- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk SSO with SAML2 SimpleSAMLPHP as Idp and apache2 2.22 as reverse proxy and mod-auth-mellon 0.9 on it as SP not working [SOLVED]
I have been trying the past days to have Splunk SSO working with SimpleSAMLPHP as IdP without success.
I confirm the header X-Remote-User is well set in http://splunk_example_url.com:8000/splunk/en-US/debu/sso when I don't use SAML (so SP mellon and the IdP SimpleSAMLPHP).
Then, if I enable mellon, I am first well routed to my SimpleSAMLPHP auth IdP where I log in.
But then, it is doing a loop on the redirect to http://my_apache_splunk_proxy_example_url/splunk/, rerouting to my IdP and so on and so forth.
Did you already experience this kind of problems?
Maybe I should not even try because I haven't seen any others tutorial than for Okta, OpenAM and LDAP as SAML2 IdP.
Here is my configuration:
I have:
- Splunk 6.2.1 (CentOS): 192.168.111.10
- Apache2 2.22 and mod-auth-mellon 0.9 (Debian): 192.168.111.14 => simplesamlsample.com
- IdP: 192.168.111.2
On splunk side:
/opt/splunk/etc/system/local/server.conf
[general]
trustedIP = 192.168.111.14
/opt/splunk/etc/system/local/web.conf
[settings]
remoteUser = X-Remote-User
SSOMode = strict
tools.proxy.on = true (=> to true, even if it seems it is not necessary anymore with apache2)
trustedIP = 127.0.0.1, 192.168.111.14, 192.168.111.10
allowSsoWithoutChangingServerConf = 1
root_endpoint = /splunk
Test of Apache/Splunk connection OK
On Apache server: /etc/apache2/available-sites/default
ServerName simplesamlsample.com
DocumentRoot /var/www/simplesamlsample.com
Require all granted
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
CustomLog ${APACHE_LOG_DIR}/access.log combinedRequestHeader set X-REMOTE-USER admin
Order deny,allow
Allow from all
ProxyRequests Off
ProxyPreserveHost On
ProxyPassInterpolateEnv On
ProxyPass /splunk/ http://192.168.111.10:8000/splunk/
ProxyPassReverse /splunk/ http://192.168.111.10:8000/splunk/
ProxyPassReverseCookiePath / /
I restarted and I tested this configuration without SAML2 authentication.
That means I connect to http://192.168.111.14/splunk/ and I get routed to Splunk with right X-Remote-User set (confirmed by using http://simplesamlsample.com/splunk/debug/sso url). It works like a charm.
- Test with mod-auth-mellon SP and SimpleSAMLSample IdP
On Apache server:
I installed and enabled mod-auth-mellon.
Thanks to the mellon script, I have generated the certs and metadata for my SP. My metadata:
./mellon_create_metadata.sh urn:splunkweb:simplesamlsample.com http://simplesamlsample.com/secret/endpoint
I modified the endpoint to have the splunk endpoint:
http://simplesamlsample.com/splunk/
// instead of http://simplesamlsample.com/secret/endpoint/
<EntityDescriptor entityID="urn:splunkweb:simplesamlsample.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">…</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://simplesamlsample.com/splunk/"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://simplesamlsample.com/splunk/" index="0"/>
</SPSSODescriptor>
</EntityDescriptor>
and then, I’ve submitted the SP metadata to the IdP and I copied these files in the dir I’ve created /etc/apache2/mellon/ with right access ok. In addition to that, I copied my SimpleSAMLPHP IdP's metadata in the same directory as idp-metadata.xml.
I added the mellon configuration to apache2:
/etc/apache2/available-sites/default
<VirtualHost simplesamlsample.com:80>
ServerName simplesamlsample.com
DocumentRoot /var/www/simplesamlsample.com
<Directory /var/www/simplesamlsample.com>
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
CustomLog ${APACHE_LOG_DIR}/access.log combined
RequestHeader set X-REMOTE-USER admin
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPassInterpolateEnv On
ProxyPass /splunk/ http://192.168.111.10:8000/splunk/
ProxyPassReverse /splunk/ http://192.168.111.10:8000/splunk/
ProxyPassReverseCookiePath / /
MellonCacheSize 100
MellonLockFile "/var/lock/mod_auth_mellon/lock"
<Location />
# Add information from the auth_mellon session to the request.
MellonEnable "auth"
Require valid-user
AuthType "Mellon"
MellonVariable "mellon-cookie"
MellonSamlResponseDump On
# Configure the SP metadata
# This should be the files which were created when creating SP metadata.
MellonSPPrivateKeyFile /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.key
