How to implement Splunk SSO with Google Authentication Proxy when the username is not an email address?

eshedra
Explorer

Hi All,
I implemented Splunk SSO with Google Authentication Proxy (GAP) (https://github.com/bitly/google_auth_proxy) by using this tutorial: http://hustoknow.blogspot.co.il/2014/11/implementing-splunk-sso-with-google-apps.html.

Everything works fine except for the fact that the username must be an email address. Splunk won't let admins change usernames, and I have a system which is all configured with names as usernames (and not email addresses).

Is it possible to forward from the proxy to Splunk only the user and not the whole email address?
I tried to do that by using X-Forwarded-User instead of X-Forwarded-Mail in web.conf with no success.

Another approach might be changing the usernames. Is it possible? Maybe directly from the server running it?

Thanks

1 Solution

dwaddle
SplunkTrust

We use this with a config similar to:

pass_basic_auth = true

## Google Apps Domains to allow authentication for
google_apps_domains = [
     "defpoint.com"
]

On the proxy, and:

[settings]
enableSplunkWebSSL = 0

remoteUser = X-Forwarded-User
trustedIP = 127.0.0.1

In web.conf in Splunk. With this configuration, the proxy only passes usernames with the "@domain.com" part removed. Folks show up in Splunk as "just their user ID" and it works great...
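
A way to check the two points this answer relies on, as an added example that is not part of the original post nor Splunk's or the proxy's own code: that web.conf trusts the identity header only from the proxy's address, and that removing the "@domain" part does not turn two people from different allowed domains into the same Splunk user. The function names and the example.com addresses are assumptions made up for illustration.

```python
import configparser
import ipaddress

# Constructed sample: the web.conf stanza quoted in the answer above.
WEB_CONF = """\
[settings]
enableSplunkWebSSL = 0

remoteUser = X-Forwarded-User
trustedIP = 127.0.0.1
"""

def audit_sso(web_conf_text, header="X-Forwarded-User"):
    """Return findings about the header-trust settings in a web.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(web_conf_text)
    settings = dict(cp["settings"]) if cp.has_section("settings") else {}
    findings = []
    if settings.get("remoteUser") != header:
        findings.append(f"remoteUser is {settings.get('remoteUser')!r}, expected {header!r}")
    ip = settings.get("trustedIP", "").strip()
    try:
        if not ipaddress.ip_address(ip).is_loopback:
            # The identity header is believed from this address, so only
            # the proxy should be able to open connections from it.
            findings.append(f"trustedIP {ip} is not loopback: confirm only the proxy connects from it")
    except ValueError:
        findings.append(f"trustedIP {ip!r} is missing or not a valid IP address")
    return findings

def splunk_username(email):
    """Model of the behaviour the answer describes: '@domain' is removed."""
    return email.split("@", 1)[0]

def collisions(emails):
    """Map each username shared by more than one address to those addresses."""
    by_user = {}
    for email in emails:
        by_user.setdefault(splunk_username(email), set()).add(email)
    return {u: sorted(a) for u, a in by_user.items() if len(a) > 1}

if __name__ == "__main__":
    print(audit_sso(WEB_CONF))
    # Constructed addresses; example.com stands in for a second allowed domain.
    print(collisions(["alice@defpoint.com", "alice@example.com", "bob@defpoint.com"]))
```

An empty findings list means the stanza matches the answer's setup; a non-empty collision map matters only when more than one domain is listed in google_apps_domains.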


eshedra
Explorer

Another thing: could you please copy and paste your web.conf file (not only the relevant parts)?

Thanks

0 Karma

ppablo
Retired

Hi @eshedra

Please be sure that when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your last 2 responses in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer each time. This will help with a clean continuous flow of the conversation. I already converted your "answers" to comments, so just something to keep in mind from here on out. Thanks and happy Splunking!

0 Karma

eshedra
Explorer

I used tcpdump and see the username passes from the proxy to the Splunk server.
I suspect it might be a version issue (we are using 6.1). Do you think it might be it?

Are you familiar with other parameters that we can try and pass?

Thanks for help,
Eshed

0 Karma

eshedra
Explorer

Hi dwaddle,
I tried your configuration and it doesn't seem to work.
Right now, when the username in Splunk is eshedra@etoro.com, it logs me in if I use X-Forwarded-Email.
If I change it to X-Forwarded-User and create a username like "eshedra" it doesn't log me in.
Any ideas?

Thanks for help.
Eshed

0 Karma

dwaddle
SplunkTrust

Interesting. It works for us on Splunk 6.2.2. You could try running tcpdump between the google-auth-proxy and Splunk and see if the headers are all coming out right...

0 Karma

eshedra
Explorer

It works now. Thanks for the help

0 Karma