Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SAML Users - Missing info - users real name and email address disappear

nclancy_splunk
Splunk Employee
Splunk Employee
‎04-03-2018 05:45 AM

Authentication via SAML works and on initial login the users real name and email address are visible under the users profile both as viewed by the user and as viewed by an admin under the "Users" screen in the Authentication Settings.

At some (seemingly random) point latter the users real name and email address disappear. The user is still logged in and can continue whatever they were doing but the name displayed at the top of the screen changes from thier real name to thier user id.

As far as my understanding of SAML integration goes there is no continuing communication between splunk and the SAML provider after the initial authentication (until the user session times out, which is not happening here since the user continues working fine)

If the user actively logs out from splunk then immediately returns their real name and email address is restored in splunk once again. Then at some point will once again disappear.

Tags (1)
0 Karma
Reply

nclancy_splunk
Splunk Employee
Splunk Employee
‎04-03-2018 05:53 AM

This occurs for Splunk 6.4.4 possibly related to issue SPL-141089 which is fixed in 6.5 and other releases

Problem evaluation:
Prior to this fix, we didn't have a mechanism of keeping the SAML user attributes such as email and realname on the disk
If the auth system were to be bounced, the cache would get cleared, which would result in the loss of the user attributes
Another scenario identified during the course of this investigation: in a SHC, if the SH, which was used by the LB to log the user in, goes down, a different SH in the cluster wouldn't have the user attributes, resulting in the same problem.

Resolution:
Store the user's real name and email id along with the role list under the userToRoleMap_SAML stanza of authentication.conf.
The role list, real name and email are all separated by "::" delimiter. If any of these string have "::" as part of them, the same is stripped off before storing in authentication.conf
The GET endpoint for admin/SAML-user-role-map is also updated to now return real name and email id along with the real list.

This issue has been fixed in the the following releases:
6.5.6+
6.6.4+
7.0.0+

http://docs.splunk.com/Documentation/Splunk/6.5.6/ReleaseNotes/6.5.6
SPL-141089, SPL-143593, SPL-142248, SPL-143592

SAML - Users realName and email being dropped from the UI on authentication bounce

Support have tested this (on 7.0.2) and when you log in this section is added to authentication.conf to have the name/email mapped:
...
[userToRoleMap_SAML]
user@someaddress.net = admin::Tester::user@someaddress.net

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...