Trying to get Splunk doing SAML auth against ADFS today. Was getting this error in splunkd.log.
05-15-2020 00:43:39.673 +0000 ERROR Saml - Failed to parse issuer. Could not evaluate xpath expression /samlp:Response/samlp:Status/samlp:StatusMessage or no matching nodes found. No value found in SamlResponse for key=/samlp:Response/samlp:Status/samlp:StatusMessageCould not evaluate xpath expression /samlp:Response/samlp:Status/samlp:StatusDetail/Cause or no matching nodes found. No value found in SamlResponse for key=/samlp:Response/samlp:Status/samlp:StatusDetail/CauseCould not evaluate xpath expression //saml:Assertion/saml:Issuer or no matching nodes found. No value found in SamlResponse for key=//saml:Assertion/saml:Issuer
05-15-2020 00:43:39.673 +0000 ERROR UiSAML - IDP failed to authenticate request. Status Message="" Status Code="Responder"
Turned off Authentication request signing and it came good. I can’t store the frontend cert in the ADFS config because it changes as often as the LetsEncrypt issuance period, so this’ll do for now.
[saml_profile]
signAuthnRequest = false