in authentication.conf.
Issue: You see the following message:
ERROR AuthenticationManagerSAML - Attribute query request failed. Status code=urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal, Status msg=No attributes found for requested subject
Mitigation
- Make sure that the role, mail, and realName attributes are mapped on the IdP so that they are returned both in the response to the AuthnRequest and in the response to the Attribute Query Request.
Error message: SAML user missing roles
You see the following message:
ERROR UserManagerPro - user="samluser1" had no roles
Mitigation
Make sure that the [rolemap_SAML] stanza in authentication.conf contains the correct mapping, with ";" after each role (group) name that the IdP returns.
User cannot log in
The user cannot log in even though the assertion was validated successfully, because no valid Splunk role is found in the local mapping or in the assertion.
Mitigation
- Make sure that the [rolemap_SAML] stanza maps the roles (groups) that the IdP returns to the appropriate Splunk roles.
- Make sure there are no spaces between, before, or after the roles listed for each Splunk role in authentication.conf, because the names are compared exactly. For example:
[rolemap_SAML]
user = User;Employee
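The following script is an added example, not Splunk code, covering both the "had no roles" error and the login failure above. It parses the [rolemap_SAML] stanza from authentication.conf text (Splunk role = IdP groups separated by ";"), flags the stray whitespace and empty entries that break matching, and computes the Splunk roles a user would receive from the groups in an assertion. The stanza and the group lists are constructed samples; the example assumes an exact, case-sensitive comparison of group names and tolerates a trailing ";" on each line.

```python
"""rolemap_SAML check for 'user="..." had no roles' and post-assertion login failures.
Added example, not Splunk code. Parses the [rolemap_SAML] stanza from authentication.conf
text (Splunk role = IdP groups separated by ';'), flags stray whitespace and empty entries,
and computes the Splunk roles a user would get from the groups in an assertion. The conf
text and group lists below are constructed samples; group matching is assumed to be an
exact, case-sensitive string comparison.
"""
import configparser

# Constructed stanza: 'power' has a space after ';' that breaks the match for Analysts.
AUTH_CONF = """\
[rolemap_SAML]
admin = SplunkAdmins;
power = SplunkPower; Analysts
user = User;Employee
"""


def parse_rolemap(conf_text):
    """{splunk_role: [idp_group, ...]} exactly as written, whitespace preserved."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep role-name case as written
    cp.read_string(conf_text)
    if not cp.has_section("rolemap_SAML"):
        raise ValueError("authentication.conf has no [rolemap_SAML] stanza")
    rolemap = {}
    for role, raw in cp.items("rolemap_SAML"):
        groups = raw.split(";")
        if groups and groups[-1] == "":  # a trailing ';' is allowed
            groups.pop()
        rolemap[role] = groups
    return rolemap


def lint_rolemap(conf_text):
    """Problems that make a group fail to match what the IdP sends."""
    problems = []
    for role, groups in parse_rolemap(conf_text).items():
        if not groups:
            problems.append(f"{role}: no groups mapped")
        for g in groups:
            if g == "":
                problems.append(f"{role}: empty group entry (double ';'?)")
            elif g != g.strip():
                problems.append(f"{role}: group {g!r} has leading or trailing whitespace")
    return problems


def roles_for(conf_text, assertion_groups):
    """Splunk roles granted for the groups in an assertion (exact string match)."""
    wanted = set(assertion_groups)
    return {role for role, groups in parse_rolemap(conf_text).items()
            if wanted.intersection(groups)}


def explain_login(conf_text, user, assertion_groups):
    """Same verdict splunkd reaches: a user with no mapped role cannot log in."""
    roles = roles_for(conf_text, assertion_groups)
    if not roles:
        return f'user="{user}" had no roles (groups sent: {sorted(assertion_groups)})'
    return f'user="{user}" roles={sorted(roles)}'


if __name__ == "__main__":
    for p in lint_rolemap(AUTH_CONF):
        print("lint:", p)
    print(explain_login(AUTH_CONF, "samluser1", ["Analysts"]))
    print(explain_login(AUTH_CONF, "samluser2", ["Employee", "SplunkAdmins"]))
```

Run it against your own authentication.conf text: a user whose assertion carries only "Analysts" gets no roles from the constructed stanza because the mapping stores " Analysts" with a leading space, which is the whitespace problem the mitigation describes.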
User cannot access SAML login page
Authentication is configured as SAML and the settings appear to be correct, but the login screen shows the page for native Splunk authentication instead.
Mitigation
- Make sure that in web.conf, appServerPorts is set to a valid port and not 0.
- Make sure that web.conf does not contain a value for trustedIP. That setting belongs to proxy single sign-on and takes the place of the SAML login.
Error message: Failed to validate SAML logout response
When you log out of Splunk Enterprise or Splunk Cloud, you see the following error message:
Failed to validate SAML logout response received from IdP
Mitigation
This can be caused by a case-sensitive IdP that expects Splunk software to preserve uppercase letters in usernames. Either change the username to lowercase on the IdP, or configure the IdP to accept the lowercase version of the username.
Cannot authenticate users for CLI commands
You cannot authenticate SSO users for CLI commands.
Mitigation
API and CLI commands cannot be run by users that are defined only in SAML, because the user's password is never sent in the SAML assertion, so Splunk has no credential to check. If such users need CLI or REST API access, add them as native Splunk users as well, and give those native accounts only the capabilities the CLI tasks require.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10