I'm trying to configure Proxy SSO authentication, with PingAccess, for Splunk Enterprise v126.96.36.199.
But whatever I try and configure on Splunk side, I obtain this message in the splunkd logs :
DEBUG UiAuth - Value of header returned=<user id> INFO UiAuth - ProxySSO authType not configured, no groups header processing ERROR UiAuth - user=<user id> action=login status=failure reason=sso-failed useragent="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36" clientip=<proxy sso ip>
Here is my authentication.conf file:
[authentication] authType = ProxySSO [roleMap_proxySSO] user_0 = P_SPLUNK_CONSULT-DATA-ALL_PUBLIC user_1 = P_SPLUNK_CONSULT-DATA-IT_INTERNE user_2 = P_SPLUNK_CONSULT-DATA-IT_CONFIDENT admin = pg_splunk
And my web.conf file:
[settings] SSOMode = permissive trustedIP = 127.0.0.1,<proxy sso ip> remoteUser = REMOTE_USER remoteGroups = REMOTE_GROUPS remoteGroupsQuoted = false allowSsoWithoutChangingServerConf = 1 enableSplunkWebSSL = 0 enableWebDebug = true
The SSO debug page looks well, but the line "Value of REMOTE_GROUPS" remains empty (the user is ok).
And at the bottom of the page, in the "other http headers", there is the header "REMOTE_GROUPS" which contains the right list of groups, separated by commas, without quotes.
According to the groups list and the group mapping rules, the user should obtain the first 3 roles (user_0, user_1, user_2).
What did I miss ??
I added a default role in authentication.conf:
[authentication] authSettings = my_proxy authType = ProxySSO [my_proxy] defaultRoleIfMissing = user
And the behaviour is the same, I receive an "unauthorized" error, even with the "defaultRoleIfMissing" configuration !