I'm trying to configure Proxy SSO authentication, with PingAccess, for Splunk Enterprise v22.214.171.124.
But whatever I try and configure on Splunk side, I obtain this message in the splunkd logs :
DEBUG UiAuth - Value of header returned=<user id> INFO UiAuth - ProxySSO authType not configured, no groups header processing ERROR UiAuth - user=<user id> action=login status=failure reason=sso-failed useragent="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36" clientip=<proxy sso ip>
Here is my authentication.conf file:
[authentication] authType = ProxySSO [roleMap_proxySSO] user_0 = P_SPLUNK_CONSULT-DATA-ALL_PUBLIC user_1 = P_SPLUNK_CONSULT-DATA-IT_INTERNE user_2 = P_SPLUNK_CONSULT-DATA-IT_CONFIDENT admin = pg_splunk
And my web.conf file:
[settings] SSOMode = permissive trustedIP = 127.0.0.1,<proxy sso ip> remoteUser = REMOTE_USER remoteGroups = REMOTE_GROUPS remoteGroupsQuoted = false allowSsoWithoutChangingServerConf = 1 enableSplunkWebSSL = 0 enableWebDebug = true
The SSO debug page looks well, but the line "Value of REMOTEGROUPS" remains empty (the user is ok).
And at the bottom of the page, in the "other http headers", there is the header "REMOTEGROUPS" which contains the right list of groups, separated by commas, without quotes.
According to the groups list and the group mapping rules, the user should obtain the first 3 roles (user0, user1, user_2).
What did I miss ??
I added a default role in authentication.conf:
[authentication] authSettings = my_proxy authType = ProxySSO [my_proxy] defaultRoleIfMissing = user
And the behaviour is the same, I receive an "unauthorized" error, even with the "defaultRoleIfMissing" configuration !