Splunk SAML authentication performs a second redirect back to Zitadel before login succeeds
Hello everyone,
Environment
Zitadel version : v3.2.2
Load Balancer: F5
We're running a self-hosted Zitadel behind an F5 load balancer and latest Splunk Enterprise version. In Zitadel we have a SAML application configured with all the necessary information from the SP Metadata XML which was generated by Splunk in the SAML Configuration section.
When a user hits our external link, they get redirected once to Zitadel (this is initiated by F5), successfully log in the first time, but then we get prompted for Zitadel authentication a second time but this time initiated by Splunk. Looking at the session on the F5 it it is missing the "Roles" argument, but on the second request initiated by Splunk contains all of the necessary information, including "Roles" argument. I'm using one of the examples from the action scripts page:
Has anyone seen Splunk silently drop the first SAML response under these proxy/LB conditions ? Are there specific IdP metadata or assertion flags Zitadel needs for Splunk’s SP to accept the first assertion ? Any tips on settings that ensure Splunk’s session cookie “sticks” so only a single SSO redirect is required? Thanks in advance!
5 Replies
hey @ybmmm it’s very likely due to F5 not putting the SAML session cookie or missing role attributes in the first assertion. Let me look into this more and will get back to you.
Hi @Rajat, thanks for your reply, would you have any idea what the problem might be ?
Because I'm struggling to understand why is the initial request from the F5 is missing the "Roles" attribute, but the second one, initiated by Splunk does have it ? Thought that if the second request has the "Roles" attribute, that it shouldn't be a problem with the "Actions" script, but I'm having doubts about it. I've tried changing up the script by adding/removing in attributes, but that didn't have any effect on the F5s request, would mainly end up having an error on Splunk that's it's missing SAML group attributes and that's it.
What I'm struggling to understand is where this problem is at, is it with the "Actions" script being incorrect and not passing the attributes, is it with the F5 being miss-configured.
I'll be waiting on your response, thanks !
Hi @Rajat did you have time to take a look in to my issue ? Would really appreciate some input, thanks !
Happy Tuesday @ybmmm, I'll bring @fcoppede into the fold here to help aid support with Rajat out of the office. Thanks!
👋 Hello @ybmmm
To better troubleshoot this issue, could you please share with me a network trace of the complete login flow? Please make sure you start to record the network trace before clicking on "login".
Sample steps to create a network trace using Chrome:
Step 1: Open Chrome Developer Tools
Navigate to the page where you want to start the trace.
Press:
F12 or
Ctrl + Shift + I (Windows/Linux) or
Cmd + Option + I (Mac)
Step 2: Go to the "Network" Tab
In DevTools, click the “Network” tab (top of the panel).
Make sure the red recording dot 🔴 is active.
Step 3: Enable “Preserve Log” Option
Check the “Preserve log” box at the top.
Step 4: Start the Trace
Click the Clear button (⛔ symbol or right-click > Clear) to remove previous entries.
Perform the action you want to capture
Step 5: Save the HAR File
Important: HAR files can include PII, you can remove this by editing the HAR file as a text file and removing passwords or any other data that could be recorded.
Hi @fcoppede 👋
Sorry for such a delay in responding, as requested I've attached the redacted HAR file going through this login flow of two authentications. Let me know if you see anything strange in there.
I've also looked into the configuration for our F5 and nothing seemed out of the ordinary, because I already have another system set up the same way and it has no issues like we're encountering with Splunk.
Looking forward to a response and many thanks !