We had success with role mapping with Cloudminder as IdP. There, this worked for us (Splunk 6.5.3):
Attribute statement in assertion:
<ns2:AttributeStatement>
  <ns2:Attribute Name="NameID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>MyName@company.com</ns2:AttributeValue>
  </ns2:Attribute>
  <ns2:Attribute Name="realName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>MyName@company.com</ns2:AttributeValue>
  </ns2:Attribute>
  <ns2:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>MyName@company.com</ns2:AttributeValue>
  </ns2:Attribute>
  <ns2:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>cn=Splunk User,ou=groups,ou=faas,ou=cam,o=ca</ns2:AttributeValue>
    <ns2:AttributeValue>cn=Splunk ESS User,ou=groups,ou=faas,ou=cam,o=ca</ns2:AttributeValue>
  </ns2:Attribute>
</ns2:AttributeStatement>
Corresponding authentication.conf:
[roleMap_SAML]
user = splunk user
ess_user = Splunk ESS User