Dashboards & Visualizations

Using RSA Authentication to Login to Splunk

Builder

Hello all,

I have been tasked with using RSA tokens to login to our Splunk environment. I have been asking around, including the vendor, and still don't have good documentation on how to set this up. We have Splunk installed on Ubuntu. I am told it does work, but I have yet to get my hands on any documentation.

Thanks!

Alex

Tags (2)

Splunk Employee
Splunk Employee

RSA SecurID and Splunk SSO Integration

Problem: RSA SecurID passes the username to Apache with a unique session id attached to the username.

Simple Solution: Pass Apache the username as input by the user in the RSA SecurID login page.

  1. First read Use single sign-on (SSO) with Splunk

  2. Configure Apache as Proxy Server

  3. Add RSA Webagent to Apache httpd.conf

     include /opt/apache/rsawebagent/rsawebagent.conf
    
  4. Go to the The RSA Authentication Agent and configure the Web Agent to use the same login screen for username and passcode.

  5. Modify the RSA Webagent useridandpasscode.htm

    Add JavaScript to the Page

    function SetCookie(cookieName,cookieValue)
    {
    var today = new Date();
    var expire = new Date();
    expire.setTime(today.getTime() + 3600000*24);
    document.cookie = cookieName+"="+escape(cookieValue) + ";expires="+expire.toGMTString();
    }

    Edit Form Submission

    //myForm.userid.value = myForm2.userid.value;
    SetCookie("SPLUNKUSER",myForm.username.value);

  6. Modify Apache httpd.conf to Capture the Cookie

    <virtualHost …..>
     SetEnvIf Cookie "SPLUNKUSER=([^;]\w+)" rsauser=$1 
     RequestHeader set USERNAMEHEADER %{rsauser}e 
    </VirtualHost>
    
  7. Modify Splunk web.conf in the local directory to accept the new Apache header username

     remoteUser = USERNAMEHEADER
    
  8. Check the debug page to ensure SPLUNKUSER is being passed to Splunk

     http://YourSplunkServer:8000/debug/sso
    

Builder

Thank you very much!

Do you know offhand if there is an RSA WebAgent for Ubuntu? I can't seem to find one.

0 Karma

Path Finder

Another approach (though a little more fiddly) is to configure scripted authentication, with the script calling RADIUS.

0 Karma

Splunk Employee
Splunk Employee

The general approach is to configure the RSA authentication agent on Apache, configure Splunk to use the same user directory, proxy Splunk behind the Apache server, configure the RSA agent login page to set a cookie containing the user name, and configure Apache to copy the cookie value to an HTTP header that Splunk is configured to read the username from.

Builder

Thanks for the answer. Did it take a long time for you to implement?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!