topic Re: How to enable SSO? in Security

How to enable SSO?

JoshWhaley — Tue, 21 Jul 2015 17:22:43 GMT

I am working on enabling SSO with a Splunk Enterprise instance, and have set up the reverse proxy on our Windows server. When viewing the /debug/sso page, I am correctly receiving the Remote-User parameter, but it is showing that SSO is not enabled ( SSO Enabled: No ). I have the following in system/local/web.conf:

SSOMode = permissive # I've tried strict as well, which doesn't seem to be affecting anything (even after a restart). I'm still taken to a login page, which shouldn't happen.
remoteUser = Remote-User
trustedIP = <ip of my reverse proxy>,127.0.0.1
tools.proxy.on = false # true takes me to a page saying "Forbidden: Strict SSO" when trying to view anything other than debug pages
                       # I get this same error even if SSOMode is set to permissive

system/local/server.conf:

trustedIP = 127.0.0.1,<ip of reverse proxy>

What else needs to be changed in order to enable SSO on my Splunk instance? To me, it seems like my SSOMode option is being totally ignored by Splunk.

Here's a screenshot of what /debug/sso looks like:

EDIT: For clarification, I added more info from my web.conf, and from server.conf as well.

Re: How to enable SSO?

jworthington_sp — Tue, 21 Jul 2015 17:33:33 GMT

You might be missing an attribute. And if that doesn't work, you might try setting SSOMode=strict. Also make sure you have the trusted IP listed in server.conf.

Here's a code sample for web.conf from the Security Manual:

SSOMode = strict
trustedIP = 127.0.0.1,10.3.1.61,10.1.8.81
remoteUser = X-Remote-User
tools.proxy.on = True

The following topic in the Securing Splunk manual might be helpful:

http://docs.splunk.com/Documentation/Splunk/6.2.4/Security/ConfigureSplunkSSO

Hope this helps!

Re: How to enable SSO?

JoshWhaley — Tue, 21 Jul 2015 18:14:59 GMT

See my updated question. None of these have worked, and I'm still seeing SSO Enabled: No.

Re: How to enable SSO?

jokajak — Thu, 17 Sep 2015 12:21:45 GMT

I was having the same problem. I ended up fixing it by adding the following lines to web.conf. I did not add any trustedIP to server.conf because I could not determine what section it should fall in.

  # If set to 1, and if appServerPorts is set to a non-zero value, this
  # will allow SSO to work even if server.conf doesn't have a trustedIP
  # set (it still needs to be set in web.conf)
  allowSsoWithoutChangingServerConf = 1

,I had the same problem. I added the following lines to my web.conf:

# If set to 1, and if appServerPorts is set to a non-zero value, this
# will allow SSO to work even if server.conf doesn't have a trustedIP
# set (it still needs to be set in web.conf)
allowSsoWithoutChangingServerConf = 1

I did not set anything in server.conf

Re: How to enable SSO?

JoshWhaley — Thu, 17 Sep 2015 14:25:35 GMT

Maybe the fact that you didn't add anything to the trustedIP in server.conf is what fixed it for you, believe it or not. I ended up resolving the issue when I realize that, unlike web.conf, server.conf's trustedIP only allows a single IP address. Removing the second IP address (leaving only localhost) from server.conf's trustedIP field resolved the issue for us.

Re: How to enable SSO?

JoshWhaley — Thu, 17 Sep 2015 14:28:03 GMT

I was finally able to resolve this issue once I realized that, unlike web.conf, server.conf's trustedIP only allows for a single IP address. Removing the second IP address, leaving only localhost (127.0.0.1), fixed the problem, and SSO began to work as expected.

Re: How to enable SSO?

vidyadharms — Mon, 26 Sep 2016 14:02:06 GMT

Can you please share the steps to Edit the properties on your proxy server to authenticate against your external authentication system? We are using IIS 8.5 as Reverse Proxy....But only redirection happens but SSO didn't work. We got see only Splunk login page. No value for X-Remote-User variable when checked in Splunk SSO debug page.