Our Enterprise Splunk instance is SSO-enabled using Ping Fed. Will this work, and if so, does the user just put in "domain/userid" and their AD "password" into the setup?
Also, we are running a Search Head Cluster, so I would assume we point this at the VIP we have set up for the F5.
No, Splunk ODBC will not use Single Sign-On. You will need to configure ODBC to connect with either admin or another local account you created in Splunk.
Is the Splunk management port 8089 open through your F5? If so, then yes, you can point it at your VIP.
I'll have to do some checking, as the way SSO is set up, any time we hit that VIP name it sends it to Ping Fed. Also, if the individual server names are used, it's rerouted through SSO, so there is basically no way, that I know of, to use a local account. I'm not sure if all of that is true hitting the management port, but I'll find out.
Thanks for the info, I figured that was the case but hadn't found anything that specifically says that.
SSO is done through the Splunk web port (8000 by default). This is open at your VIP if it's already working. Local authentication still works even if SSO is enabled, i.e.:
Splunk ODBC talks to the search head using the Splunk API through the management port 8089. This may or may not be open at the F5; you will need to confirm.
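One way to confirm what the thread leaves open, added here as an example that is not part of any poster's reply: attempt a local-account login against Splunk's REST endpoint `/services/auth/login` on port 8089 through the VIP and report whether the port is closed, bounced to SSO, or accepting local credentials. The function names, the `cafile` parameter and the sample replies are assumptions made for illustration.

```python
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx replies instead of following them, so an SSO bounce is visible.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location, body):
    """Interpret a reply to POST /services/auth/login on the management port."""
    if status in (301, 302, 303, 307, 308):
        return f"redirected to {location}: this path is fronted by SSO"
    if status == 401:
        return "port reachable, local credentials rejected"
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        key = ET.fromstring(body).findtext("sessionKey")
    except ET.ParseError:
        return "HTTP 200 but not a Splunk API reply (possibly an SSO login page)"
    return "local login ok" if key else "HTTP 200 without a sessionKey"


def probe(host, user, password, port=8089, cafile=None, timeout=5):
    """Try a local-account login through host:port (host may be the F5 VIP)."""
    ctx = ssl.create_default_context(cafile=cafile)  # TLS verification stays on
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    data = urllib.parse.urlencode({"username": user, "password": password}).encode()
    url = f"https://{host}:{port}/services/auth/login"
    try:
        with opener.open(url, data=data, timeout=timeout) as resp:
            return classify(resp.status, None, resp.read())
    except urllib.error.HTTPError as err:  # 3xx/4xx land here with redirects off
        return classify(err.code, err.headers.get("Location"), err.read())
    except (urllib.error.URLError, OSError) as err:
        return f"cannot reach {host}:{port} ({err})"


if __name__ == "__main__":
    # Constructed replies, not captured from a real deployment.
    print(classify(200, None, b"<response><sessionKey>k</sessionKey></response>"))
    print(classify(302, "https://sso.example.invalid/", b""))
```

If the management port presents a certificate that is not in the system trust store, pass its CA bundle as `cafile` rather than disabling verification.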