ybmmm
ZITADEL
Created by ybmmm on 6/3/2025 in #questions-help-bugs
Splunk SAML authentication performs a second redirect back to Zitadel before login succeeds
Hello everyone,

Environment
Zitadel version: v3.2.2
Load Balancer: F5

We're running a self-hosted Zitadel behind an F5 load balancer and the latest Splunk Enterprise version. In Zitadel we have a SAML application configured with all the necessary information from the SP Metadata XML, which was generated by Splunk in the SAML Configuration section.

When a user hits our external link, they get redirected once to Zitadel (this is initiated by F5) and successfully log in the first time, but then we get prompted for Zitadel authentication a second time, this time initiated by Splunk. Looking at the session on the F5, it is missing the "Roles" argument, but the second request initiated by Splunk contains all of the necessary information, including the "Roles" argument.

I'm using one of the examples from the action scripts page:
function setCustomAttribute(ctx, api) {
  const user = ctx.v1.getUser() // fetched but not used below
  // Nothing to add when the user holds no project grants.
  if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
    return;
  }
  // Flatten the roles of every grant into one list.
  let roles = [];
  ctx.v1.user.grants.grants.forEach(grant => {
    grant.roles.forEach(role => {
      roles.push(role)
    })
  })
  // Emit them as a multi-valued "Roles" attribute in the SAML assertion.
  api.v1.attributes.setCustomAttribute('Roles', '', ...roles)
}
Has anyone seen Splunk silently drop the first SAML response under these proxy/LB conditions? Are there specific IdP metadata or assertion flags Zitadel needs for Splunk's SP to accept the first assertion? Any tips on settings that ensure Splunk's session cookie "sticks" so only a single SSO redirect is required? Thanks in advance!