Known Issue: Changes to how the Splunk platform automatically maps SAML groups to Splunk roles
In Splunk Cloud Platform versions 9.2.2403.102 to 9.2.2403.104, Splunk changed the way that the Splunk platform auto-maps groups that have been defined on a Security Assertion Markup Language (SAML) protocol identity provider (IdP) to Splunk roles.
Product: Splunk Cloud Platform
Version(s): 9.2.2403.102 to 9.2.2403.104
Component: Authentication, Security Assertion Markup Language (SAML) protocol
Problem Class: Authentication failure, incorrect authorization
Problem
When you attempt to log into a Splunk Cloud Platform instance that uses the SAML protocol as an authentication scheme, you might receive an error message "No valid Splunk role found in local mapping." You might also log in successfully, but your account might not receive the roles you expect.
Cause
Splunk implemented a change on some Splunk Cloud Platform deployments where the Splunk platform no longer auto-maps SAML groups to Splunk roles by default. For more information on why Splunk made this change, see the "Background" section of this topic.
Prior to the change, the Splunk platform performed auto-mapping of groups that it retrieved from a SAML identity provider to Splunk roles with the same name. For example, if there is an "admin" group on the SAML IdP, the Splunk platform maps that group to the "admin" Splunk role, and any SAML user who is a member of the "admin" SAML group receives administrator-equivalent privileges on the Splunk platform instance through its "admin" role by virtue of the automatic role mapping.
If you used SAML for authentication previously in your Splunk Cloud Platform deployment, and Splunk subsequently upgraded the deployment to versions 9.2.2403.102 to 9.2.2403.104, auto-mapping of groups to roles no longer occurs, which can result in authentication failures for SAML users in the deployment, as described in the "Problem" section of this topic.
This change only affects Splunk Cloud Platform instances that use SAML as an authentication scheme. It does not affect native Splunk users on the platform. Those users can continue to log in and have access to all Splunk roles you have assigned to them.
Splunk is reversing this change in Splunk Cloud Platform version 9.2.2403.105 and higher based on customer feedback. If you are currently experiencing the login problems that this topic describes, and Splunk has not yet reversed the change on your deployment, you can reverse it yourself by following the procedure in the "Solution" section of this topic.
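The following added example, which is not part of the Splunk documentation or Splunk's code, models the behavior described above to show which SAML users fail to log in or lose roles when auto-mapping is turned off. The role names, explicit role map, users, and the exact-name-match rule are constructed assumptions for illustration.

```python
# Added example: simplified model of SAML group-to-role resolution.
# All names and data are constructed; this is not Splunk's implementation.

SPLUNK_ROLES = {"admin", "power", "user"}  # constructed sample of role names

# Explicit role maps: Splunk role -> SAML groups mapped to it (constructed).
EXPLICIT_MAP = {"user": {"splunk-analysts"}}

# SAML users and the groups the IdP asserts for them (constructed).
SAML_USERS = {
    "alice": {"admin"},                   # relies on same-name auto-mapping only
    "bob": {"splunk-analysts", "power"},  # explicit map plus auto-mapping
    "carol": {"splunk-analysts"},         # explicit map only
}


def resolve_roles(groups, auto_map):
    """Return the Splunk roles a user receives for the given SAML groups."""
    roles = {role for role, mapped in EXPLICIT_MAP.items() if mapped & groups}
    if auto_map:
        # Assumption: auto-mapping is an exact name match of group to role.
        roles |= groups & SPLUNK_ROLES
    return roles


def classify(groups):
    """Compare the role sets with auto-mapping on and off."""
    before = resolve_roles(groups, auto_map=True)
    after = resolve_roles(groups, auto_map=False)
    if not after:
        # Corresponds to "No valid Splunk role found in local mapping."
        return "login_fails", before - after
    if after != before:
        # Login succeeds, but the account is missing expected roles.
        return "roles_lost", before - after
    return "unchanged", set()


def audit(users):
    """Map each user name to (status, roles that depended on auto-mapping)."""
    return {name: classify(groups) for name, groups in users.items()}


if __name__ == "__main__":
    for name, (status, lost) in sorted(audit(SAML_USERS).items()):
        print(f"{name}: {status} lost={sorted(lost)}")
```

Any role reported as lost was granted only through same-name auto-mapping, so it is also a role to review before turning auto-mapping back on.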
Background
In version 9.1.2312 of Splunk Cloud Platform, Splunk changed which SAML groups the Splunk platform automatically mapped to Splunk roles by default. It eliminated auto-mapping of the "admin" and "power" Splunk roles and advised customers to either create unique alternative role maps or turn auto-mapping back on if it was necessary. It also provided an option in Splunk Web to turn auto-mapping on or off.
In version 9.2.2403 of Splunk Cloud Platform, Splunk eliminated auto-mapping of SAML groups to Splunk roles by default entirely. Splunk is reversing this change on Splunk Cloud Platform due to customer feedback.
Splunk implemented both of these changes to address concerns that multiple parties raised as a result of routine security assessments.
Solution
To restore auto-mapping of SAML groups to Splunk roles, turn it on in Splunk Web.
- Log into the Splunk Cloud Platform instance as sc_admin.
- From the system bar, select Settings > Authentication Methods.
- In the Authentication Methods page, under External, select SAML.
- Select the Configure Splunk to use SAML link.
- In the SAML Configuration dialog box that appears, under General settings, select Enable Auto Mapped Roles.
- Select Save.
- Reload the authentication configuration. From the system bar, select Settings > Authentication Methods, and in the Authentication Methods page that appears, select Reload authentication configuration.
This documentation applies to the following versions of Splunk Cloud Platform™: 9.2.2403, 9.2.2406 (latest FedRAMP release)