Dashboards & Visualizations

Using RSA Authentication to Login to Splunk

aferone
Builder

Hello all,

I have been tasked with using RSA tokens to login to our Splunk environment. I have been asking around, including the vendor, and still don't have good documentation on how to set this up. We have Splunk installed on Ubuntu. I am told it does work, but I have yet to get my hands on any documentation.

Thanks!

Alex

Tags (2)

msettipane
Splunk Employee
Splunk Employee

RSA SecurID and Splunk SSO Integration

Problem: RSA SecurID passes the username to Apache with a unique session id attached to the username.

Simple Solution: Pass Apache the username as input by the user in the RSA SecurID login page.

  1. First read Use single sign-on (SSO) with Splunk

  2. Configure Apache as Proxy Server

  3. Add RSA Webagent to Apache httpd.conf

     include /opt/apache/rsawebagent/rsawebagent.conf
    
  4. Go to the The RSA Authentication Agent and configure the Web Agent to use the same login screen for username and passcode.

  5. Modify the RSA Webagent useridandpasscode.htm

    Add JavaScript to the Page

    function SetCookie(cookieName,cookieValue)
    {
    var today = new Date();
    var expire = new Date();
    expire.setTime(today.getTime() + 3600000*24);
    document.cookie = cookieName+"="+escape(cookieValue) + ";expires="+expire.toGMTString();
    }

    Edit Form Submission

    //myForm.userid.value = myForm2.userid.value;
    SetCookie("SPLUNKUSER",myForm.username.value);

  6. Modify Apache httpd.conf to Capture the Cookie

    <virtualHost …..>
     SetEnvIf Cookie "SPLUNKUSER=([^;]\w+)" rsauser=$1 
     RequestHeader set USERNAMEHEADER %{rsauser}e 
    </VirtualHost>
    
  7. Modify Splunk web.conf in the local directory to accept the new Apache header username

     remoteUser = USERNAMEHEADER
    
  8. Check the debug page to ensure SPLUNKUSER is being passed to Splunk

     http://YourSplunkServer:8000/debug/sso
    

aferone
Builder

Thank you very much!

Do you know offhand if there is an RSA WebAgent for Ubuntu? I can't seem to find one.

0 Karma

bnolen
Path Finder

Another approach (though a little more fiddly) is to configure scripted authentication, with the script calling RADIUS.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

The general approach is to configure the RSA authentication agent on Apache, configure Splunk to use the same user directory, proxy Splunk behind the Apache server, configure the RSA agent login page to set a cookie containing the user name, and configure Apache to copy the cookie value to an HTTP header that Splunk is configured to read the username from.

aferone
Builder

Thanks for the answer. Did it take a long time for you to implement?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...