Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using RSA Authentication to Login to Splunk

aferone
Builder
‎07-06-2011 12:24 PM

Hello all,

I have been tasked with using RSA tokens to login to our Splunk environment. I have been asking around, including the vendor, and still don't have good documentation on how to set this up. We have Splunk installed on Ubuntu. I am told it does work, but I have yet to get my hands on any documentation.

Thanks!

Alex

Tags (2)
Reply

msettipane
Splunk Employee
Splunk Employee
‎07-07-2011 10:40 AM

RSA SecurID and Splunk SSO Integration

Problem: RSA SecurID passes the username to Apache with a unique session id attached to the username.

Simple Solution: Pass Apache the username as input by the user in the RSA SecurID login page.

  1. First read Use single sign-on (SSO) with Splunk

  2. Configure Apache as Proxy Server

  3. Add RSA Webagent to Apache httpd.conf

     include /opt/apache/rsawebagent/rsawebagent.conf

  4. Go to the The RSA Authentication Agent and configure the Web Agent to use the same login screen for username and passcode.

  5. Modify the RSA Webagent useridandpasscode.htm

    Add JavaScript to the Page

    function SetCookie(cookieName,cookieValue)
    {
    var today = new Date();
    var expire = new Date();
    expire.setTime(today.getTime() + 3600000*24);
    document.cookie = cookieName+"="+escape(cookieValue) + ";expires="+expire.toGMTString();
    }

    Edit Form Submission

    //myForm.userid.value = myForm2.userid.value;
    SetCookie("SPLUNKUSER",myForm.username.value);

  6. Modify Apache httpd.conf to Capture the Cookie

    <virtualHost …..>
 SetEnvIf Cookie "SPLUNKUSER=([^;]\w+)" rsauser=$1 
 RequestHeader set USERNAMEHEADER %{rsauser}e 
</VirtualHost>

  7. Modify Splunk web.conf in the local directory to accept the new Apache header username

     remoteUser = USERNAMEHEADER

  8. Check the debug page to ensure SPLUNKUSER is being passed to Splunk

     http://YourSplunkServer:8000/debug/sso
Reply

aferone
Builder
‎07-07-2011 11:14 AM

Thank you very much!

Do you know offhand if there is an RSA WebAgent for Ubuntu? I can't seem to find one.

0 Karma
Reply

bnolen
Path Finder
‎07-07-2011 12:17 AM

Another approach (though a little more fiddly) is to configure scripted authentication, with the script calling RADIUS.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎07-06-2011 08:56 PM

The general approach is to configure the RSA authentication agent on Apache, configure Splunk to use the same user directory, proxy Splunk behind the Apache server, configure the RSA agent login page to set a cookie containing the user name, and configure Apache to copy the cookie value to an HTTP header that Splunk is configured to read the username from.

Reply

aferone
Builder
‎07-07-2011 08:39 AM

Thanks for the answer. Did it take a long time for you to implement?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...