Security

How do I make Single Sign On work with mod_proxy

Path Finder

We are trying to deploy splunk with SSO according to documentation found on http://www.splunk.com/base/Documentation/4.1/Admin/Usesinglesign-onwithSplunk but are hitting a wall.

The suspicion is that mod_proxy does not proxy the remote_user variable needed by Splunk. Anyone know if this and true and known a way around this?

2 Solutions

Splunk Employee
Splunk Employee

We don't require that the variable representing the user be remote_user. You can configure the 'remoteUser' variable to say how your proxy server spells it. To try to see what your proxy server might be sending, try accessing http://YourSplunkServer:8000/debug/sso

See also: http://docs.splunk.com/Documentation/Splunk/5.0/Security/ConfigureSplunkSSO

View solution in original post

Splunk Employee
Splunk Employee

Assuming your auth module provides a REMOTE_USER variable in the context of the apache request, you probably need to provide a line like this:

RequestHeader set REMOTE_USER %{REMOTE_USER}s   

In your reverse proxy configuration.

For example, the following configuration might be used in an SSPI configuration for Apache:

<VirtualHost>
<Location />
    Order allow,deny
    Allow from all

    AuthName "FOO.COM"
    AuthType SSPI
    SSPIPackage NTLM
    SSPIOfferSSPI On
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOmitDomain On
    SSPIOfferBasic On
    require valid-user 
</Location> 
# Proxy Configurations
ProxyVia On
ProxyPassInterpolateEnv On
<Proxy *>
    Order allow,deny
    Allow from all
</Proxy>
ProxyPass / http://foo.com:8000/
ProxyPassReverse / http://foo2.com:8000/
ProxyPassReverseCookieDomain foo.com foo2.com
ProxyPassReverseCookiePath / /
RequestHeader set REMOTE_USER %{REMOTE_USER}s   

</VirtualHost>

View solution in original post

Splunk Employee
Splunk Employee

If the REMOTE_USER isn't being passed through, try replacing the RequestHeader line with the following:

RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e

You may also have to set the remoteUser setting in web.conf to "REMOTE-USER" (dash rather than underscore):

web.conf:

[settings]
trustedIP = 127.0.0.1
remoteUser = REMOTE-USER

Contributor

+1 for recommending 'REMOTE-USER' vs 'REMOTEUSER' in web.conf. I spent an hour trying to figure this out, tried the `RequestHeader set REMOTEUSER %{REMOTEUSER}s` trick, etc. I noticed that the SSO debug page at http://localhost/en-US/debug/sso was seeing a header called 'Remote-User' but I could not get REMOTEUSER to work for the life of me.

0 Karma

Explorer

Assuming you want to authenticate users from Active Directory via an Apache proxy running on Linux, you could easily get this working by using either a free or paid version of Centrify.

The Centrify Suite Application Edition is a paid solution that supports SPNEGO/Kerberos and NTLM for silent authentication as well as BASIC or HTLM forms for username/password authentication.

A free solution would be to configure Splunk for PAM authentication on Linux and use Centrify Express which supports AD authentication from Linux via PAM.

Cool thing about either approach is that you get very robust integration with Active Directory with support for auto-discovery of domain controllers, auto-setup and auto-management of Kerberos and you can even use either solution for authenticating users to the Linux OS.

I might try to see how I can package up the simple PAM + Centrify Express approach and submit it to the splunkbase.

Communicator

SSPI is only available on Windows Apache, any word on how to get this going with Linux Apache?

0 Karma

Engager

Sorry to bump this thread.

I tried this exact configuration but the debug page keeps claiming that REMOTE_USER is null. I can see the user in the apache access.log so I know the authenication is indeed working. Whatever I do I cannot seem to populate the REMOTE_STRING. Any idea will be welcomed

Thanks, Roy.

Contributor

In web.conf try 'REMOTE-USER' (with a dash) instead of 'REMOTE_USER' (with an underscore).

0 Karma

Motivator

Based on Nates response I got SSO working with the following config in apache. The only difference is that we use ssl to connect and a non standard ssl port on our splunk server:

<VirtualHost *:8082>
    <Location />   
        Order allow,deny    
        Allow from all    
        AuthName "mysplunkserver.com"    
        AuthType SSPI    
        SSPIPackage NTLM    
        SSPIOfferSSPI On    
        SSPIAuth On    
        SSPIAuthoritative On    
        SSPIOmitDomain On    
        SSPIOfferBasic On    
        require valid-user 
    </Location> 
    # Proxy Configurations
    ProxyVia On
    ProxyPassInterpolateEnv On
    <Proxy *>    
        Order allow,deny    
        Allow from all
    </Proxy>
    ProxyPass / https://mysplunkserver.com:8082/
    ProxyPassReverse / https://mysplunkserver.com:8082/
    ProxyPassReverseCookieDomain mysplunkserver.com publicserver.com
    ProxyPassReverseCookiePath / /
    RequestHeader set REMOTE-USER %{REMOTE_USER}s
    SSLProxyEngine On   
    AllowCONNECT 8082       
</VirtualHost>

Splunk Employee
Splunk Employee

Assuming your auth module provides a REMOTE_USER variable in the context of the apache request, you probably need to provide a line like this:

RequestHeader set REMOTE_USER %{REMOTE_USER}s   

In your reverse proxy configuration.

For example, the following configuration might be used in an SSPI configuration for Apache:

<VirtualHost>
<Location />
    Order allow,deny
    Allow from all

    AuthName "FOO.COM"
    AuthType SSPI
    SSPIPackage NTLM
    SSPIOfferSSPI On
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOmitDomain On
    SSPIOfferBasic On
    require valid-user 
</Location> 
# Proxy Configurations
ProxyVia On
ProxyPassInterpolateEnv On
<Proxy *>
    Order allow,deny
    Allow from all
</Proxy>
ProxyPass / http://foo.com:8000/
ProxyPassReverse / http://foo2.com:8000/
ProxyPassReverseCookieDomain foo.com foo2.com
ProxyPassReverseCookiePath / /
RequestHeader set REMOTE_USER %{REMOTE_USER}s   

</VirtualHost>

View solution in original post

Splunk Employee
Splunk Employee

We don't require that the variable representing the user be remote_user. You can configure the 'remoteUser' variable to say how your proxy server spells it. To try to see what your proxy server might be sending, try accessing http://YourSplunkServer:8000/debug/sso

See also: http://docs.splunk.com/Documentation/Splunk/5.0/Security/ConfigureSplunkSSO

View solution in original post