Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using RSA Authentication to Login to Splunk

aferone
Builder
‎07-06-2011 12:24 PM

Hello all,

I have been tasked with using RSA tokens to login to our Splunk environment. I have been asking around, including the vendor, and still don't have good documentation on how to set this up. We have Splunk installed on Ubuntu. I am told it does work, but I have yet to get my hands on any documentation.

Thanks!

Alex

Tags (2)
Reply

msettipane
Splunk Employee
Splunk Employee
‎07-07-2011 10:40 AM

RSA SecurID and Splunk SSO Integration

Problem: RSA SecurID passes the username to Apache with a unique session id attached to the username.

Simple Solution: Pass Apache the username as input by the user in the RSA SecurID login page.

  1. First read Use single sign-on (SSO) with Splunk

  2. Configure Apache as Proxy Server

  3. Add RSA Webagent to Apache httpd.conf

     include /opt/apache/rsawebagent/rsawebagent.conf

  4. Go to the The RSA Authentication Agent and configure the Web Agent to use the same login screen for username and passcode.

  5. Modify the RSA Webagent useridandpasscode.htm

    Add JavaScript to the Page

    function SetCookie(cookieName,cookieValue)
    {
    var today = new Date();
    var expire = new Date();
    expire.setTime(today.getTime() + 3600000*24);
    document.cookie = cookieName+"="+escape(cookieValue) + ";expires="+expire.toGMTString();
    }

    Edit Form Submission

    //myForm.userid.value = myForm2.userid.value;
    SetCookie("SPLUNKUSER",myForm.username.value);

  6. Modify Apache httpd.conf to Capture the Cookie

    <virtualHost …..>
 SetEnvIf Cookie "SPLUNKUSER=([^;]\w+)" rsauser=$1 
 RequestHeader set USERNAMEHEADER %{rsauser}e 
</VirtualHost>

  7. Modify Splunk web.conf in the local directory to accept the new Apache header username

     remoteUser = USERNAMEHEADER

  8. Check the debug page to ensure SPLUNKUSER is being passed to Splunk

     http://YourSplunkServer:8000/debug/sso
Reply

aferone
Builder
‎07-07-2011 11:14 AM

Thank you very much!

Do you know offhand if there is an RSA WebAgent for Ubuntu? I can't seem to find one.

0 Karma
Reply

bnolen
Path Finder
‎07-07-2011 12:17 AM

Another approach (though a little more fiddly) is to configure scripted authentication, with the script calling RADIUS.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎07-06-2011 08:56 PM

The general approach is to configure the RSA authentication agent on Apache, configure Splunk to use the same user directory, proxy Splunk behind the Apache server, configure the RSA agent login page to set a cookie containing the user name, and configure Apache to copy the cookie value to an HTTP header that Splunk is configured to read the username from.

Reply

aferone
Builder
‎07-07-2011 08:39 AM

Thanks for the answer. Did it take a long time for you to implement?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...