
Splunk 6.3.3 SAML SSO with OpenAM

akunkel
New Member

I'm currently trying to implement SAML SSO in Splunk 6.3.3 through our IdP, OpenAM. We have a clustered search head deployment, so I've set up the same SAML configuration on each of the search heads. Going to the Splunk URL correctly redirects me to my IdP to authenticate, after which I'm returned to Splunk, which then gives me an error: "Failed to decode response from IDP Please provide diag for analysis." Looking at the SAML assertion, it looks like the attributes are all being passed properly. I have mail, role, and realName coming through with the correct values, and the role is mapped in Splunk.

Any help with this would be appreciated.

I'm seeing the SAML assertion in my IDP's logs as well as the browser using a SAML plugin. Here's a sample of the assertion.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2cbfb3124321dsa23b24083a863fefa5a5fb7" InResponseTo="ip-xx-xxx-x-xxx.example.com.2.CAC3A6AC-A13F-4B98-AC89-38F3B6AADAAB" Version="2.0" IssueInstant="2017-02-21T14:59:46Z" Destination="https://splunk.example.com/saml/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://openam.example.com:443/openam</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">
    </samlp:StatusCode>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s215basdfasde364c0a972c1fdba327cebe6ab461" IssueInstant="2017-02-21T14:59:46Z" Version="2.0">
    <saml:Issuer>https://openam.example.com:443/openam</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#s215basdfasdfsadf972c1fdba327cebe6ab461">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>rP6GNqHIasdfUPINw8SzaDxqh40pU=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
      DSFSDFSDFweqerqwer6tfZUzufv2cgdDd4TEYZ1HJyeiyUMTDE9mXx2HOQvJ34NGN9bS1p7ObuER
      Zsy6lFa4lg68SDvXUHy7Y0fc4qMldskzxcvasd209adsf0jl2kl323p0R54eFQiAYhmEvYZa
      z2JkXS1NGiMhVexDrsE=
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
          aqwerDSSFJKasdfasdheqkeewoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
          bGllkddddddddddddddddddddddddddddddddddddddwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
          ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOsdafcahassdfdfdfwwerTM5WjBnMQsw
          CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
          BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
          AQEFAAOBjQAwgYkCgYasdfadsfasdfsatKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0ENshU5vOf+
          RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
          Js0Vo5+IgjxuEWnjnnVgHqqweryL8CAwEAATANBgkqhkiG9w0BAQshdfgklafqQFAAOBgQB3Pw/U
          QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfuhassYoAdiDA
          cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhabxcvzcxvJDC
          /Ffwasdfasdfasdf
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://openam.example.com:443/openam" SPNameQualifier="https://splunk-jr.example.com">IuETZqdtV/M/SSKkmTjan2DbI+y7</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="ip-xx-xxx-x-xxx.example.com.2.CAC3A6AC-A13F-4B98-AC89-38F3B6AADAAB" NotOnOrAfter="2017-02-21T15:09:46Z" Recipient="https://splunk-jr.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-02-21T14:49:46Z" NotOnOrAfter="2017-02-21T15:09:46Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://splunk-jr.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2017-02-21T14:59:46Z" SessionIndex="s29a35edf1eff225e647507eb4dcb107a03bd90203">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myemail@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="role">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SPK-AdminRole</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="realName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myuid</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

brreeves_splunk
Splunk Employee

The only supported Identity Providers prior to 6.5 were:

  • Ping Identity
  • Okta
  • Azure AD
  • ADFS

http://docs.splunk.com/Documentation/Splunk/6.4.6/Security/HowSAMLSSOworks

6.5.x introduced support for SAML 2.0. Any IdP (Identity Provider) that can generate a SAML 2.0 compliant SAML response can now be used with Splunk, and we'll be glad to assist.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/HowSAMLSSOworks

suarezry
Builder

How are you seeing the SAML assertion? Please post a sample.


akunkel
New Member

I edited the question to include SAML response.


suarezry
Builder

I don't see any problems with the assertion.

My best guess is you'd see this error if the SAML certs are different between two search heads. One sends the request but the IdP assertion goes to a different one. Can you generate the SP metadata from each search head and compare? Confirm that the SP metadata is the same across all the search heads.

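The comparison suggested above can be scripted rather than eyeballed. The following is an added example, not Splunk tooling or anything from the thread: it assumes you have downloaded the SP metadata XML from each search head's SAML configuration page into one document per host, then extracts the fields the IdP actually relies on (entityID, AssertionConsumerService URLs and the fingerprint of each KeyDescriptor certificate) and reports whichever of them differ. The three metadata documents embedded below are constructed stand-ins with placeholder certificate bytes rather than real DER, so the script runs offline.

```python
"""Compare the SAML SP metadata exported by each search head in a cluster.

Added example, not Splunk tooling. Assumes you have downloaded the SP
metadata XML from each search head's SAML configuration page into a
document per host; the three documents below are constructed stand-ins
with placeholder certificate bytes (not real DER).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the certificate bytes, colon-separated like
    `openssl x509 -noout -fingerprint -sha256`."""
    der = base64.b64decode("".join(b64_cert.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def sp_profile(metadata_xml: str) -> dict:
    """Pull the fields the IdP relies on: entityID, ACS URLs and the
    fingerprint of every KeyDescriptor certificate."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
        certs.append((kd.get("use", "any"), cert_fingerprint(cert)))
    acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)]
    return {
        "entityID": root.get("entityID"),
        "acs": tuple(sorted(acs)),
        "certs": tuple(sorted(certs)),
    }


def compare_sp_metadata(docs: dict) -> dict:
    """Return {field: {host: value}} for every field that differs between hosts.
    An empty dict means the IdP sees one consistent SP whichever head answers."""
    profiles = {host: sp_profile(xml) for host, xml in docs.items()}
    diffs = {}
    for field in ("entityID", "acs", "certs"):
        values = {host: p[field] for host, p in profiles.items()}
        if len(set(values.values())) > 1:
            diffs[field] = values
    return diffs


def _metadata(entity_id: str, acs_url: str, cert_bytes: bytes) -> str:
    """Constructed SP metadata in the shape Splunk exports (placeholder cert)."""
    cert_b64 = base64.b64encode(cert_bytes).decode()
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{acs_url}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


# Three search heads sharing entityId and ACS; sh2 was set up with a
# different sslKeysfile, so its signing certificate is not the same.
SAMPLE = {
    "sh1": _metadata("https://splunk.example.com", "https://splunk.example.com/saml/acs", b"cert-A"),
    "sh2": _metadata("https://splunk.example.com", "https://splunk.example.com/saml/acs", b"cert-B"),
    "sh3": _metadata("https://splunk.example.com", "https://splunk.example.com/saml/acs", b"cert-A"),
}

if __name__ == "__main__":
    for field, by_host in compare_sp_metadata(SAMPLE).items():
        print(f"{field} differs across search heads:")
        for host, value in by_host.items():
            print(f"  {host}: {value}")
```

Run against real exports, the only acceptable output is nothing: the IdP imported one SP metadata document, so every head behind the load balancer has to present the same entityId, the same ACS URL and the same certificate, or a response issued for one head will be rejected by another.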

akunkel
New Member

The certs are in fact different; I'll have to make changes for that, so thanks for pointing that out. For now, for debugging, I stopped two of the instances so that it only redirects me to the instance whose metadata I imported into my IdP. I've also disabled authn request and assertion signing, and I'm still getting the same error.

This is the error I'm seeing in splunkd.log.

02-21-2017 13:09:33.282 -0500 INFO  Saml - AuthNRequests will not be signed.
02-21-2017 13:09:34.236 -0500 WARN  UiSAML - SAML - Failed to decode=[PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6\r\ncHJvdG9jb2wiIElEPSJzMmQzODExZGU5MDJjMTIzM2UxYTE5Njc2NzdiMmE2NTdhMmIzN2YwNjgi\r\nIEluUmVzcG9uc2VUbz0iaXAtMTAtMTc2LTEtMjM3LmhlbGl4LmdzYS5nb3YuMTIuMzA0OUIyODEt\r\nM0M0Ny00N0M0LUFFRTUtRUUwODlEQzdEQTdBIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0i\r\nMjAxNy0wMi0yMV ...... ] from IDP.

suarezry
Builder

Post the authentication.conf from this search head.


akunkel
New Member

[authentication]
authSettings = saml
authType = SAML

[rolemap_SAML]
admin = SPK-AdminRole

[saml]
allowSslCompression = true
attributeQueryRequestSigned = false
attributeQueryResponseSigned = false
attributeQuerySoapPassword = $1$lcTpy+ipR2ra
attributeQuerySoapUsername = ackunkel
attributeQueryTTL = 3600
caCertFile = /opt/splunk/etc/auth/server.pem
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
entityId = https://splunk.example.com
fqdn = https://splunk.example.com
idpAttributeQueryUrl = https://openam.example.com:443/openam/ArtifactResolver/metaAlias/idp
idpCertPath = /opt/splunk/etc/system/local/openam_pub.crt
idpSSOUrl = https://openam.example.com:443/openam/SSORedirect/metaAlias/idp
redirectAfterLogoutToUrl = https://internal.example.com
redirectPort = 0
signAuthnRequest = false
signedAssertion = false
sslKeysfile = /opt/splunk/etc/auth/server.pem
sslKeysfilePassword = $1$lcTpy+ipR2ra
sslVerifyServerCert = false
sslVersions = SSL3,TLS1.0,TLS1.1,TLS1.2

suarezry
Builder

signedAssertion = [true|false]
* OPTIONAL
* This tells Splunk if the SAML assertion has been signed by the IDP
* If set to false, Splunk will not verify the signature of the assertion
  using the certificate of the IDP.
* Currently, we accept only signed assertions.
* Defaults to true.

I am unclear if "* Currently, we accept only signed assertions." means that splunk will always try to verify the signature. Anyway, my working config has "signedAssertion = true"

idpCertPath = /opt/splunk/etc/system/local/openam_pub.crt

idpCertPath = <Pathname>
* This value is relative to $SPLUNK_HOME/etc/auth/idpCerts.
* If it is empty, Splunk will automatically verify with certificates in all subdirectories present in $SPLUNK_HOME/etc/auth/idpCerts.

I think this is part of your problem, it's looking for your IdP cert in $SPLUNK_HOME/etc/auth/idpCerts/opt/splunk/etc/system/local/openam_pub.crt. Change this config to "idpCertPath = openam_pub.crt" and put this in $SPLUNK_HOME/etc/auth/idpCerts/openam_pub.crt. Also change "signedAssertion = true".

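Two things in the last few posts are worth checking mechanically rather than by inspection: the splunkd.log line that quotes the raw base64 SAMLResponse, and the idpCertPath / signedAssertion settings just discussed. The script below is an added example, not Splunk code and not from anyone in the thread. It reproduces the shape of the logged blob (the log shows literal CR LF sequences inside the base64, i.e. the IdP wraps it MIME-style at 76 columns), shows how a strict and a lenient base64 decoder treat such a blob, resolves idpCertPath the way the spec text and the previous post read it (an assumption about the concatenation, not verified Splunk behaviour), and then checks the decoded response's Destination, Recipient, Audience and signing certificate against the configured entityId, ACS URL and IdP certificate. The response is a constructed, trimmed copy of the one in the question with a placeholder certificate; ENTITY_ID, ACS_URL and IDP_CERT_DER are assumed configuration values. Two caveats a reviewer would raise: base64 is an encoding, not redaction, so anything visible in the XML is equally visible in the logged blob; and the response posted above carries splunk.example.com in Destination but splunk-jr.example.com in Recipient, Audience and SPNameQualifier while authentication.conf has entityId = https://splunk.example.com. That may be a redaction artifact, but it is exactly the kind of mismatch this check is meant to surface.

```python
"""Triage 'Failed to decode response from IDP' from the splunkd.log blob.

Added example, not Splunk code. Decodes the base64 the IdP POSTed (as
quoted in splunkd.log, CR LF wrapped at 76 columns), resolves idpCertPath
as the spec text reads, and checks the decoded response against assumed
authentication.conf values. The response is constructed.
"""
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_response(blob: str, strict: bool = False) -> bytes:
    """strict=True mirrors a decoder that rejects any non-alphabet byte
    (validate=True raises binascii.Error on CR/LF); the lenient path strips
    line breaks before decoding."""
    if strict:
        return base64.b64decode(blob, validate=True)
    return base64.b64decode("".join(blob.split()))


def strict_decode_fails(blob: str) -> bool:
    try:
        decode_saml_response(blob, strict=True)
    except binascii.Error:
        return True
    return False


def idp_cert_location(idp_cert_path: str, splunk_home: str = "/opt/splunk") -> str:
    """Resolve idpCertPath relative to $SPLUNK_HOME/etc/auth/idpCerts, as the
    spec text says. An absolute value is simply appended (assumed, not verified
    Splunk behaviour), giving the misfiled location described in the thread."""
    return f"{splunk_home}/etc/auth/idpCerts/{idp_cert_path.lstrip('/')}"


def check_response(xml_bytes: bytes, entity_id: str, acs_url: str, idp_cert_der: bytes) -> list:
    """Human-readable findings; an empty list means every field lines up."""
    findings = []
    resp = ET.fromstring(xml_bytes)
    if resp.get("Destination") != acs_url:
        findings.append(f"Destination {resp.get('Destination')} != ACS {acs_url}")
    a = resp.find("saml:Assertion", NS)
    if a is None:
        return findings + ["no saml:Assertion in response (encrypted or missing)"]
    sig = a.find("ds:Signature", NS)
    if sig is None:
        findings.append("assertion unsigned, but signedAssertion = true expects a signature")
    else:
        cert_b64 = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
        seen = hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()
        if seen != hashlib.sha256(idp_cert_der).hexdigest():
            findings.append(f"signing cert {seen[:16]}... is not the cert at idpCertPath")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != acs_url:
        findings.append(f"Recipient {scd.get('Recipient')} != ACS {acs_url}")
    audience = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS).text
    if audience != entity_id:
        findings.append(f"Audience {audience} != entityId {entity_id}")
    return findings


IDP_CERT_DER = b"constructed-openam-cert"  # stands in for the bytes of openam_pub.crt
ENTITY_ID = "https://splunk.example.com"
ACS_URL = ENTITY_ID + "/saml/acs"


def sample_response(sp_host: str, cert_der: bytes) -> str:
    """Constructed response: Destination uses ENTITY_ID's host while Recipient
    and Audience use sp_host, so the two can be made to disagree on purpose."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1"
    Version="2.0" IssueInstant="2017-02-21T14:59:46Z" Destination="{ACS_URL}">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0"
      IssueInstant="2017-02-21T14:59:46Z">
    <saml:Issuer>https://openam.example.com:443/openam</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://{sp_host}/saml/acs"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://{sp_host}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def logged_blob(xml: str) -> str:
    """Base64 wrapped at 76 columns with CR LF, the shape seen in splunkd.log."""
    b64 = base64.b64encode(xml.encode()).decode()
    return "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))


if __name__ == "__main__":
    blob = logged_blob(sample_response("splunk-jr.example.com", IDP_CERT_DER))
    print("strict decoder rejects the logged blob:", strict_decode_fails(blob))
    for line in check_response(decode_saml_response(blob), ENTITY_ID, ACS_URL, IDP_CERT_DER):
        print("-", line)
    print("idpCertPath resolves to:", idp_cert_location("/opt/splunk/etc/system/local/openam_pub.crt"))
```

Whether Splunk 6.3's decoder is the strict or the lenient kind is not something this thread establishes, so the decode result is a data point for the support case rather than a diagnosis; the field checks, by contrast, are deterministic and should come back empty before anything else is debugged.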

akunkel
New Member

Getting the same error. By working config, do you mean with OpenAM, or another IdP?


suarezry
Builder

I use a different IdP. I'm not sure what the problem is then. Perhaps you should engage support. Please post the fix if you determine the cause, I'd be interested to know. Thanks.


akunkel
New Member

I'm talking to support now. Thanks for the help. I'll keep it updated.


markbarber21
Path Finder

Were you ever able to get OpenAM support working? My Org is about to start this process.


akunkel
New Member

I wasn't able to get it working with the built-in SAML functionality, but I was able to get it working with an Apache Reverse Proxy Setup. Similar to https://www.splunk.com/blog/2013/03/28/splunkweb-sso-samlv2/.
