Security

Accessing splunk enterprise using ADFS authentication ?

erictalb
Engager

Is there anyway we can use ADFS to gain access to SPLUNK on-premise ?

Tags (2)

agitelzon
Explorer

Ok it took me long than I wished but here is how to get splunk working with Centos 6 and ADFS 2.0 using mellon for the SAML implementation. I think splunk should integrate this into their software so we don't need to use something like apache as a proxy server.

First, make sure you have apache installed and set up.
Second, you'll need to set up LDAP inside of splunk using Access controls because SAML SSO, right now, only passes the username. There isn't any support for groups or email addresses, that I could find. LDAP is necessary for group information so splunk knows who the user is based on their username and because of their group, what permission in splunk they should have.

Install the mellon apache module.

yum install mod_auth_mellon

Set up mellon by creating a folder and running the mellon metadata script to create keys and an xml file

mkdir /etc/httpd/mellon
/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh urn:splunkweb:splunk.example.org https://splunk.example.org/secret/endpoint

You'll need the federation metadata xml from adfs, the usual url for ADFS 2.0 is https://adfs_hostname.example.org/FederationMetadata/2007-06/FederationMetadata.xml. Save this file as /etc/httpd/mellon/idp-metadata.xml

Create your apache vhost, in my vhost, I have set up SSL, you don't need SSL but I recommended it.

Splunk Virtual Host

ServerName splunk.example.org
ServerAlias splunk

Redirect Permanent /  https://splunk.example.org

ServerName splunk.example.org
ServerAlias splunk
DocumentRoot /var/www/html
<Directory /var/www/html/>
       Require all granted
</Directory>
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/example.org.pem
SSLCertificateKeyFile /etc/httpd/ssl/example.org.pem
SSLCertificateChainFile /etc/httpd/ssl/example.org.chain.pem

<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /secret/ !
ProxyVia On

ProxyRequests Off

<IfModule auth_mellon_module>
    <Location />
        # Add information from the auth_mellon session to the request.
        MellonEnable "auth"
        Require valid-user
        AuthType "Mellon"
        MellonVariable "cookie"

        # Configure the SP metadata
        # This should be the files which were created when creating SP metadata.
        MellonSPPrivateKeyFile /etc/httpd/mellon/urn_splunkweb_splunk_.example.org.key
        MellonSPCertFile  /etc/httpd/mellon/urn_splunkweb_splunk_.example.org.cert
        MellonSPMetadataFile /etc/httpd/mellon/urn_splunkweb_splunk_.example.org.xml
        # IdP metadata. This should be the metadata file you downloaded from the IdP.
        MellonIdPMetadataFile /etc/httpd/mellon/idp-metadata.xml

        # The location all endpoints should be located under.
        # It is the URL to this location that is used as the second parameter to the metadata generation script.
        # This path is relative to the root of the web server.
        MellonEndpointPath /secret/endpoint

        RewriteEngine on
        # These lines are to take in the username as known by mellon and rewrite it into REMOTE_USER
        # ADFS passes the username as DOMAIN/USERNAME, the edit line is pull out just the USERNAME
        # Splunk wants only the USERNAME
        RequestHeader set REMOTE_USER "%{MELLON_NAME_ID}e"
        RequestHeader edit REMOTE_USER "^.*\\\(.*)" "$1"

        ProxyPass http://127.0.0.1:8000/
        ProxyPassReverse http://127.0.0.1:8000/
    </Location>
</IfModule>


Take the file /etc/httpd/mellon/urn_splunkweb_splunk_.example.org.xml and use it to create an ADFS relaying party trust.
In the properties of this new trust, make sure to set, under the advanced tab, the secure hashing algorithm to SHA-1.

You'll need to set up a claim rule in ADFS. Right click your relaying party trust for splunk, and click edit claim rules.
Add a rule, pick Transform an Incoming Claim, name it anything, for example Transform Windows Name to NameID
Set Incoming type to Windows Account Name
Set Outgoing type to Name ID
Set Outgoing name ID format to Transient Identifier
Click ok

Configure splunk
In the file {SPLUNK_HOME}/etc/system/local/server.conf add:

trustedIP=127.0.0.1

In the file {SPLUNK_HOME}/etc/system/local/web.conf , if the file doesn't exist, create it, add:

[settings]
trustedIP = 127.0.0.1
remoteUser = REMOTE_USER
SSOMode = strict
tools.proxy.on = False
tools.proxy.base = link text

Note: I have SSOMode set to strict. That means people can only log in through SSO, if you change it to permissive, then anyone who goes to http://splunk.example.org:8000 will be able to use a local splunk user instead of SSO.
By setting tools.proxy.base to the url of the splunk server, I can turn on tools.proxy.on which lets splunk understand X-Forwarded-For headers.

Restart splunk.
Restart/Graceful apache

Try to go to splunk.example.com, if everything worked it should prompt your for ADFS credentials and log you in.
You can try to use https://splunk.example.org/debug/sso to debug what is going on.

Hopefully this will either just work or get you far enough to figure out the rest. Good Luck

EDIT: fixed some formatting issues
EDIT: Updated the web.conf file with something that actually works.

hvandenb
Path Finder

We're working on the same issue. We're using https://shibboleth.net/ as the SP with Apache infront of Splunk. If you have something working let us know as we're in the middle of it.

We hope to have all this working soon and we'll be glad to share the results.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...