Splunk as an SP w/Shibb IdP

[Rich Graves]

I currently have a Splunk installation using their so-called single-sign on, i.e., behind an Apache+Shib SP reverse proxy that forwards a REMOTE_USER header. A long-standing annoyance is that if a Splunk browser tab is left open but the session is invalidated, i.e., laptop violating the consistent source IP address policy (see other recent threads), the Splunk web client's continual AJAX polling can create tens of redirects per second until the user either logs on to shibb or kills the tab. (Not really an operational problem, but annoying when I'm looking at the IdP logs.) Has anyone else experienced and solved this problem?

As an alternative, Splunk recently added limited SAML2 support (mostly targeted at well-known cloud IdPs). Although they don't support it, it looks like this should interoperate with Shibboleth. However, it appears to strictly require all Splunk group authorizations to come in via SAML attribute assertions. Unlike the legacy "SSO" reverse proxy situation above, there does not appear to be a way to assign Splunk authorization roles to SAML-authenticated users via Splunk-local authorization tables or backdoor LDAP lookups to AD. Has anyone else experienced and solved this problem?