Getting Data In

Splunk SSO with SAML2 SimpleSAMLPHP as IdP and apache2 2.22 as reverse proxy and mod-auth-mellon 0.9 on it as SP not working [SOLVED]

mikaelt29
New Member

I have been trying for the past few days to get Splunk SSO working with SimpleSAMLPHP as IdP, without success.
I confirm that the header X-Remote-User is set correctly at http://splunk_example_url.com:8000/splunk/en-US/debug/sso when I don't use SAML (i.e. the SP mellon and the IdP SimpleSAMLPHP).
Then, if I enable mellon, I am first correctly routed to my SimpleSAMLPHP IdP, where I log in.
But then it loops on the redirect to http://my_apache_splunk_proxy_example_url/splunk/, rerouting to my IdP, and so on and so forth.

Have you already experienced this kind of problem?
Maybe I should not even try, because I haven't seen any tutorials other than those for Okta, OpenAM and LDAP as SAML2 IdP.

Here is my configuration:

I have:
- Splunk 6.2.1 (CentOS): 192.168.111.10
- Apache2 2.22 and mod-auth-mellon 0.9 (Debian): 192.168.111.14 => simplesamlsample.com
- IdP: 192.168.111.2

On splunk side:

/opt/splunk/etc/system/local/server.conf
[general]
trustedIP = 192.168.111.14

/opt/splunk/etc/system/local/web.conf
[settings]
remoteUser = X-Remote-User
SSOMode = strict
# => set to true, even if it seems it is not necessary anymore with apache2
tools.proxy.on = true
trustedIP = 127.0.0.1, 192.168.111.14, 192.168.111.10
allowSsoWithoutChangingServerConf = 1
root_endpoint = /splunk

1. Test of Apache/Splunk connection OK

On Apache server:
/etc/apache2/sites-available/default

<VirtualHost simplesamlsample.com:80>
    ServerName simplesamlsample.com
    DocumentRoot /var/www/simplesamlsample.com
    <Directory /var/www/simplesamlsample.com>
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RequestHeader set X-REMOTE-USER admin

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPassInterpolateEnv On
    ProxyPass /splunk/ http://192.168.111.10:8000/splunk/
    ProxyPassReverse /splunk/ http://192.168.111.10:8000/splunk/
    ProxyPassReverseCookiePath / /
</VirtualHost>

I restarted and tested this configuration without SAML2 authentication.
That means I connect to http://192.168.111.14/splunk/ and get routed to Splunk with the right X-Remote-User set (confirmed by using the http://simplesamlsample.com/splunk/debug/sso url). It works like a charm.

2. Test with mod-auth-mellon SP and SimpleSAMLSample IdP

On Apache server:
I installed and enabled mod-auth-mellon.

Thanks to the mellon script, I have generated the certs and metadata for my SP. My metadata:

./mellon_create_metadata.sh urn:splunkweb:simplesamlsample.com  http://simplesamlsample.com/secret/endpoint

I modified the endpoint to use the Splunk endpoint, http://simplesamlsample.com/splunk/, instead of http://simplesamlsample.com/secret/endpoint/:

<EntityDescriptor entityID="urn:splunkweb:simplesamlsample.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">…</KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://simplesamlsample.com/splunk/"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://simplesamlsample.com/splunk/" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>

and then I submitted the SP metadata to the IdP and copied these files into the directory I created, /etc/apache2/mellon/, with the right permissions. In addition, I copied my SimpleSAMLPHP IdP's metadata into the same directory as idp-metadata.xml.

I added the mellon configuration to apache2:

/etc/apache2/sites-available/default
<VirtualHost simplesamlsample.com:80>
    ServerName simplesamlsample.com
    DocumentRoot /var/www/simplesamlsample.com
    <Directory /var/www/simplesamlsample.com>
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RequestHeader set X-REMOTE-USER admin
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPassInterpolateEnv On
    ProxyPass /splunk/ http://192.168.111.10:8000/splunk/
    ProxyPassReverse /splunk/ http://192.168.111.10:8000/splunk/
    ProxyPassReverseCookiePath / /

    MellonCacheSize 100
    MellonLockFile "/var/lock/mod_auth_mellon/lock"
    <Location />
        # Add information from the auth_mellon session to the request.
        MellonEnable "auth"
        Require valid-user
        AuthType "Mellon"
        MellonVariable "mellon-cookie"
        MellonSamlResponseDump On
        # Configure the SP metadata
        # This should be the files which were created when creating SP metadata.
        MellonSPPrivateKeyFile  /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.key
        MellonSPCertFile  /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.cert
        MellonSPMetadataFile /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.xml
        # IdP metadata. This should be the metadata file you downloaded from the IdP.
        MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
        #MellonUser "email"
        # this is the property coming on the SAML assertion set as REMOTE_USER
        # MellonUser "username"
        # The location all endpoints should be located under.
        # It is the URL to this location that is used as the second parameter to the metadata generation script.
        # This path is relative to the root of the web server.
        MellonEndpointPath /mellon
        # Options +FollowSymLinks

        # => Trying this way first (Apache does not accept a trailing comment on a directive line)
        RequestHeader set X-REMOTE-USER admin
    </Location>
</VirtualHost>

Then I restarted the Apache server. I am correctly routed to the IdP when I open http://simplesamlsample.com. I authenticate on it and am then routed to the address http://simplesamlsample.com/splunk/. For now, I don't care about the attributes I get; that's why I set X-Remote-User to a hard-coded value that is supposed to work.

Unfortunately, after logging in on the IdP, I get rerouted to the IdP, where the authentication is already done, and then to the security warning (because there is still no https). I have an infinite loop on the warning screen.

Would you have an idea?

Thanks.


mikaelt29
New Member

Here is the detailed explanation:

1. Splunk server configuration

1.1. Installed Splunk 6.2.1 with Developer license on 192.168.111.10

1.2. /opt/splunk/etc/system/local/web.conf
Note: 192.168.111.14 is the Apache server's IP address.

[settings]
# Remote user HTTP header sent by the authenticating proxy server.
# This header should be set to the authenticated user.
remoteUser = X-Remote-User

# SSO mode.
# Allows SSO to behave in either permissive or strict mode.
# Permissive: Users may login to splunkweb using a valid splunk account
# even if they are coming from a non trusted IP.
# Strict: All requests to splunkweb will be restricted to those originating
# from a trusted IP except those to endpoints not requiring authentication.
#
# allowed values: strict, permissive
# default: strict.
#
SSOMode = strict

# Trusted IP.  This is the IP address of the authenticating proxy.
# Splunkweb verifies it is receiving data from the proxy host for all
# SSO requests.
# Set in local/web.conf a valid IP address to enable SSO.
#
# trustedIP = 127.0.0.1
trustedIP = 127.0.0.1, 192.168.111.14, 192.168.111.10
# If set to 1, and if appServerPorts is set to a non-zero value, this
# will allow SSO to work even if server.conf doesn't have a trustedIP
# set (it still needs to be set in web.conf)
allowSsoWithoutChangingServerConf = 1

# Top level name for the site
root_endpoint = /splunk

1.3. /opt/splunk/etc/system/local/server.conf
Note: seems to be deprecated, as allowSsoWithoutChangingServerConf is now in web.conf

[general]
trustedIP = 192.168.111.14

1.4. Restart splunk service

2. Apache server configuration

2.1. Install Debian Wheezy 7.8

2.2. Check that the configured timezone is the same as on the IdP PC

2.3. Proxy configuration
Edit /etc/environment...

2.4. Firewall configuration (quite common, but just to make sure the right ports are open)
Edit /etc/iptables.up.rules

#Common firewall config
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [189:103951]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 25,587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
-A INPUT -j LOG
-A FORWARD -j LOG
COMMIT
*mangle
:PREROUTING ACCEPT [49770:4531554]
:INPUT ACCEPT [49770:4531554]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48931:39133213]
:POSTROUTING ACCEPT [48931:39133213]
COMMIT
*nat
:PREROUTING ACCEPT [4223:278291]
:INPUT ACCEPT [1650:94585]
:OUTPUT ACCEPT [2836:192019]
:POSTROUTING ACCEPT [2836:192019]
COMMIT

To load these rules into the iptables firewall:

iptables-restore < /etc/iptables.up.rules

To save the active iptables firewall rules:

iptables-save > /etc/iptables.up.rules

To load these rules on startup:

nano /etc/network/interfaces

add to the eth0 interface:

post-up iptables-restore < /etc/iptables.up.rules

2.5. Repository configuration to be able to load packages and specifically ‘mod-auth-mellon’
(our SAML2 SP)

https://github.com/UNINETT/mod_auth_mellon/wiki/GenericSetup
http://backports.debian.org/Instructions/

To have updates and be able to load packages from wheezy repository:

# to be added in /etc/apt/sources.list :
deb http://ftp.us.debian.org/debian/ wheezy main contrib non-free
deb-src http://ftp.us.debian.org/debian/ wheezy main contrib non-free

To load libapache2-mod-auth-mellon:

# to be added in /etc/apt/sources.list :
deb http://http.debian.net/debian wheezy-backports main

Finally, run the command below to make this new repository available from the command line:

apt-get update

2.6. ssh configuration

apt-get install ssh;

2.7. Load libapache2-mod-auth-mellon

apt-get install -t wheezy-backports libapache2-mod-auth-mellon;

2.8. Mellon SP configuration
Create the mellon directory and copy mellon_create_metadata.sh:

/etc/apache2/mellon

Enable auth-mellon in Apache:

a2enmod auth_mellon

Generate the SP metadata:

cd /etc/apache2/mellon
./mellon_create_metadata.sh urn:splunkweb:simplesamlsample.com http://simplesamlsample.com/secret/endpoint

Note: simplesamlsample.com is the Apache server name which is preserved even after the Splunk redirect.

The files generated are:
- urn_splunkweb_simplesamlsample.com.xml => BE CAREFUL HERE, the urls parsed by SimpleSAMLPHP have to end with logout and postResponse as below:

<EntityDescriptor entityID="urn:splunkweb:simplesamlsample.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MI...RZyv</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://simplesamlsample.com/secret/endpoint/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://simplesamlsample.com/secret/endpoint/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>

- urn_splunkweb_simplesamlsample.com.cert
- urn_splunkweb_simplesamlsample.com.key

To create the Circle Of Trust between the SP and the IdP:
- Provide the SP metadata file 'urn_splunkweb_simplesamlsample.com.xml' to the IdP PC
- Get the IdP metadata from the IdP PC and copy it into /etc/apache2/mellon under, for instance, the name idp-metadata.xml

Load the rewrite module:

cp -f /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/

Load the headers module:

cp -f /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/

Load the proxy modules:

cp -f /etc/apache2/mods-available/proxy* /etc/apache2/mods-enabled/

Update /etc/apache2/sites-available/default => BE CAREFUL here, mellon prefixes all the attributes received from the IdP with 'MELLON_'. In my case, I wanted to use the email, so MELLON_email:

<VirtualHost simplesamlsample.com:80>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # values: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ProxyRequests Off
    # Do not proxy the mellon endpoints; they are served locally by mod_auth_mellon.
    ProxyPass /secret/ !
    ProxyPassInterpolateEnv On
    MellonCacheSize 100
    MellonLockFile "/var/lock/mod_auth_mellon/lock"
    <Location />
        MellonEnable "auth"
        Require valid-user
        AuthType "Mellon"
        MellonVariable "cookie"
        MellonSPPrivateKeyFile  /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.key
        MellonSPCertFile  /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.cert
        MellonSPMetadataFile /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.xml
        MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
        #MellonUser "email"
        MellonEndpointPath /secret/endpoint
        MellonDefaultLoginPath /en-US/
        #RequestHeader set X-REMOTE-USER admin
        # IdP attributes are exported by mellon as MELLON_<name> environment variables
        RequestHeader set X-REMOTE-USER %{MELLON_email}e
        MellonSamlResponseDump On

        ProxyPass http://192.168.111.10:8000/
        ProxyPassReverse http://192.168.111.10:8000/
        ProxyPassInterpolateEnv On
    </Location>
</VirtualHost>

Restart Apache:

service apache2 restart

Open the url http://simplesamlphp.com and check the SAML Authn request (SP to IdP) and SAML Authn response (IdP to SP) thanks to the great SAML plugin for Firefox:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_6e....99c"
                Version="2.0"
                IssueInstant="2015-04-02T23:26:07Z"
                Destination="http://simplesamlsample.com/secret/endpoint/postResponse"
                InResponseTo="_A75...C2">
    <saml:Issuer>https://myidpurl.com/saml2/idp/metadata.php</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_6e355ee2e7c2ff009445a9402c9b3291ba4018199c">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>eEzfF....2QJB0=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>By4yfd6G...G8/RY=</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MII...mO4=</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    ID="_029....8604"
                    Version="2.0"
                    IssueInstant="201...7Z">
        <saml:Issuer>https://myidpurl.com/saml2/idp/metadata.php</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_029...04">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>c3N../kbk=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>JVJq....QZI=</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIC...VmO4=</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID SPNameQualifier="urn:splunkweb:simplesamlsample.com"
                         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_24ef464490ec9d84315d794d4d21950d4769d9c842</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2015-04-02T23:31:07Z"
                                              Recipient="http://simplesamlsample.com/secret/endpoint/postResponse"
                                              InResponseTo="_A75E41690FE1541537F680159A38A3C2" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2015-04-02T23:25:37Z"
                         NotOnOrAfter="2015-04-02T23:31:07Z">
            <saml:AudienceRestriction>
                <saml:Audience>urn:splunkweb:simplesamlsample.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2015-04-02T23:26:07Z"
                             SessionNotOnOrAfter="2015-04-03T07:26:07Z"
                             SessionIndex="_d996...41c">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="email"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">myemail@mydomain.com</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

You should get routed to Splunk, in my case, http://simplesamlsample.com/splunk/en-US...

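The two trust decisions behind the configuration in this thread, as an added example (not code from the thread, from mod_auth_mellon or from Splunk): `validate_response()` makes the checks an SP such as mellon has to pass on the IdP's Response before it may export `MELLON_email` (Destination and Recipient must be the SP's own ACS URL, which is why the first metadata attempt with `Location=".../splunk/"` could not work and the solution's `.../secret/endpoint/postResponse` does; InResponseTo must echo the SP's AuthnRequest; the validity window and Audience must match), and `splunk_sso_user()` models how web.conf's `SSOMode` and `trustedIP` decide whether to believe the `remoteUser` header. The XML is a constructed, trimmed copy of the Response posted above with the signatures removed; XML signature verification is assumed to be done by the SP and is not modelled. All function names, the `REQUEST_ID` constant and the clock value passed as `now` are assumptions made for the example.

```python
"""Added example, not code from the thread, mod_auth_mellon or Splunk: a model of the two
trust decisions behind the configuration above. validate_response() makes the checks an SP
such as mellon must pass before it exports MELLON_email; splunk_sso_user() models web.conf's
SSOMode/trustedIP handling of the remoteUser header. The XML is a constructed, trimmed copy of
the response posted in the thread (signatures dropped: XML signature verification is assumed
to be done by the SP and is out of scope here)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# SP identity and ACS URL from the thread's working metadata; REQUEST_ID is the
# AuthnRequest ID echoed in the posted response.
SP_ENTITY_ID = "urn:splunkweb:simplesamlsample.com"
ACS_URL = "http://simplesamlsample.com/secret/endpoint/postResponse"
REQUEST_ID = "_A75E41690FE1541537F680159A38A3C2"

# Constructed sample: the thread's Response, trimmed, signatures removed.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  InResponseTo="_A75E41690FE1541537F680159A38A3C2"
  Destination="http://simplesamlsample.com/secret/endpoint/postResponse">
  <saml:Issuer>https://myidpurl.com/saml2/idp/metadata.php</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2015-04-02T23:31:07Z"
        Recipient="http://simplesamlsample.com/secret/endpoint/postResponse"
        InResponseTo="_A75E41690FE1541537F680159A38A3C2"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2015-04-02T23:25:37Z" NotOnOrAfter="2015-04-02T23:31:07Z">
      <saml:AudienceRestriction><saml:Audience>urn:splunkweb:simplesamlsample.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="email">
      <saml:AttributeValue>myemail@mydomain.com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """SAML timestamps are UTC; a skewed clock (step 2.2) makes valid assertions fail here."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, acs_url, sp_entity_id, request_id, now):
    """Return {"MELLON_<name>": [values]} when every check passes, else raise ValueError."""
    root = ET.fromstring(xml_text)
    # The IdP posts to the ACS URL from our metadata. With the first metadata attempt
    # (ACS = /splunk/) that URL was proxied to Splunk instead of being a mellon endpoint.
    if root.get("Destination") != acs_url:
        raise ValueError("Destination %r is not our ACS %r" % (root.get("Destination"), acs_url))
    if root.get("InResponseTo") != request_id:
        raise ValueError("response does not answer our AuthnRequest (unsolicited or replayed)")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        raise ValueError("bearer SubjectConfirmationData does not match this SP/request")
    if now >= parse_ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")
    cond = assertion.find("saml:Conditions", NS)
    if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion issued for another SP: %r" % audiences)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        # mellon prefixes every IdP attribute with MELLON_ (hence %{MELLON_email}e above)
        attrs["MELLON_" + attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


# Splunk side: trustedIP list and remoteUser header name from the thread's web.conf.
TRUSTED_IP = frozenset({"127.0.0.1", "192.168.111.14", "192.168.111.10"})
REMOTE_USER = "X-Remote-User"


def splunk_sso_user(peer_ip, headers, sso_mode="strict", trusted_ip=TRUSTED_IP):
    """Model of SSOMode: the remoteUser header is believed only when the TCP peer is a trusted
    proxy. strict: untrusted peers are refused; permissive: header ignored, normal login (None)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if peer_ip in trusted_ip:
        return lowered.get(REMOTE_USER.lower())
    if sso_mode == "strict":
        raise PermissionError("SSO request from untrusted IP %s" % peer_ip)
    return None


def sso_flow(peer_ip, now=parse_ts("2015-04-02T23:26:30Z")):
    """End to end: SP validates the Response, sets X-REMOTE-USER from MELLON_email as the
    RequestHeader line does, and Splunk decides whether to trust the proxied request."""
    attrs = validate_response(SAMPLE_RESPONSE, ACS_URL, SP_ENTITY_ID, REQUEST_ID, now)
    return splunk_sso_user(peer_ip, {"X-REMOTE-USER": attrs["MELLON_email"][0]})
```

Calling `sso_flow("192.168.111.14")` (the Apache proxy's address) yields `myemail@mydomain.com`, the value Splunk logs in; the same request from any address outside `trustedIP` is refused in strict mode, and `validate_response()` rejects the same Response when the SP's ACS is configured as `http://simplesamlsample.com/splunk/`, when the Response answers a different AuthnRequest, or when the clock has moved past `NotOnOrAfter`.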

rohitp92
New Member

Can you please post how you got it working? I'm facing the same issue. Can you tell how this was done? I am having the same issue.


mikaelt29
New Member

I finally made it work!! I will post the details of my config very soon.
