topic Re: How do I make Single Sign On work with mod_proxy in Security

How do I make Single Sign On work with mod_proxy

Alan_Bradley — Sat, 17 Apr 2010 06:06:12 GMT

We are trying to deploy splunk with SSO according to documentation found on http://www.splunk.com/base/Documentation/4.1/Admin/Usesinglesign-onwithSplunk but are hitting a wall.

The suspicion is that mod_proxy does not proxy the remote_user variable needed by Splunk. Anyone know if this and true and known a way around this?

Re: How do I make Single Sign On work with mod_proxy

jrodman — Sat, 17 Apr 2010 07:06:40 GMT

We don't require that the variable representing the user be remote_user. You can configure the 'remoteUser' variable to say how your proxy server spells it. To try to see what your proxy server might be sending, try accessing http://YourSplunkServer:8000/debug/sso

Re: How do I make Single Sign On work with mod_proxy

Nate — Tue, 27 Apr 2010 03:15:12 GMT

Assuming your auth module provides a REMOTE_USER variable in the context of the apache request, you probably need to provide a line like this:

RequestHeader set REMOTE_USER %{REMOTE_USER}s

In your reverse proxy configuration.

For example, the following configuration might be used in an SSPI configuration for Apache:

<VirtualHost>
<Location />
    Order allow,deny
    Allow from all

    AuthName "FOO.COM"
    AuthType SSPI
    SSPIPackage NTLM
    SSPIOfferSSPI On
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOmitDomain On
    SSPIOfferBasic On
    require valid-user 
</Location> 
# Proxy Configurations
ProxyVia On
ProxyPassInterpolateEnv On
<Proxy *>
    Order allow,deny
    Allow from all
</Proxy>
ProxyPass / http://foo.com:8000/
ProxyPassReverse / http://foo2.com:8000/
ProxyPassReverseCookieDomain foo.com foo2.com
ProxyPassReverseCookiePath / /
RequestHeader set REMOTE_USER %{REMOTE_USER}s   

</VirtualHost>

Re: How do I make Single Sign On work with mod_proxy

chris — Tue, 01 Jun 2010 18:16:07 GMT

Based on Nates response I got SSO working with the following config in apache. The only difference is that we use ssl to connect and a non standard ssl port on our splunk server:

<VirtualHost *:8082>
    <Location />   
        Order allow,deny    
        Allow from all    
        AuthName "mysplunkserver.com"    
        AuthType SSPI    
        SSPIPackage NTLM    
        SSPIOfferSSPI On    
        SSPIAuth On    
        SSPIAuthoritative On    
        SSPIOmitDomain On    
        SSPIOfferBasic On    
        require valid-user 
    </Location> 
    # Proxy Configurations
    ProxyVia On
    ProxyPassInterpolateEnv On
    <Proxy *>    
        Order allow,deny    
        Allow from all
    </Proxy>
    ProxyPass / https://mysplunkserver.com:8082/
    ProxyPassReverse / https://mysplunkserver.com:8082/
    ProxyPassReverseCookieDomain mysplunkserver.com publicserver.com
    ProxyPassReverseCookiePath / /
    RequestHeader set REMOTE-USER %{REMOTE_USER}s
    SSLProxyEngine On   
    AllowCONNECT 8082       
</VirtualHost>

Re: How do I make Single Sign On work with mod_proxy

rosroy — Wed, 21 Jul 2010 15:22:05 GMT

Sorry to bump this thread.

I tried this exact configuration but the debug page keeps claiming that REMOTE_USER is null. I can see the user in the apache access.log so I know the authenication is indeed working. Whatever I do I cannot seem to populate the REMOTE_STRING. Any idea will be welcomed

Thanks, Roy.

Re: How do I make Single Sign On work with mod_proxy

adamw — Tue, 03 Aug 2010 23:48:50 GMT

SSPI is only available on Windows Apache, any word on how to get this going with Linux Apache?

Re: How do I make Single Sign On work with mod_proxy

Corey — Wed, 18 Aug 2010 00:30:00 GMT

Assuming you want to authenticate users from Active Directory via an Apache proxy running on Linux, you could easily get this working by using either a free or paid version of Centrify.

The Centrify Suite Application Edition is a paid solution that supports SPNEGO/Kerberos and NTLM for silent authentication as well as BASIC or HTLM forms for username/password authentication.

A free solution would be to configure Splunk for PAM authentication on Linux and use Centrify Express which supports AD authentication from Linux via PAM.

Cool thing about either approach is that you get very robust integration with Active Directory with support for auto-discovery of domain controllers, auto-setup and auto-management of Kerberos and you can even use either solution for authenticating users to the Linux OS.

I might try to see how I can package up the simple PAM + Centrify Express approach and submit it to the splunkbase.

Re: How do I make Single Sign On work with mod_proxy

gareth — Sat, 04 Dec 2010 07:41:28 GMT

If the REMOTE_USER isn't being passed through, try replacing the RequestHeader line with the following:

RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e

You may also have to set the remoteUser setting in web.conf to "REMOTE-USER" (dash rather than underscore):

web.conf:

[settings]
trustedIP = 127.0.0.1
remoteUser = REMOTE-USER

Re: How do I make Single Sign On work with mod_proxy

stefanlasiewski — Mon, 28 Sep 2020 10:07:47 GMT

+1 for recommending 'REMOTE-USER' vs 'REMOTE_USER' in web.conf. I spent an hour trying to figure this out, tried the RequestHeader set REMOTE_USER %{REMOTE_USER}s trick, etc. I noticed that the SSO debug page at http://localhost/en-US/debug/sso was seeing a header called 'Remote-User' but I could not get REMOTE_USER to work for the life of me.

Re: How do I make Single Sign On work with mod_proxy

stefanlasiewski — Sat, 19 Nov 2011 01:24:35 GMT

In web.conf try 'REMOTE-USER' (with a dash) instead of 'REMOTE_USER' (with an underscore).