MellonSPCertFile /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.cert
MellonSPMetadataFile /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.xml
# IdP metadata. This should be the metadata file you downloaded from the IdP.
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
#MellonUser "email"
# this is the property coming on the SAML assertion set as REMOTE_USER
# MellonUser "username"
# The location all endpoints should be located under.
# It is the URL to this location that is used as the second parameter to the metadata generation script.
# This path is relative to the root of the web server.
MellonEndpointPath /mellon
# Options +FollowSymLinks
RequestHeader set X-REMOTE-USER admin #=> Trying this way first
</Location>
</VirtualHost>
Then, I restarted the apache server. I am well routed to the IdP when I open http://simplesamlsample.com. I do the authentication on it and then I am routed to the address http://simplesamlsample.com/splunk/. For now, I don’t care the attributes I get. That’s why I set X-Remote-User with a supposed to be working hardcoded value.
Unfortunately, after logging on the IdP, I get rerouted to the IdP authentication already done so then the security warning (because still no https). I have an infinite loop on the warning screen.
Would you have an idea?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the detailed explanation:
1. Splunk server configuration
1.1. Installed Splunk 6.2.1 with Developer license on 192.168.111.10
1.2. /opt/splunk/etc/system/local/web.conf
Note: with 192.168.111.14 the Apache server’s IP address
# Remote user HTTP header sent by the authenticating proxy server.
# This header should be set to the authenticated user.
remoteUser = X-Remote-User
# SSO mode.
# Allows SSO to behave in either permissive or strict mode.
# Permissive: Users may login to splunkweb using a valid splunk account
# even if they are coming from a non trusted IP.
# Strict: All requests to splunkweb will be restricted to those originating
# from a trusted IP except those to endpoints not requiring authentication.
#
# allowed values: strict, permissive
# default: strict.
#
SSOMode = strict
# Trusted IP. This is the IP address of the authenticating proxy.
# Splunkweb verifies it is receiving data from the proxy host for all
# SSO requests.
# Set in local/web.conf a valid IP address to enable SSO.
#
# trustedIP = 127.0.0.1
trustedIP = 127.0.0.1, 192.168.111.14, 192.168.111.10
# If set to 1, and if appServerPorts is set to a non-zero value, this
# will allow SSO to work even if server.conf doesn't have a trustedIP
# set (it still needs to be set in web.conf)
allowSsoWithoutChangingServerConf = 1
# Top level name for the site
root_endpoint = /splunk
1.3. /opt/splunk/etc/system/local/server.conf
Note: seems being deprecated as allowSsoWithoutChangingServerConf now in web.conf
[general]
trustedIP = 192.168.111.14
1.4. Restart splunk service
2. Apache server configuration
2.1. Install Debian Wheezy 7.8
2.2. Check that the timezone configured is the same than on the PC IdP
2.3. Proxy configuration
Edit /etc/environment...
2.4. Firewall configuration (quite common, but just to make sure the right ports are opened)
Edit /etc/iptables-up.rules
#Common firewall config
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [189:103951]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 25,587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
-A INPUT -j LOG
-A FORWARD -j LOG
COMMIT
*mangle
:PREROUTING ACCEPT [49770:4531554]
:INPUT ACCEPT [49770:4531554]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48931:39133213]
:POSTROUTING ACCEPT [48931:39133213]
COMMIT
*nat
:PREROUTING ACCEPT [4223:278291]
:INPUT ACCEPT [1650:94585]
:OUTPUT ACCEPT [2836:192019]
:POSTROUTING ACCEPT [2836:192019]
COMMIT
To load these rules to iptables firewall:
iptables-restore < /etc/iptables.up.rules
To save iptables firewall active rules:
iptables-save > /etc/iptables.up.rules
To load these rules to on startup:
nano /etc/network/interfaces
add to eht0 interface:
post-up iptables-restore < /etc/iptables.up.rules
2.5. Repository configuration to be able to load packages and specifically ‘mod-auth-mellon’
(our SAML2 SP)
https://github.com/UNINETT/mod_auth_mellon/wiki/GenericSetup
http://backports.debian.org/Instructions/
To have updates and be able to load packages from wheezy repository:
# to be added in /etc/apt/sources.list :
deb http://ftp.us.debian.org/debian/ wheezy main contrib non-free
deb-src http://ftp.us.debian.org/debian/ wheezy main contrib non-free
To load libapache2-mod-auth-mellon:
# to be added in /etc/apt/sources.list :
deb http://http.debian.net/debian wheezy-backports main
Finally run below command to have this new repository available with command line:
apt-get update
2.6. ssh configuration
apt-get install ssh;
2.7. Load libapache2-mod-auth-mellon
apt-get install -t wheezy-backports libapache2-mod-auth-mellon;
2.8. Mellon SP configuration
Create the mellon directory and copy mellon_create_metadata.sh:
/etc/apache2/mellon
Enable auth-mellon in Apache:
a2enmod auth_mellon
Generate the SP metadata:
cd /etc/apache2/mellon
./mellon_create_metadata.sh urn:splunkweb:simplesamlsample.com http://simplesamlsample.com/secret/endpoint
Note: simplesamlsample.com is the Apache server name which is preserved even after the Splunk redirect.
