10/31/2023 01:08 AM - last edited on 10/31/2023 01:21 AM by Sunil
Hi Team,
We followed the Saviynt SIEM Integration (saviyntcloud.com) Splunk documentation to enable integration between Saviynt and Splunk, and the integration is working as expected in the non-prod environment. We are able to get reports from both the API and Splunk.
However, we are facing issues with Production when we migrated the same changes. The only difference between dev and prod is SSO. Prod is configured with SSO.
To debug the issue for prod, we ran the get token call from the API for the Splunk user and we are able to get the token successfully. However, when we use the token to run analytics, we are seeing the following result. Details are below.
1. API - https://domain.saviyntcloud.com/ECM/api/v5/fetchRuntimeControlsDataV2
2. Result
Any suggestions?
[This message has been edited by moderator to remove url]
11/02/2023 06:05 AM
Can you share the Postman payload for the call you are trying to make?
Also, can you confirm if you are able to run any other call (like get user/accounts etc.)?
11/03/2023 08:55 PM
Share Postman screenshot
11/21/2023 02:17 AM
Here is the Payload:
11/21/2023 07:45 AM
Also, when I decode the SAML request (which is in the Postman response), it is redirecting to SSO authentication.
Following are the values for the splunk_api_user:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="https://domain.saviyntcloud.com/ECM/saml/SSO/alias/SAVIYNTPROD"
    Destination="https://login.microsoftonline.com/12345/saml2"
    ForceAuthn="false"
    ID="12345"
    IsPassive="false"
    IssueInstant="2023-11-21T15:38:16.145Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">SAVIYNTPROD</saml2:Issuer>
</saml2p:AuthnRequest>
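Added example (not part of the original thread and not Saviynt or Splunk code): a small Python helper for the check described in the post above, telling whether an API reply is really an SSO redirect by extracting and decoding the SAMLRequest it carries. The function names and the two assumed reply shapes (a hidden form field, or a SAMLRequest query parameter in a redirect URL) are illustrative assumptions.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Assumed reply shapes (helper names are illustrative): an auto-submitting
# HTML form with a hidden SAMLRequest input, or a URL with SAMLRequest=...
_FORM = re.compile(r'name="SAMLRequest"\s+value="([^"]+)"')
_QUERY = re.compile(r"[?&]SAMLRequest=([^&\s\"'#]+)")

def extract_saml_request(body_or_location: str):
    """Return the base64 SAMLRequest value, or None if the text has none."""
    m = _FORM.search(body_or_location)
    if m:
        return m.group(1)
    m = _QUERY.search(body_or_location)
    return unquote(m.group(1)) if m else None

def decode_saml_request(value: str) -> bytes:
    """Base64-decode; inflate only if the result is not already XML."""
    raw = base64.b64decode(value)
    if raw[:1] != b"<":
        # HTTP-Redirect binding: raw DEFLATE stream without a zlib header.
        raw = zlib.decompress(raw, -15)
    return raw

def summarize_authn_request(xml_bytes: bytes) -> dict:
    """Pull out the fields that show where the caller is being sent."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in SAML message")
    root = ET.fromstring(xml_bytes)
    if root.tag != SAMLP + "AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest: " + root.tag)
    issuer = root.find(SAML + "Issuer")
    return {
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
        "force_authn": root.get("ForceAuthn"),
    }

def diagnose(body_or_location: str):
    """None means no SAMLRequest: the reply was not an SSO redirect."""
    value = extract_saml_request(body_or_location)
    return summarize_authn_request(decode_saml_request(value)) if value else None
```

Pass `diagnose()` the response body or the Location header copied from Postman; a returned dictionary means the API call was answered with an SSO login redirect instead of the report data.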
11/21/2023 08:08 AM
@AtrayeeDutta : Are you able to get the token using splunk_api_user? Because I see localauthenabled is set to false.
Looking at the behaviour, I believe you need to enable localauthenabled for this user.
11/21/2023 09:42 PM
Yes, we are able to get the token using splunk_api_user (both times, when localauthenabled is set to 1 or 0).
We set localauthenabled to false for splunk_api_user in prod (initially it was true) to make sure it matches dev, since localauthenabled in dev is false and it is working as expected there.
11/21/2023 09:51 PM
It's working for me
11/24/2023 04:14 AM
Can you confirm if your environment is configured with SSO and it is enabled?