ybmmm, 3d ago

Splunk SAML authentication performs a second redirect back to Zitadel before login succeeds

Hello everyone,

Environment
Zitadel version: v3.2.2
Load Balancer: F5

We're running a self-hosted Zitadel behind an F5 load balancer and the latest Splunk Enterprise version. In Zitadel we have a SAML application configured with all the necessary information from the SP Metadata XML, which was generated by Splunk in the SAML Configuration section.

When a user hits our external link, they get redirected once to Zitadel (this is initiated by F5) and successfully log in the first time, but then we get prompted for Zitadel authentication a second time, this time initiated by Splunk. Looking at the session on the F5, it is missing the "Roles" argument, but the second request, initiated by Splunk, contains all of the necessary information, including the "Roles" argument.

I'm using one of the examples from the action scripts page:
function setCustomAttribute(ctx, api) {
  // Nothing to add when the user holds no grants for this project.
  if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
    return;
  }
  // Flatten the roles of every grant into one list.
  let roles = [];
  ctx.v1.user.grants.grants.forEach(grant => {
    grant.roles.forEach(role => {
      roles.push(role)
    })
  })
  // Emit them as a multi-valued "Roles" attribute in the SAML assertion.
  api.v1.attributes.setCustomAttribute('Roles', '', ...roles)
}
Has anyone seen Splunk silently drop the first SAML response under these proxy/LB conditions?
Are there specific IdP metadata or assertion flags Zitadel needs for Splunk's SP to accept the first assertion?
Any tips on settings that ensure Splunk's session cookie "sticks" so only a single SSO redirect is required?

Thanks in advance!
0 Replies
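As an added offline triage helper (not from the original post, nor Zitadel's or Splunk's own code), this Python script decodes a captured SAMLResponse and reports whether it answers a Splunk AuthnRequest (InResponseTo present) and whether it carries the Roles attribute, so the LB-initiated and Splunk-initiated captures described above can be compared side by side. The issuer URL, NameID and role names in the sample builder are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_saml_response(encoded, required_attrs=("Roles",)):
    """Decode one base64 SAMLResponse (HTTP-POST binding) and summarise the
    fields Splunk's SP needs: issuer, subject, whether it answers an
    AuthnRequest, and which attributes (e.g. 'Roles') it carries."""
    # ElementTree does not resolve external entities; for untrusted captures
    # prefer defusedxml anyway.
    root = ET.fromstring(base64.b64decode(encoded))
    attrs = {}
    for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
        # An unsolicited (IdP/LB-initiated) response has no InResponseTo;
        # an SP-initiated one echoes the AuthnRequest ID Splunk generated.
        "sp_initiated": root.get("InResponseTo") is not None,
        "attributes": attrs,
        "missing": [n for n in required_attrs if not attrs.get(n)],
    }

def build_sample_response(roles, in_response_to=None):
    """Constructed, unsigned sample response for offline testing only."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    statement = (f'<saml:AttributeStatement><saml:Attribute Name="Roles">'
                 f"{values}</saml:Attribute></saml:AttributeStatement>") if roles else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
           f' ID="_resp1" Version="2.0"{irt}>'
           "<saml:Issuer>https://idp.example.test/saml/v2/metadata</saml:Issuer>"
           '<saml:Assertion ID="_a1" Version="2.0">'
           "<saml:Issuer>https://idp.example.test/saml/v2/metadata</saml:Issuer>"
           "<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>"
           f"{statement}</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # Mimic the two captures from the post: LB-initiated without Roles,
    # Splunk-initiated with Roles and an InResponseTo.
    first = inspect_saml_response(build_sample_response([]))
    second = inspect_saml_response(build_sample_response(["admin", "power"], "_req42"))
    for label, r in (("first (LB-initiated)", first), ("second (Splunk-initiated)", second)):
        print(f"{label}: sp_initiated={r['sp_initiated']} "
              f"roles={r['attributes'].get('Roles')} missing={r['missing']}")
```

Feed it the base64 SAMLResponse form value taken from each HTTP-POST capture on the F5 and on Splunk; a response with `sp_initiated=False` or `missing=['Roles']` is the one to look at first.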