topic Re: True SSO: Bypass login page with Centrify Active Directory Integration for Splunk? in Security

True SSO: Bypass login page with Centrify Active Directory Integration for Splunk?

gryan — Sun, 22 Apr 2012 15:21:20 GMT

I'm using the Centrify Active Directory Integration for Splunk and want to know if a user's account credentials can be passed from their intranet-based workstation and logged into splunk seamlessly; that is, without being presented with a login page... like a true SSO solution.

How would this be accomplished?

Re: True SSO: Bypass login page with Centrify Active Directory Integration for Splunk?

dwaddle — Sun, 22 Apr 2012 21:26:07 GMT

It should be possible, but it will require you to do a bit of work. Splunk supports "true" single signon by being front-ended by a single-signon aware proxy server. Splunk will implicitly allow logins in this mode using a header variable provided by the proxy server. Centrify (according to their website) does support single-signon into Apache. Apache can then be configured to proxy into Splunk, passing along the userid which logged in to Apache.

Splunk documentation covers this at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Usesinglesign-onwithSplunk

Re: True SSO: Bypass login page with Centrify Active Directory Integration for Splunk?

gryan — Sun, 22 Apr 2012 21:30:45 GMT

Thanks for your reply. The Centrify module for Apache is not free... therefore it's not an option.

I have an apache2 proxy built, however I have been unable to get it to populate the REMOTE_USER variable. Additionally, it's unclear as to what auth module is recommended for domain lookups into AD. Can you shed some light on that?

I'm looking for the shortest/cheapest path toward true SSO and the Centrify addon looked like it would accomplish that, but unfortunately it only got me half way there.

I do appreciate your time and your recommendations.

Thanks,
G

Re: True SSO: Bypass login page with Centrify Active Directory Integration for Splunk?

gryan — Sun, 22 Apr 2012 21:31:17 GMT

Thanks for your reply. The Centrify module for Apache is not free... therefore it's not an option.

I'm looking for the shortest/cheapest path toward true SSO and the Centrify addon looked like it would accomplish that, but unfortunately it only got me half way there.

I do appreciate your time and your recommendations.

Thanks,
G

Re: True SSO: Bypass login page with Centrify Active Directory Integration for Splunk?

Corey — Sun, 22 Apr 2012 23:28:32 GMT

Dwaddle is correct. An additional bit of information is that I have tested the Centrify Apache module in a reverse proxy mode to front end other applications like SAP and Peoplesoft in addition to Splunk. It works as expected and supports WIA via Kerberos/NTLM over SPNEGO (also works with ADFS for a federated SSO).

I understand gryan is not able to use the Centrify Apache module due to it not being free, but for other readers I thought this might useful information.

Corey - A Centrify product manager

Re: True SSO: Bypass login page with Centrify Active Directory Integration for Splunk?

dwaddle — Mon, 23 Apr 2012 17:40:50 GMT

Unfortunately, you need some active code (like an Apache module) to inject that header variable. Most single signon solutions provide such a plugin that will either (A) pick up on the existence of a valid SSO session cookie, and insert the REMOTE_USER header or (B) not seeing a valid cookie, redirect you to the SSO portal. I know next-to-nothing about Centrify, but expect this is how their Apache module functionally works. To avoid using it, you'll probably have to dive down into writing your own Apache modules.

Re: True SSO: Bypass login page with Centrify Active Directory Integration for Splunk?

agitelzon — Tue, 29 Sep 2020 06:49:02 GMT

I had to do something similar to get apache to populate the REMOTE_USER variable from mod_auth_mellon. You can see what I did here, http://answers.splunk.com/answers/177936/accessing-splunk-enterprise-using-adfs-authenticat.html#answer-289858