OK, it took me longer than I wished, but here is how to get Splunk working with CentOS 6 and ADFS 2.0 using mellon for the SAML implementation. I think Splunk should integrate this into their software so we don't need to use something like Apache as a proxy server.
First, make sure you have Apache installed and set up.
Second, you'll need to set up LDAP inside of Splunk using Access controls, because SAML SSO, right now, only passes the username. There isn't any support for groups or email addresses that I could find. LDAP is necessary for group information, so Splunk knows who the user is based on their username and, because of their group, what permissions in Splunk they should have.
Install the mellon Apache module:
yum install mod_auth_mellon
Set up mellon by creating a folder and running the mellon metadata script to create the keys and an XML file:
mkdir /etc/httpd/mellon
/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh urn:splunkweb:splunk.example.org https://splunk.example.org/secret/endpoint
You'll need the federation metadata XML from ADFS; the usual URL for ADFS 2.0 is https://adfs_hostname.example.org/FederationMetadata/2007-06/FederationMetadata.xml. Save this file as /etc/httpd/mellon/idp-metadata.xml
Create your Apache vhost. In my vhost I have set up SSL; you don't need SSL, but I recommend it.
# Port 80 vhost: send everything to HTTPS. The <VirtualHost> wrappers were lost
# in the original posting and are restored here.
<VirtualHost *:80>
    ServerName splunk.example.org
    ServerAlias splunk
    Redirect permanent / https://splunk.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName splunk.example.org
    ServerAlias splunk
    DocumentRoot /var/www/html
    <Directory /var/www/html/>
        # httpd 2.2 (CentOS 6) access syntax; on httpd 2.4 use "Require all granted" instead
        Order allow,deny
        Allow from all
    </Directory>
    SSLEngine on
    # One PEM holding both the certificate and the key; split them if your files are separate
    SSLCertificateFile /etc/httpd/ssl/example.org.pem
    SSLCertificateKeyFile /etc/httpd/ssl/example.org.pem
    SSLCertificateChainFile /etc/httpd/ssl/example.org.chain.pem
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    # Never proxy the mellon endpoints to Splunk: mod_auth_mellon answers them itself.
    # The exclusion has to come before the general ProxyPass.
    ProxyPass /secret/ !
    ProxyVia On
    # Reverse proxy only; never turn this on or you have an open forward proxy
    ProxyRequests Off
    <IfModule auth_mellon_module>
        <Location />
            # Everything under / requires a mellon (SAML) session
            MellonEnable "auth"
            Require valid-user
            AuthType "Mellon"
            MellonVariable "cookie"
            # Configure the SP metadata
            # These are the files created by the metadata script above.
            MellonSPPrivateKeyFile /etc/httpd/mellon/urn_splunkweb_splunk_.example.org.key
            MellonSPCertFile /etc/httpd/mellon/urn_splunkweb_splunk_.example.org.cert
            MellonSPMetadataFile /etc/httpd/mellon/urn_splunkweb_splunk_.example.org.xml
            # IdP metadata. This is the metadata file you downloaded from ADFS.
            MellonIdPMetadataFile /etc/httpd/mellon/idp-metadata.xml
            # The location all mellon endpoints live under.
            # The URL of this location is the second parameter given to the metadata script.
            # The path is relative to the root of the web server.
            MellonEndpointPath /secret/endpoint
            # No RewriteRule is used below; the header rewrite is done by mod_headers
            RewriteEngine on
            # Copy the SAML NameID mellon stored for this session into the REMOTE_USER
            # request header. "set" replaces any REMOTE_USER header the browser sent,
            # so a client cannot pick its own Splunk identity.
            RequestHeader set REMOTE_USER "%{MELLON_NAME_ID}e"
            # ADFS sends the Windows account name as DOMAIN\USERNAME and Splunk wants
            # only USERNAME. httpd turns \\ into \ while reading the quoted argument,
            # so PCRE sees ^.*\\(.*) and keeps whatever follows the last backslash.
            RequestHeader edit REMOTE_USER "^.*\\\(.*)" "$1"
            # Splunk Web listening on localhost only; see trustedIP in web.conf below
            ProxyPass http://127.0.0.1:8000/
            ProxyPassReverse http://127.0.0.1:8000/
        </Location>
    </IfModule>
</VirtualHost>
Take the file /etc/httpd/mellon/urn_splunkweb_splunk_.example.org.xml and use it to create an ADFS relying party trust.
In the properties of this new trust, under the Advanced tab, set the secure hash algorithm to SHA-1.
You'll need to set up a claim rule in ADFS. Right-click your relying party trust for Splunk and click Edit Claim Rules.
Add a rule, pick Transform an Incoming Claim, and name it anything, for example Transform Windows Name to NameID.
Set Incoming type to Windows Account Name
Set Outgoing type to Name ID
Set Outgoing name ID format to Transient Identifier
Click OK.
Configure Splunk
In the file {SPLUNK_HOME}/etc/system/local/server.conf add (trustedIP belongs in the [general] stanza):
[general]
trustedIP = 127.0.0.1
In {SPLUNK_HOME}/etc/system/local/web.conf (if the file doesn't exist, create it) add:
[settings]
trustedIP = 127.0.0.1
remoteUser = REMOTE_USER
SSOMode = strict
tools.proxy.on = False
# The URL the Splunk server is reached at; the link in the original post was lost,
# the value below is assumed to match the vhost above
tools.proxy.base = https://splunk.example.org
Note: I have SSOMode set to strict. That means people can only log in through SSO; if you change it to permissive, then anyone who goes to http://splunk.example.org:8000 will be able to use a local Splunk user instead of SSO.
By setting tools.proxy.base to the URL of the Splunk server, I can turn on tools.proxy.on, which lets Splunk understand X-Forwarded-For headers.
Restart Splunk.
Restart (or graceful-restart) Apache.
Try to go to https://splunk.example.org; if everything worked it should prompt you for ADFS credentials and log you in.
You can use https://splunk.example.org/debug/sso to debug what is going on.
Hopefully this will either just work or get you far enough to figure out the rest. Good luck!
EDIT: fixed some formatting issues
EDIT: Updated the web.conf file with something that actually works.
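As an added check that is not part of the original post and not Splunk's or mod_auth_mellon's own code: the script below reproduces in Python what the vhost's RequestHeader edit does to the ADFS NameID, and lints a web.conf [settings] stanza for the three values that hold the trust boundary together (a loopback-only trustedIP, SSOMode = strict, and remoteUser = REMOTE_USER). The sample configs are constructed for the example; treating trustedIP as a comma-separated list is an assumption.

```python
import configparser
import ipaddress
import re

# What PCRE actually sees after httpd unescapes the quoted argument of
#   RequestHeader edit REMOTE_USER "^.*\\\(.*)" "$1"
# is ^.*\\(.*) : everything after the last backslash is kept.
STRIP_DOMAIN = re.compile(r"^.*\\(.*)")


def username_from_name_id(name_id):
    """Mimic the Apache header rewrite from the vhost.

    DOMAIN\\user -> user.  A NameID with no backslash does not match, and
    'RequestHeader edit' then leaves the value untouched, so a UPN or a bare
    username passes through unchanged.
    """
    m = STRIP_DOMAIN.match(name_id)
    return m.group(1) if m else name_id


def check_web_conf(web_conf_text):
    """Return a list of findings for the [settings] stanza.

    An empty list means the settings match what the post relies on:
    loopback-only trustedIP, strict SSO mode, header name REMOTE_USER.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(web_conf_text)
    findings = []
    if not cp.has_section("settings"):
        return ["web.conf has no [settings] stanza"]
    s = cp["settings"]

    # Assumption: trustedIP may hold a comma-separated list of addresses.
    trusted = [t.strip() for t in s.get("trustedIP", "").split(",") if t.strip()]
    if not trusted:
        findings.append("trustedIP is unset: Splunk ignores REMOTE_USER, so SSO cannot work")
    for ip in trusted:
        try:
            if not ipaddress.ip_address(ip).is_loopback:
                findings.append(
                    f"trustedIP {ip} is not loopback: anything that reaches port 8000 "
                    "from that address can log in as any user by setting REMOTE_USER")
        except ValueError:
            findings.append(f"trustedIP {ip!r} is not an IP address")

    # Splunk's default is permissive, which keeps local logins on :8000 available.
    if s.get("SSOMode", "permissive").strip().lower() != "strict":
        findings.append("SSOMode is not strict: local Splunk logins on port 8000 bypass ADFS")
    if s.get("remoteUser", "").strip() != "REMOTE_USER":
        findings.append("remoteUser does not match the header the vhost sets (REMOTE_USER)")
    return findings


# Constructed sample configs, not taken from a real deployment.
GOOD_WEB_CONF = """\
[settings]
trustedIP = 127.0.0.1
remoteUser = REMOTE_USER
SSOMode = strict
tools.proxy.on = False
tools.proxy.base = https://splunk.example.org
"""

# The same file with two common mistakes: a non-loopback proxy address
# and permissive mode.
BAD_WEB_CONF = """\
[settings]
trustedIP = 10.0.0.5
remoteUser = REMOTE_USER
SSOMode = permissive
"""

if __name__ == "__main__":
    for raw in ("EXAMPLE\\jdoe", "jdoe", "jdoe@example.org"):
        print(f"{raw!r:22} -> REMOTE_USER={username_from_name_id(raw)!r}")
    for name, conf in (("good", GOOD_WEB_CONF), ("bad", BAD_WEB_CONF)):
        print(name, check_web_conf(conf) or ["ok"])
```

The trustedIP finding is the one that matters most: Splunk accepts REMOTE_USER from any peer whose source address is listed there, so if port 8000 is reachable from that address by anything other than this Apache instance, whoever gets there chooses their own identity. Keeping trustedIP at 127.0.0.1 and binding Splunk Web to localhost (server.socket_host in web.conf) closes that path.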
We're working on the same issue. We're using https://shibboleth.net/ as the SP with Apache in front of Splunk. If you have something working, let us know, as we're in the middle of it.
We hope to have all this working soon, and we'll be glad to share the results.