Saviynt Forums

AtrayeeDutta · ‎10/31/2023

Hi Team,

We followed Saviynt SIEM Integration (saviyntcloud.com) Splunk documentation to enable Integration between Saviynt and Splunk and the integration is working as expected in non-prod environment. We are able to get reports from both from API and in Splunk.

However , we are facing issues with Production when we migrated same changes. The only difference between dev and prod is SSO. Prod is configured with SSO.

To debug the issue for prod, we ran the get token from API for the Splunk user and we are able to get token successfully. However, when we use the token to run analytics we are seeing following result. Details are below.

1. API - https://domain.saviyntcloud.com/ECM/api/v5/fetchRuntimeControlsDataV2

2. Result

<head>

</head>

<p>

<strong>Note:</strong> Since your browser does not support JavaScript,

you must press the Continue button once to proceed.

</p>

</noscript>

<form action="https://login.microsoftonline.com/b5b8b483-5597-4ae7-8e27-fcc464a3b584/saml2"

method="post">

<div>

</div>

<div>

</div>

</noscript>

</form>

</body>

</html>

Any suggestions ?

[This message has been edited by moderator to remove url]

SB · ‎11/02/2023

Can you share the postman payload for the call you are trying to make.

Also, can you confirm if you are able to run any other call (like get user/ accounts etc)

Regards,
Sahil

rushikeshvartak · ‎11/03/2023

Share postman screenshot

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

AtrayeeDutta · ‎11/21/2023

Here is the Payload:

{

"analyticsname": "Identity_Object_Splunk_Report",

"analyticsid":"1694",

"attributes":

{

"timeFrame": "1440"

}

Attached Post man response screenshot

AtrayeeDutta · ‎11/21/2023

And also, when i decode the SAML request (which is in Postman response) .. it is redirecting to SSO authentication.

Following are the values for the splunk_api_user:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://domain.saviyntcloud.com/ECM/saml/SSO/alias/SAVIYNTPROD" Destination="https://login.microsoftonline.com/12345/saml2" ForceAuthn="false" ID="12345" IsPassive="false" IssueInstant="2023-11-21T15:38:16.145Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">SAVIYNTPROD</saml2:Issuer></saml2p:AuthnRequest>

sk · ‎11/21/2023

@AtrayeeDutta : Are you able to get the token using splunk_api_user? Because I see localauthenabled is set to false.

Looking at behaviour, I believe you need to enable localauthenabled for this user

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

AtrayeeDutta · ‎11/21/2023

Yes, We are able to get the token using splunk_api_user (both time when localauthenabled set to 1 or 0) .

We made localauthenabled to false for splunk_api_user in prod (initially it was true) to make sure it is matching dev since localauthenabled in dev is false and where it is working as expected.

rushikeshvartak · ‎11/21/2023

Its working for me

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

AtrayeeDutta · ‎11/24/2023

Can you confirm if your environment is configured SSO and enabled.

Saviynt Forums

Unable to run analytics through API