The files generated are:
- urn_splunkweb_simplesamlsample.com.xml => BE CAREFUL HERE, the urls parsed by SimpleSAMLPHP have to end with logout and postResponse as below:
<EntityDescriptor entityID="urn:splunkweb:simplesamlsample.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MI...RZyv</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://simplesamlsample.com/secret/endpoint/logout"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://simplesamlsample.com/secret/endpoint/postResponse" index="0"/>
</SPSSODescriptor>
</EntityDescriptor>
urn_splunkweb_simplesamlsample.com.cert
urn_splunkweb_simplesamlsample.com.key
To create the Circle Of Trust between the SP and the IdP:
- Provide the SP metadata file ‘urn_splunkweb_simplesamlsample.com.xml’ to the PC IdP
- Get the PC IdP and copy it in /etc/apache2/mellon with for instance the name: idp-metadata.xml
Load the rewrite module:
cp –f /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/
Load the headers module:
cp –f /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/
Load the proxy modules:
cp –f /etc/apache2/mods-available/proxy* /etc/apache2/mods-enabled/
Update /etc/apache2/sites-available/default => BE CAREFUL here, mellon prefixes all the attributes received from the idp with 'MELLON_'. In my case, I wanted to use the email so MELLON_email:
<VirtualHost simplesamlsample.com:80>
ErrorLog ${APACHE_LOG_DIR}/error.log
#values: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel debug
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyRequests Off
ProxyPass /secret/ !
ProxyPassInterpolateEnv On
MellonCacheSize 100
MellonLockFile "/var/lock/mod_auth_mellon/lock"
<Location />
MellonEnable "auth"
Require valid-user
AuthType "Mellon"
MellonVariable "cookie"
MellonSPPrivateKeyFile /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.key
MellonSPCertFile /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.cert
MellonSPMetadataFile /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.xml
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
#MellonUser "email"
MellonEndpointPath /secret/endpoint
MellonDefaultLoginPath /en-US/
#RequestHeader set X-REMOTE-USER admin
RequestHeader set X-REMOTE-USER %{MELLON_email}e
MellonSamlResponseDump On
ProxyPass http://192.168.111.10:8000/
ProxyPassReverse http://192.168.111.10:8000/
ProxyPassInterpolateEnv On
</Location>
</VirtualHost>
Restart Apache:
service apache2 restart
Open url http://simplesamlphp.com and check the SAML Authn request (SP to Idp) and SAML Authn response (IdP to SP) thanks to the great SAML plugin of Firefox
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_6e....99c"
Version="2.0"
IssueInstant="2015-04-02T23:26:07Z"
Destination="http://simplesamlsample.com/secret/endpoint/postResponse"
InResponseTo="_A75...C2"
>
<saml:Issuer>https://myidpurl.com/saml2/idp/metadata.php</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_6e355ee2e7c2ff009445a9402c9b3291ba4018199c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>eEzfF....2QJB0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>By4yfd6G...G8/RY=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MII...mO4=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
ID="_029....8604"
Version="2.0"
IssueInstant="201...7Z"
>
<saml:Issuer>https://myidpurl.com/saml2/idp/metadata.php</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_029...04">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>c3N../kbk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>JVJq....QZI=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIC...VmO4=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID SPNameQualifier="urn:splunkweb:simplesamlsample.com"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>_24ef464490ec9d84315d794d4d21950d4769d9c842</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2015-04-02T23:31:07Z"
Recipient="http://simplesamlsample.com/secret/endpoint/postResponse"
InResponseTo="_A75E41690FE1541537F680159A38A3C2"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2015-04-02T23:25:37Z"
NotOnOrAfter="2015-04-02T23:31:07Z"
>
<saml:AudienceRestriction>
<saml:Audience>urn:splunkweb:simplesamlsample.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2015-04-02T23:26:07Z"
SessionNotOnOrAfter="2015-04-03T07:26:07Z"
SessionIndex="_d996...41c"
>
<saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xsi:type="xs:string">myemail@mydomain.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
You should get routed to Splunk, in my case, http://simplesamlsample.com/splunk/en-US...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please post how you got it working? Facing same issue,Can you tell how was this done?I am having same issue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I finally made it worked!! I will post the details of my config very soon.