Splunk SSO with SAML2 SimpleSAMLPHP as IdP and apache2 2.22 as reverse proxy and mod-auth-mellon 0.9 on it as SP not working [SOLVED]

mikaelt29
New Member

I have been trying for the past few days to get Splunk SSO working with SimpleSAMLPHP as IdP, without success.
I confirm the header X-Remote-User is well set in http://splunk_example_url.com:8000/splunk/en-US/debug/sso when I don't use SAML (i.e. without the mellon SP and the SimpleSAMLPHP IdP).
Then, if I enable mellon, I am first correctly routed to my SimpleSAMLPHP IdP, where I log in.
But then it loops on the redirect to http://my_apache_splunk_proxy_example_url/splunk/, rerouting to my IdP, and so on and so forth.

Have you already experienced this kind of problem?
Maybe I should not even try, because I haven't seen any tutorials other than for Okta, OpenAM and LDAP as SAML2 IdP.

Here is my configuration:

I have:
- Splunk 6.2.1 (CentOS): 192.168.111.10
- Apache2 2.22 and mod-auth-mellon 0.9 (Debian): 192.168.111.14 => simplesamlsample.com
- IdP: 192.168.111.2

On splunk side:

/opt/splunk/etc/system/local/server.conf
[general]
trustedIP = 192.168.111.14

/opt/splunk/etc/system/local/web.conf
[settings]
remoteUser = X-Remote-User
SSOMode = strict
# set to true, even if it seems it is not necessary anymore with apache2
tools.proxy.on = true
trustedIP = 127.0.0.1, 192.168.111.14, 192.168.111.10
allowSsoWithoutChangingServerConf = 1
root_endpoint = /splunk

1. Test of Apache/Splunk connection OK

On Apache server:
/etc/apache2/sites-available/default

<VirtualHost simplesamlsample.com:80>
    ServerName simplesamlsample.com
    DocumentRoot /var/www/simplesamlsample.com
    <Directory /var/www/simplesamlsample.com>
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RequestHeader set X-REMOTE-USER admin
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPassInterpolateEnv On
    ProxyPass /splunk/ http://192.168.111.10:8000/splunk/
    ProxyPassReverse /splunk/ http://192.168.111.10:8000/splunk/
    ProxyPassReverseCookiePath / /
</VirtualHost>

I restarted and tested this configuration without SAML2 authentication.
That means I connect to http://192.168.111.14/splunk/ and get routed to Splunk with the right X-Remote-User set (confirmed by using the http://simplesamlsample.com/splunk/debug/sso url). It works like a charm.

2. Test with mod-auth-mellon SP and SimpleSAMLSample IdP

On Apache server:
I installed and enabled mod-auth-mellon.

Thanks to the mellon script, I have generated the certs and metadata for my SP. My metadata:

./mellon_create_metadata.sh urn:splunkweb:simplesamlsample.com  http://simplesamlsample.com/secret/endpoint

I modified the endpoint to have the splunk endpoint:
http://simplesamlsample.com/splunk/
// instead of http://simplesamlsample.com/secret/endpoint/

<EntityDescriptor entityID="urn:splunkweb:simplesamlsample.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">…</KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://simplesamlsample.com/splunk/"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://simplesamlsample.com/splunk/" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>

and then I submitted the SP metadata to the IdP and copied these files into the directory I created, /etc/apache2/mellon/, with the right access rights. In addition, I copied my SimpleSAMLPHP IdP's metadata into the same directory as idp-metadata.xml.

I added the mellon configuration to apache2:

/etc/apache2/sites-available/default
<VirtualHost simplesamlsample.com:80>
    ServerName simplesamlsample.com
    DocumentRoot /var/www/simplesamlsample.com
    <Directory /var/www/simplesamlsample.com>
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RequestHeader set X-REMOTE-USER admin
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPassInterpolateEnv On
    ProxyPass /splunk/ http://192.168.111.10:8000/splunk/
    ProxyPassReverse /splunk/ http://192.168.111.10:8000/splunk/
    ProxyPassReverseCookiePath / /

    MellonCacheSize 100
    MellonLockFile "/var/lock/mod_auth_mellon/lock"
    <Location />
        # Add information from the auth_mellon session to the request.
        MellonEnable "auth"
        Require valid-user
        AuthType "Mellon"
        MellonVariable "mellon-cookie"
        MellonSamlResponseDump On
        # Configure the SP metadata
        # This should be the files which were created when creating SP metadata.
        MellonSPPrivateKeyFile  /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.key
        MellonSPCertFile  /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.cert
        MellonSPMetadataFile /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.xml
        # IdP metadata. This should be the metadata file you downloaded from the IdP.
        MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
        #MellonUser "email"
        # this is the property coming on the SAML assertion set as REMOTE_USER
        # MellonUser "username"
        # The location all endpoints should be located under.
        # It is the URL to this location that is used as the second parameter to the metadata generation script.
        # This path is relative to the root of the web server.
        MellonEndpointPath /mellon
        # Options +FollowSymLinks

        # => Trying this way first
        RequestHeader set X-REMOTE-USER admin
    </Location>
</VirtualHost>

Then, I restarted the apache server. I am correctly routed to the IdP when I open http://simplesamlsample.com. I authenticate on it and am then routed to the address http://simplesamlsample.com/splunk/. For now, I don't care about the attributes I get. That's why I set X-Remote-User to a hardcoded value that is supposed to work.

Unfortunately, after logging in on the IdP, I get rerouted to the IdP (where authentication is already done) and then to the security warning (because there is still no https). I have an infinite loop on the warning screen.

Would you have an idea?

Thanks.


mikaelt29
New Member

Here is the detailed explanation:

1. Splunk server configuration

1.1. Installed Splunk 6.2.1 with Developer license on 192.168.111.10

1.2. /opt/splunk/etc/system/local/web.conf
Note: 192.168.111.14 is the Apache server's IP address

[settings]
# Remote user HTTP header sent by the authenticating proxy server.
# This header should be set to the authenticated user.
remoteUser = X-Remote-User

# SSO mode.
# Allows SSO to behave in either permissive or strict mode.
# Permissive: Users may login to splunkweb using a valid splunk account
# even if they are coming from a non trusted IP.
# Strict: All requests to splunkweb will be restricted to those originating
# from a trusted IP except those to endpoints not requiring authentication.
#
# allowed values: strict, permissive
# default: strict.
#
SSOMode = strict

# Trusted IP.  This is the IP address of the authenticating proxy.
# Splunkweb verifies it is receiving data from the proxy host for all
# SSO requests.
# Set in local/web.conf a valid IP address to enable SSO.
#
# trustedIP = 127.0.0.1
trustedIP = 127.0.0.1, 192.168.111.14, 192.168.111.10
# If set to 1, and if appServerPorts is set to a non-zero value, this
# will allow SSO to work even if server.conf doesn't have a trustedIP
# set (it still needs to be set in web.conf)
allowSsoWithoutChangingServerConf = 1

# Top level name for the site
root_endpoint = /splunk

1.3. /opt/splunk/etc/system/local/server.conf
Note: this seems to be deprecated, as allowSsoWithoutChangingServerConf is now in web.conf

[general]
trustedIP = 192.168.111.14

1.4. Restart splunk service

2. Apache server configuration

2.1. Install Debian Wheezy 7.8

2.2. Check that the configured timezone is the same as on the PC IdP

2.3. Proxy configuration
Edit /etc/environment...

2.4. Firewall configuration (quite common, but just to make sure the right ports are open)
Edit /etc/iptables.up.rules

#Common firewall config
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [189:103951]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 25,587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
-A INPUT -j LOG
-A FORWARD -j LOG
COMMIT
*mangle
:PREROUTING ACCEPT [49770:4531554]
:INPUT ACCEPT [49770:4531554]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48931:39133213]
:POSTROUTING ACCEPT [48931:39133213]
COMMIT
*nat
:PREROUTING ACCEPT [4223:278291]
:INPUT ACCEPT [1650:94585]
:OUTPUT ACCEPT [2836:192019]
:POSTROUTING ACCEPT [2836:192019]
COMMIT

To load these rules into the iptables firewall:

iptables-restore < /etc/iptables.up.rules

To save the active iptables firewall rules:

iptables-save > /etc/iptables.up.rules

To load these rules on startup:

nano /etc/network/interfaces

add to the eth0 interface:

post-up iptables-restore < /etc/iptables.up.rules

2.5. Repository configuration to be able to load packages and specifically ‘mod-auth-mellon’
(our SAML2 SP)

https://github.com/UNINETT/mod_auth_mellon/wiki/GenericSetup
http://backports.debian.org/Instructions/

To have updates and be able to load packages from wheezy repository:

# to be added in /etc/apt/sources.list :
deb http://ftp.us.debian.org/debian/ wheezy main contrib non-free
deb-src http://ftp.us.debian.org/debian/ wheezy main contrib non-free

To load libapache2-mod-auth-mellon:

# to be added in /etc/apt/sources.list :
deb http://http.debian.net/debian wheezy-backports main

Finally, run the command below to make this new repository available from the command line:

apt-get update

2.6. ssh configuration

apt-get install ssh;

2.7. Load libapache2-mod-auth-mellon

apt-get install -t wheezy-backports libapache2-mod-auth-mellon;

2.8. Mellon SP configuration
Create the mellon directory and copy mellon_create_metadata.sh:

/etc/apache2/mellon

Enable auth-mellon in Apache:

a2enmod auth_mellon

Generate the SP metadata:

cd /etc/apache2/mellon
./mellon_create_metadata.sh urn:splunkweb:simplesamlsample.com http://simplesamlsample.com/secret/endpoint

Note: simplesamlsample.com is the Apache server name which is preserved even after the Splunk redirect.

The files generated are:
- urn_splunkweb_simplesamlsample.com.xml => BE CAREFUL HERE, the urls parsed by SimpleSAMLPHP have to end with logout and postResponse as below:

<EntityDescriptor entityID="urn:splunkweb:simplesamlsample.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MI...RZyv</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://simplesamlsample.com/secret/endpoint/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://simplesamlsample.com/secret/endpoint/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>

- urn_splunkweb_simplesamlsample.com.cert
- urn_splunkweb_simplesamlsample.com.key

To create the Circle Of Trust between the SP and the IdP:
- Provide the SP metadata file ‘urn_splunkweb_simplesamlsample.com.xml’ to the PC IdP
- Get the PC IdP and copy it in /etc/apache2/mellon with for instance the name: idp-metadata.xml

Load the rewrite module:

cp -f /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/

Load the headers module:

cp -f /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/

Load the proxy modules:

cp -f /etc/apache2/mods-available/proxy* /etc/apache2/mods-enabled/

Update /etc/apache2/sites-available/default => BE CAREFUL here, mellon prefixes all the attributes received from the idp with 'MELLON_'. In my case, I wanted to use the email so MELLON_email:

<VirtualHost simplesamlsample.com:80>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    #values: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ProxyRequests Off
    ProxyPass /secret/ !
    ProxyPassInterpolateEnv On
    MellonCacheSize 100
    MellonLockFile "/var/lock/mod_auth_mellon/lock"
    <Location />
        MellonEnable "auth"
        Require valid-user
        AuthType "Mellon"
        MellonVariable "cookie"
        MellonSPPrivateKeyFile  /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.key
        MellonSPCertFile  /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.cert
        MellonSPMetadataFile /etc/apache2/mellon/urn_splunkweb_simplesamlsample.com.xml
        MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
        #MellonUser "email"
        MellonEndpointPath /secret/endpoint
        MellonDefaultLoginPath /en-US/
        #RequestHeader set X-REMOTE-USER admin
        RequestHeader set X-REMOTE-USER %{MELLON_email}e
        MellonSamlResponseDump On

        ProxyPass http://192.168.111.10:8000/
        ProxyPassReverse http://192.168.111.10:8000/
        ProxyPassInterpolateEnv On
    </Location>
</VirtualHost>

Restart Apache:

service apache2 restart

Open the url http://simplesamlphp.com and check the SAML Authn request (SP to IdP) and SAML Authn response (IdP to SP) thanks to the great SAML plugin for Firefox:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_6e....99c"
                Version="2.0"
                IssueInstant="2015-04-02T23:26:07Z"
                Destination="http://simplesamlsample.com/secret/endpoint/postResponse"
                InResponseTo="_A75...C2"
                >
    <saml:Issuer>https://myidpurl.com/saml2/idp/metadata.php</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_6e355ee2e7c2ff009445a9402c9b3291ba4018199c">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>eEzfF....2QJB0=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>By4yfd6G...G8/RY=</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MII...mO4=</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    ID="_029....8604"
                    Version="2.0"
                    IssueInstant="201...7Z"
                    >
        <saml:Issuer>https://myidpurl.com/saml2/idp/metadata.php</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_029...04">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>c3N../kbk=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>JVJq....QZI=</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIC...VmO4=</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID SPNameQualifier="urn:splunkweb:simplesamlsample.com"
                         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                         >_24ef464490ec9d84315d794d4d21950d4769d9c842</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2015-04-02T23:31:07Z"
                                              Recipient="http://simplesamlsample.com/secret/endpoint/postResponse"
                                              InResponseTo="_A75E41690FE1541537F680159A38A3C2"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2015-04-02T23:25:37Z"
                         NotOnOrAfter="2015-04-02T23:31:07Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>urn:splunkweb:simplesamlsample.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2015-04-02T23:26:07Z"
                             SessionNotOnOrAfter="2015-04-03T07:26:07Z"
                             SessionIndex="_d996...41c"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="email"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xsi:type="xs:string">myemail@mydomain.com</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

You should get routed to Splunk, in my case, http://simplesamlsample.com/splunk/en-US...

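A consistency check for the SP side, added here as an example and not the poster's or the mod_auth_mellon project's code: it parses the SP metadata and a vhost fragment (both constructed from the configurations in this thread, certificate omitted) and reports the mismatches behind the redirect loop of the original question: ACS/SLO locations not under MellonEndpointPath, the endpoint path proxied to Splunk instead of excluded with `ProxyPass /secret/ !`, and X-REMOTE-USER set to a literal rather than a MELLON_ attribute.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed from the SP metadata in the answer above (certificate omitted).
SP_METADATA = """<EntityDescriptor entityID="urn:splunkweb:simplesamlsample.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://simplesamlsample.com/secret/endpoint/logout"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://simplesamlsample.com/secret/endpoint/postResponse" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""
# Constructed vhost fragments: the relevant directives of the working answer (first) and of the looping configuration from the original question (second).
VHOST_WORKING = """
ProxyPass /secret/ !
<Location />
    MellonEndpointPath /secret/endpoint
    RequestHeader set X-REMOTE-USER %{MELLON_email}e
    ProxyPass http://192.168.111.10:8000/
</Location>
"""
VHOST_LOOPING = """
ProxyPass /splunk/ http://192.168.111.10:8000/splunk/
<Location />
    MellonEndpointPath /mellon
    RequestHeader set X-REMOTE-USER admin
</Location>
"""

def endpoint_paths(metadata_xml):
    """Return (ACS path, SLO path) declared in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(f".//{{{MD_NS}}}AssertionConsumerService")
    slo = root.find(f".//{{{MD_NS}}}SingleLogoutService")
    return urlparse(acs.get("Location")).path, urlparse(slo.get("Location")).path

def directive_values(vhost, name):
    """Argument string of every occurrence of directive `name` in the vhost."""
    values = []
    for line in vhost.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            values.append(parts[1].strip())
    return values

def check_sp_config(metadata_xml, vhost):
    """List the mismatches that break the mellon / Splunk proxy setup."""
    problems = []
    acs_path, slo_path = endpoint_paths(metadata_xml)
    ep = (directive_values(vhost, "MellonEndpointPath") or ["(MellonEndpointPath missing)"])[0].rstrip("/")
    if acs_path != ep + "/postResponse":
        problems.append(f"ACS {acs_path} is not {ep}/postResponse")
    if slo_path != ep + "/logout":
        problems.append(f"SLO {slo_path} is not {ep}/logout")
    # The endpoint must be excluded from proxying (ProxyPass <path> !), else the IdP's POST goes to Splunk, mellon never sees it, and the request bounces back to the IdP.
    excluded = [v.split()[0].rstrip("/") for v in directive_values(vhost, "ProxyPass") if v.split()[-1] == "!"]
    if not any(ep == ex or ep.startswith(ex + "/") for ex in excluded):
        problems.append(f"{ep} is not excluded from ProxyPass")
    # A literal X-REMOTE-USER logs every IdP-authenticated user into that one account.
    for v in directive_values(vhost, "RequestHeader"):
        m = re.match(r"set\s+X-REMOTE-USER\s+(\S+)", v, re.I)
        if m and not m.group(1).startswith("%{MELLON_"):
            problems.append(f"X-REMOTE-USER hardcoded to {m.group(1)}")
    return problems
```

Run it against your own metadata file and vhost: an empty list means the ACS, the endpoint exclusion and the header source agree; each reported string names one thing to fix.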

rohitp92
New Member

Can you please post how you got it working? Facing the same issue. Can you tell how this was done? I am having the same issue.


mikaelt29
New Member

I finally made it work!! I will post the details of my config very soon.
