Todd Waller

SSO, Basic Troubleshooting and Splunk

Hello Everyone


Today we are going to touch briefly on setting up Single Sign On (SSO) with ADFS in Splunk, but MORE IMPORTANTLY on the ways I found to test SSO, to see what is being passed, and to decode the Base64-encoded messages.


I used a few links to base my setup on; it is pretty straightforward, though.


The Splunk doc for SSO configuration: https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/ConfigureSSOAzureADandADFS


I used Chrome to debug, so the screenshots here are from Chrome. You can do this in IE as well as Firefox; the only difference is where the payload is located in the browser's developer tools.


I went to Splunk web on the Search Head Captain then to: Settings -> Access Controls -> Authentication Method

In the “External” section select: SAML

Select “SAML Settings”




On the SAML Groups page select “SAML Configuration”

You need to get your metadata file from ADFS and either upload it or paste the XML in. Once your metadata is there, click “Apply” and, if everything is correct, it will populate the needed fields:





Now you need to fill in the Alias fields. You can find the corresponding fields in ADFS; we used the claim URIs (the links) for the fields. NOTE: fill in “Mail Alias” as well if it is available.

We use a load-balanced URL, so we entered that and the port used in the advanced settings and left the rest as defaults:




Here is where we hit a few issues.

1. First we tried to save, but it failed because the “IdP certificate path” didn’t exist, so we had to create it on each search head in the cluster (we have a distributed search head cluster).

The path is at: $SPLUNK_HOME/etc/auth/idpCerts



2. We had an issue with “Attribute query request failed.” messages. We resolved this by filling in the “Email Alias” field in the setup fields.

The message found was similar to: ERROR AuthenticationManagerSAML - Attribute query request failed. Status msg=No attributes found for requested subject



3. There were times when I needed to verify the mapping names that are sent, or to make sure requests and responses contain the necessary data. To do this I had to decode Base64-encoded messages. I found that the easiest tool to do this was Notepad++.

So for example say we wanted to see the response sent by ADFS:

1. Press F12 in the browser before navigating to the Splunk web URL




2. Navigate to your Splunk web URL and, in the F12 pane on the “Network” tab, click on the record for “acs”.




3. The details pane will open. Click on “Headers”, scroll to the bottom, and you will find a “SAML Response” field with Base64-encoded data.

It will look something like this:


4. Then open Notepad++, paste it in, “Select All”, and go to “Plugins” -> “MIME Tools” -> “Base64 Decode”.

My sample decoded message:
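If you would rather script the Notepad++ step, here is an added example (not from the original post) that decodes a SAMLResponse value copied from the acs request and pulls out the issuer, status, NameID and the claim names/values ADFS sent, which is exactly what you need to check against the Alias fields. The sample response embedded in it is constructed, not a real ADFS capture, and the claim URIs in it are assumptions.

```python
import base64
from urllib.parse import unquote
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_response(form_value):
    # The acs POST carries SAMLResponse as Base64; dev tools may also show
    # it percent-encoded, so undo that first. Nothing here checks the
    # signature: this is for reading the payload, not for trusting it.
    return base64.b64decode(unquote(form_value)).decode("utf-8")

def summarize_response(xml_text):
    # Pull out what you typically need to verify while troubleshooting:
    # issuer, status, NameID, and the attribute (claim) names and values.
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "status": None if status is None else status.get("Value"),
            "name_id": None if name_id is None else name_id.text,
            "attributes": attrs}

# Constructed sample (not a real ADFS capture), encoded as the browser would post it.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <saml:AttributeValue>splunk-admins</saml:AttributeValue>
    <saml:AttributeValue>splunk-users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for key, value in summarize_response(decode_saml_response(SAMPLE_B64)).items():
        print(f"{key}: {value}")
```

To use it on a real capture, replace SAMPLE_B64 with the SAMLResponse value from the acs request; a response whose attribute list comes back empty is the same condition behind the “No attributes found for requested subject” error above.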



That’s all for now, there may be more on this topic coming up.

If you have any additional testing methods please feel free to comment them here!

I welcome the discussion!

Cheers!

Todd
