Thanks ... See the IdP response below (exported from SAML Tracer).
Instead of "role", "realName" and "mail", which I believe Splunk expects, the IdP returns "Groups", "FederationKey" and "Email" in the response.
I believe I need to map these to role, realName and mail in the SAML config. I did try that, but the same "No arguments found" error resulted. Thinking it's probably something basic at this point ...
<!-- SAML 2.0 Response as captured in the browser. The SignatureValue and
     X509Certificate contents were redacted by the poster, so the signature
     cannot be verified from this listing.
     Destination (and the Recipient and Audience further down) use plain
     http:// and contain a double slash before "saml/acs"; a bearer assertion
     posted to a non-TLS endpoint is readable in transit.
     No InResponseTo attribute appears on the Response or on
     SubjectConfirmationData in this export, so the SP cannot tie this message
     to a request it issued. -->
<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_37173e23-c4d4-46d6-85c5-0786e1d651f0"
Version="2.0"
IssueInstant="2017-02-10T16:53:10Z"
Destination="http://www.test.com:8000//saml/acs"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml:Issuer>www.auth.test.com</saml:Issuer>
<!-- Enveloped signature over the Response: the Reference URI below equals the
     Response ID. The Assertion further down carries no Signature element of its
     own in this export, so the SP has to verify this signature and then read
     the assertion from the verified tree only. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<!-- rsa-sha1 and the sha1 digest below are legacy algorithms; the SHA-256
     variants are preferable where both IdP and SP support them. -->
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_37173e23-c4d4-46d6-85c5-0786e1d651f0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>FrMXOU9JKV2KMVT70BhsZMBm330=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue> removed signature here==</SignatureValue>
<KeyInfo>
<X509Data>
<!-- NOTE(review): the SP should validate against the IdP certificate it was
     configured with, not trust whatever certificate is embedded here; confirm
     in the SP settings. -->
<X509Certificate> removed cert here...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion Version="2.0"
ID="_a4f4ebeb-42d4-47aa-9290-7ddbf2d39884"
IssueInstant="2017-02-10T16:53:10Z"
>
<saml:Issuer>www.auth.test.com</saml:Issuer>
<saml:Subject>
<!-- NameID has a NameQualifier but no Format attribute. -->
<saml:NameID NameQualifier="www.auth.test.com">chrism@test.com</saml:NameID>
<!-- Bearer confirmation: whoever presents the assertion is accepted as the
     subject until NotOnOrAfter, five minutes after IssueInstant. -->
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2017-02-10T16:58:10Z"
Recipient="http://www.test.com:8000//saml/acs"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- Validity window runs from five minutes before to five minutes after
     IssueInstant. -->
<saml:Conditions NotBefore="2017-02-10T16:48:10Z"
NotOnOrAfter="2017-02-10T16:58:10Z"
>
<saml:AudienceRestriction>
<!-- The Audience value is identical to the ACS URL used as Destination and
     Recipient. NOTE(review): Audience normally carries the SP entity ID;
     confirm it equals the entity ID configured on the SP, otherwise audience
     validation is expected to fail. -->
<saml:Audience>http://www.test.com:8000//saml/acs</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2017-02-10T16:53:10Z"
SessionIndex="1885244480"
>
<saml:AuthnContext>
<!-- Class "unspecified": the IdP does not state how the user authenticated. -->
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<!-- Attribute names sent by the IdP are FederationKey, Groups, FirstName and
     Email; no attribute named role, realName or mail is present.
     NOTE(review): the SP-side mapping presumably has to match these Name values
     exactly, including case; confirm against the Splunk SAML configuration. -->
<saml:AttributeStatement>
<saml:Attribute Name="FederationKey"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FriendlyName="header"
>
<saml:AttributeValue xmlns:q1="http://www.w3.org/2001/XMLSchema"
p7:type="q1:string"
xmlns:p7="http://www.w3.org/2001/XMLSchema-instance"
>chrism@test.com</saml:AttributeValue>
</saml:Attribute>
<!-- Groups arrives as ONE AttributeValue holding a quoted, comma-separated
     string, not as one AttributeValue per group. An SP that compares each
     value against its role mappings would see the whole string, quotes
     included, as a single group name. NOTE(review): confirm how the SP splits
     this value, since it decides which roles the user is granted. -->
<saml:Attribute Name="Groups"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:q2="http://www.w3.org/2001/XMLSchema"
p7:type="q2:string"
xmlns:p7="http://www.w3.org/2001/XMLSchema-instance"
>"HRUserGroup","TEST_EMP","TEST_MGR"</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="FirstName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:q3="http://www.w3.org/2001/XMLSchema"
p7:type="q3:string"
xmlns:p7="http://www.w3.org/2001/XMLSchema-instance"
>CHRISTOPHER</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xmlns:q4="http://www.w3.org/2001/XMLSchema"
p7:type="q4:string"
xmlns:p7="http://www.w3.org/2001/XMLSchema-instance"
>chrism@test.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>