I'm currently trying to implement SAML SSO in Splunk 6.3.3 through our IDP OpenAM. We have a clustered search head deployment, so I've set up the same SAML configuration on each of the search heads. Going to the Splunk URL correctly redirects me to my IDP to authenticate, after which I'm returned to Splunk, which then gives me the error "Failed to decode response from IDP Please provide diag for analysis." Looking at the SAML assertion, the attributes all appear to be passed properly: I have mail, role, and realName coming through with the correct values, and the role is mapped in Splunk.
Any help with this would be appreciated.
I'm seeing the SAML assertion in my IDP's logs as well as in the browser using a SAML plugin. Here's a sample of the assertion.
<!-- Sample SAML 2.0 Response captured from the browser. Several values look hand-redacted
     ("asdf", "xx"), so some identifiers below are not consistent with each other; treat the
     inconsistencies flagged in the comments as things to verify in the unredacted capture. -->
<!-- NOTE(review): Destination here is https://splunk.example.com/saml/acs, while SPNameQualifier,
     Recipient and Audience further down use https://splunk-jr.example.com. If that is not a
     redaction artifact, the request was issued under one SP identity and the response is
     addressed to another; an SP is expected to reject a Destination, Recipient or Audience it
     does not own, so confirm the entity ID and ACS URL configured on each search head match
     what the IdP has registered for that search head. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2cbfb3124321dsa23b24083a863fefa5a5fb7" InResponseTo="ip-xx-xxx-x-xxx.example.com.2.CAC3A6AC-A13F-4B98-AC89-38F3B6AADAAB" Version="2.0" IssueInstant="2017-02-21T14:59:46Z" Destination="https://splunk.example.com/saml/acs">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://openam.example.com:443/openam</saml:Issuer>
<!-- Status is Success; the IdP considers the authentication complete. Only the Assertion below
     carries a ds:Signature; the samlp:Response envelope itself is unsigned in this sample. -->
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">
</samlp:StatusCode>
</samlp:Status>
<!-- The Assertion ID is the value the signature's ds:Reference URI must point at (see below). -->
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s215basdfasde364c0a972c1fdba327cebe6ab461" IssueInstant="2017-02-21T14:59:46Z" Version="2.0">
<saml:Issuer>https://openam.example.com:443/openam</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<!-- rsa-sha1 here and the sha1 DigestMethod below are SHA-1 based and widely deprecated; worth
     migrating to the SHA-256 variants once both OpenAM and the Splunk release in use accept them. -->
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<!-- NOTE(review): this URI (...asdfasdfsadf972c...) is not equal to the Assertion ID above
     (...asdfasde364c0a972c...). In a real response the two must be identical, otherwise the
     reference cannot be resolved and signature validation fails. Most likely a redaction slip,
     but verify it in the unredacted capture. -->
<ds:Reference URI="#s215basdfasdfsadf972c1fdba327cebe6ab461">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>rP6GNqHIasdfUPINw8SzaDxqh40pU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
DSFSDFSDFweqerqwer6tfZUzufv2cgdDd4TEYZ1HJyeiyUMTDE9mXx2HOQvJ34NGN9bS1p7ObuER
Zsy6lFa4lg68SDvXUHy7Y0fc4qMldskzxcvasd209adsf0jl2kl323p0R54eFQiAYhmEvYZa
z2JkXS1NGiMhVexDrsE=
</ds:SignatureValue>
<!-- The IdP certificate is embedded in KeyInfo. The SP should verify the signature against the
     IdP certificate it has configured (the one uploaded to Splunk), not against whatever copy
     arrives inside the message. -->
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
aqwerDSSFJKasdfasdheqkeewoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGllkddddddddddddddddddddddddddddddddddddddwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOsdafcahassdfdfdfwwerTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYasdfadsfasdfsatKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0ENshU5vOf+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHqqweryL8CAwEAATANBgkqhkiG9w0BAQshdfgklafqQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfuhassYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhabxcvzcxvJDC
/Ffwasdfasdfasdf
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<!-- Subject uses a persistent NameID. SubjectConfirmationData.InResponseTo repeats the
     AuthnRequest ID from the Response header and must match a request the receiving search
     head itself issued. NOTE(review): with several search heads each generating their own
     request IDs, confirm the IdP's response is delivered back to the search head that sent the
     request; that is an assumption about how the cluster is fronted, not something this sample
     shows. Recipient below must equal the ACS URL of that same search head. -->
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://openam.example.com:443/openam" SPNameQualifier="https://splunk-jr.example.com">IuETZqdtV/M/SSKkmTjan2DbI+y7</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="ip-xx-xxx-x-xxx.example.com.2.CAC3A6AC-A13F-4B98-AC89-38F3B6AADAAB" NotOnOrAfter="2017-02-21T15:09:46Z" Recipient="https://splunk-jr.example.com/saml/acs"/></saml:SubjectConfirmation>
</saml:Subject>
<!-- Validity window is 14:49:46 to 15:09:46 UTC, ten minutes either side of IssueInstant
     (14:59:46). The SP's clock must fall inside this window or the assertion is rejected
     regardless of the signature; check clock skew between OpenAM and each search head. -->
<saml:Conditions NotBefore="2017-02-21T14:49:46Z" NotOnOrAfter="2017-02-21T15:09:46Z">
<!-- Audience is the SP entity ID the assertion is issued for; it must equal the entity ID the
     receiving search head is configured with. -->
<saml:AudienceRestriction>
<saml:Audience>https://splunk-jr.example.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2017-02-21T14:59:46Z" SessionIndex="s29a35edf1eff225e647507eb4dcb107a03bd90203">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<!-- Attributes mail, role and realName, matching the ones the post says are mapped in Splunk. -->
<saml:AttributeStatement>
<saml:Attribute Name="mail">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myemail@example.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="role">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SPK-AdminRole</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="realName">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myuid</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>