SSO and user session timeout

yoho
Contributor

For people already using Splunk with SSO, I was wondering: what happens if your user session times out? Was the timeout simply removed? Are you redirected to the login page?

Many thanks for your answers

0 Karma

josesolis
Splunk Employee

One issue users may be facing is:

The proxy is not able to time out due to the dashboard pinging the search jobs every 3 minutes or so.

The solution is to listen for the UI inactivity timeout and cancel the jobs once we have reached the UI inactivity timeout, to allow the proxy to time out.

There are two options:
1. Edit their existing HTML dashboards to require 'helpers/Session' and, for each search job, listen for the Session timeout and cancel the jobs as shown below.

    require([
        "splunkjs/mvc",
        "splunkjs/mvc/utils",
        "splunkjs/mvc/tokenutils",
        "underscore",
        "jquery",
        "splunkjs/mvc/simplexml",
        "splunkjs/mvc/headerview",
        "splunkjs/mvc/footerview",
        "splunkjs/mvc/simplexml/dashboardview",
        "splunkjs/mvc/simplexml/dashboard/panelref",
        "splunkjs/mvc/simplexml/element/chart",
        "splunkjs/mvc/simplexml/element/event",
        "splunkjs/mvc/simplexml/element/html",
        "splunkjs/mvc/simplexml/element/list",
        "splunkjs/mvc/simplexml/element/map",
        "splunkjs/mvc/simplexml/element/single",
        "splunkjs/mvc/simplexml/element/table",
        "splunkjs/mvc/simpleform/formutils",
        "splunkjs/mvc/simplexml/eventhandler",
        "splunkjs/mvc/simpleform/input/dropdown",
        "splunkjs/mvc/simpleform/input/radiogroup",
        "splunkjs/mvc/simpleform/input/multiselect",
        "splunkjs/mvc/simpleform/input/checkboxgroup",
        "splunkjs/mvc/simpleform/input/text",
        "splunkjs/mvc/simpleform/input/timerange",
        "splunkjs/mvc/simpleform/input/submit",
        "splunkjs/mvc/searchmanager",
        "splunkjs/mvc/savedsearchmanager",
        "splunkjs/mvc/postprocessmanager",
        "splunkjs/mvc/simplexml/urltokenmodel",
        'helpers/Session'
        // Add comma-separated libraries and modules manually here, for example:
        // ..."splunkjs/mvc/simplexml/urltokenmodel",
        // "splunkjs/mvc/checkboxview"
        ],
        function(
            mvc,
            utils,
            TokenUtils,
            _,
            $,
            DashboardController,
            HeaderView,
            FooterView,
            Dashboard,
            PanelRef,
            ChartElement,
            EventElement,
            HtmlElement,
            ListElement,
            MapElement,
            SingleElement,
            TableElement,
            FormUtils,
            EventHandler,
            DropdownInput,
            RadioGroupInput,
            MultiSelectInput,
            CheckboxGroupInput,
            TextInput,
            TimeRangeInput,
            SubmitButton,
            SearchManager,
            SavedSearchManager,
            PostProcessManager,
            UrlTokenModel,
            Session
        ) {
            // search1 is a SearchManager instance defined elsewhere in the
            // HTML dashboard; repeat this handler for each search job.
            search1.on('search:done', function() {
                // Once the UI inactivity timeout fires, cancel the job so the
                // dashboard stops pinging it and the proxy session can expire.
                Session.on('timeout', function() {
                    search1.cancel();
                }, this);
            });
        }
    );

2. Use the cancel_search_managers.js script pasted below. This script will iterate over all search jobs and cancel them once the UI inactivity timeout has been reached, in order to allow the proxy to time out.
    To use this script, you will need to include it in the appserver/static directory for all of the apps they want searches to be cancelled on timeout. You would include the file in etc/apps/app/appserver/static/

    require([
        'splunkjs/mvc/searchmanager',
        'splunkjs/mvc',
        'helpers/Session',
        'underscore',
        'splunkjs/mvc/simplexml/ready!'
    ], function(
        SearchManager,
        mvc,
        Session,
        _
    ) {
        // Fires when the UI inactivity timeout has been reached.
        Session.on('timeout', function() {
            // Walk every registered component, keep only the search
            // managers, and cancel each one so the job pings stop.
            _(splunkjs.mvc.Components.toJSON()).chain().filter(
                function(cmp) {
                    return cmp instanceof SearchManager;
                }
            ).each(
                function(mgr) {
                    mgr.cancel();
                }
            );
        }, this);
    });
    

Next, update the Simple XML dashboards and add the script attribute to the form or dashboard element. For example:

<form script="cancel_search_managers.js">
0 Karma
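An added illustration of the timing problem described in the answer above (not part of the original post and not Splunk code): a minute-by-minute model of the proxy's idle timer while a dashboard tab sits open and untouched. The function name and the 60/30/2 minute timeout values are assumptions made up for the example; only the roughly 3 minute job ping comes from the post.

```javascript
// Constructed model: t is minutes since the user's last real interaction.
// The proxy session expires once it has seen no request for `proxyIdle` minutes.
function simulateProxySession(opts) {
  const { pingEvery, uiTimeout, proxyIdle, cancelOnUiTimeout, horizon } = opts;
  let lastRequest = 0; // last request the proxy saw (the user's click at t = 0)
  let lastPing = null; // last job ping sent by the idle dashboard
  for (let t = 1; t <= horizon; t++) {
    // With the fix in place, jobs are cancelled when the UI timeout fires,
    // so no further pings are sent from that minute on.
    const jobsAlive = !(cancelOnUiTimeout && t >= uiTimeout);
    if (jobsAlive && t % pingEvery === 0) {
      lastRequest = t; // the ping passes through the proxy and resets its idle timer
      lastPing = t;
    }
    if (t - lastRequest >= proxyIdle) {
      return { proxyExpiredAt: t, lastPing };
    }
  }
  return { proxyExpiredAt: null, lastPing }; // never expired within the horizon
}

// Constructed sample settings (minutes): 8 hours of an unattended dashboard.
const base = { pingEvery: 3, uiTimeout: 60, proxyIdle: 30, horizon: 480 };

// No cancel handler: pings every 3 minutes keep the proxy session alive all day.
const withoutCancel = simulateProxySession({ ...base, cancelOnUiTimeout: false });

// Cancel on UI timeout: last ping at minute 57, proxy expires 30 minutes later.
const withCancel = simulateProxySession({ ...base, cancelOnUiTimeout: true });

// Edge case: a proxy idle timeout shorter than the ping interval expires
// regardless of the pings, so the handler makes no difference there.
const shortProxy = simulateProxySession({ ...base, proxyIdle: 2, cancelOnUiTimeout: false });

console.log({ withoutCancel, withCancel, shortProxy });
```

In this model the effective idle window with the handler installed is the UI inactivity timeout plus the proxy's own idle timeout, which is the figure to size against the session lifetime you actually want.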

linu1988
Champion

Hello Yoho,
As the Splunk documentation mentions about session management in SSO, the user session will not be over by default.

Session management:
Since there is no simple log out for a session and Splunk will preserve a session as long as the correct header information is contained in the proxy header, you should set your proxy's session timeout value with this in mind.

Keep in mind it will not redirect you to the login page, or if it does you will not be able to use any credential as it's SSO; you are already authenticated through LDAP.

If you have any problem with the web, just close the browser and re-open it. Splunk will create a new session if there isn't one existing for the same IP/USER. Thanks, hope it helps.

linu1988
Champion

Yes, it should do the logout from the Splunk side as well, from what I can think of, because we are cancelling the current session ID. I am not fully sure of it, but as Splunk suggests you can end a session forcibly through REST, your question may be correct.

Please see the document for more clarity:
http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkSSO

0 Karma

yoho
Contributor

Thanks.

So does it mean the proxy timeout should be lower than (or equal to) Splunk's one to avoid getting the Splunk login page?

Am I correct to say the second sentence in the doc suggests the proxy should log out the user on the Splunk side when it's logged out on the proxy side (either by timeout or by logging out deliberately)?

0 Karma