We are trying to deploy splunk with SSO according to documentation found on http://www.splunk.com/base/Documentation/4.1/Admin/Usesinglesign-onwithSplunk but are hitting a wall.
The suspicion is that mod_proxy does not proxy the remote_user variable needed by Splunk. Anyone know if this is true and know a way around this?
We don't require that the variable representing the user be remote_user. You can configure the 'remoteUser' variable to say how your proxy server spells it. To try to see what your proxy server might be sending, try accessing http://YourSplunkServer:8000/debug/sso
See also: http://docs.splunk.com/Documentation/Splunk/5.0/Security/ConfigureSplunkSSO
Assuming your auth module provides a REMOTE_USER variable in the context of the apache request, you probably need to provide a line like this:
RequestHeader set REMOTE_USER %{REMOTE_USER}s
In your reverse proxy configuration.
For example, the following configuration might be used in an SSPI configuration for Apache:
<VirtualHost>
    <Location />
        Order allow,deny
        Allow from all
        AuthName "FOO.COM"
        AuthType SSPI
        SSPIPackage NTLM
        SSPIOfferSSPI On
        SSPIAuth On
        SSPIAuthoritative On
        SSPIOmitDomain On
        SSPIOfferBasic On
        require valid-user
    </Location>
    # Proxy Configurations
    ProxyVia On
    ProxyPassInterpolateEnv On
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    ProxyPass / http://foo.com:8000/
    ProxyPassReverse / http://foo2.com:8000/
    ProxyPassReverseCookieDomain foo.com foo2.com
    ProxyPassReverseCookiePath / /
    RequestHeader set REMOTE_USER %{REMOTE_USER}s
</VirtualHost>
If the REMOTE_USER isn't being passed through, try replacing the RequestHeader line with the following:
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e
You may also have to set the remoteUser setting in web.conf to "REMOTE-USER" (dash rather than underscore):
web.conf:
[settings]
trustedIP = 127.0.0.1
remoteUser = REMOTE-USER
+1 for recommending 'REMOTE-USER' vs 'REMOTE_USER' in web.conf. I spent an hour trying to figure this out, tried the RequestHeader set REMOTE_USER %{REMOTE_USER}s trick, etc. I noticed that the SSO debug page at http://localhost/en-US/debug/sso was seeing a header called 'Remote-User' but I could not get REMOTE_USER to work for the life of me.
Assuming you want to authenticate users from Active Directory via an Apache proxy running on Linux, you could easily get this working by using either a free or paid version of Centrify.
The Centrify Suite Application Edition is a paid solution that supports SPNEGO/Kerberos and NTLM for silent authentication as well as BASIC or HTML forms for username/password authentication.
A free solution would be to configure Splunk for PAM authentication on Linux and use Centrify Express which supports AD authentication from Linux via PAM.
Cool thing about either approach is that you get very robust integration with Active Directory with support for auto-discovery of domain controllers, auto-setup and auto-management of Kerberos and you can even use either solution for authenticating users to the Linux OS.
I might try to see how I can package up the simple PAM + Centrify Express approach and submit it to the splunkbase.
SSPI is only available on Windows Apache, any word on how to get this going with Linux Apache?
Sorry to bump this thread.
I tried this exact configuration but the debug page keeps claiming that REMOTE_USER is null. I can see the user in the apache access.log so I know the authentication is indeed working. Whatever I do I cannot seem to populate the REMOTE_STRING. Any idea will be welcomed.
Thanks, Roy.
In web.conf, try 'REMOTE-USER' (with a dash) instead of 'REMOTE_USER' (with an underscore).
Based on Nate's response I got SSO working with the following config in apache. The only difference is that we use ssl to connect and a non standard ssl port on our splunk server:
<VirtualHost *:8082>
    <Location />
        Order allow,deny
        Allow from all
        AuthName "mysplunkserver.com"
        AuthType SSPI
        SSPIPackage NTLM
        SSPIOfferSSPI On
        SSPIAuth On
        SSPIAuthoritative On
        SSPIOmitDomain On
        SSPIOfferBasic On
        require valid-user
    </Location>
    # Proxy Configurations
    ProxyVia On
    ProxyPassInterpolateEnv On
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    ProxyPass / https://mysplunkserver.com:8082/
    ProxyPassReverse / https://mysplunkserver.com:8082/
    ProxyPassReverseCookieDomain mysplunkserver.com publicserver.com
    ProxyPassReverseCookiePath / /
    RequestHeader set REMOTE-USER %{REMOTE_USER}s
    SSLProxyEngine On
    AllowCONNECT 8082
</VirtualHost>
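The recurring failure in this thread is a mismatch between the header name the proxy sets and the remoteUser value in web.conf. The following is an added example, not code from the thread or from Splunk: a small Python check that compares the two files and confirms trustedIP is set. The sample inputs are constructed, the function names are hypothetical, and it assumes web.conf is simple enough for Python's configparser to read.

```python
import configparser
import re

# Constructed samples modelled on the configurations posted in this thread.
APACHE_CONF = """\
<VirtualHost *:8082>
    ProxyPass / https://mysplunkserver.com:8082/
    RequestHeader set REMOTE_USER %{REMOTE_USER}s
</VirtualHost>
"""
WEB_CONF = """\
[settings]
trustedIP = 127.0.0.1
remoteUser = REMOTE-USER
"""

def proxy_headers(apache_text):
    """Header names assigned by uncommented 'RequestHeader set' lines."""
    pat = re.compile(r"^\s*RequestHeader\s+set\s+(\S+)", re.I | re.M)
    return [m.group(1).strip('"') for m in pat.finditer(apache_text)]

def check_sso(apache_text, web_text):
    """Return a list of findings; an empty list means the two files agree."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: trustedIP, remoteUser
    cp.read_string(web_text)
    settings = cp["settings"] if cp.has_section("settings") else {}
    remote_user = settings.get("remoteUser", "").strip()
    trusted_ip = settings.get("trustedIP", "").strip()
    headers = proxy_headers(apache_text)
    findings = []
    if not trusted_ip:
        findings.append("web.conf: trustedIP is not set")
    if not remote_user:
        findings.append("web.conf: remoteUser is not set")
    if not headers:
        findings.append("apache: no 'RequestHeader set' line found")
    elif remote_user and remote_user.lower() not in [h.lower() for h in headers]:
        # HTTP header names are case-insensitive, so compare lowercased.
        findings.append(f"mismatch: proxy sets {headers}, web.conf expects {remote_user!r}")
    if "_" in remote_user:
        findings.append("web.conf: remoteUser contains '_'; posters here only got the dashed spelling to work")
    return findings

if __name__ == "__main__":
    for finding in check_sso(APACHE_CONF, WEB_CONF):
        print(finding)
```

Run against the constructed sample it reports the mismatch between REMOTE_USER on the proxy side and REMOTE-USER in web.conf; the /debug/sso page mentioned above remains the way to confirm what Splunk actually receives.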