Security

SSO: configuration example of an Apache proxy to CAS

wsw70
Communicator

Hello,

I would like to connect my splunk installation to the enterprise SSO system, based on CAS.
I read the splunk docs about SSO but I do not know how to configure an Apache proxy so that it relays correctly to and from a CAS server (whenever I googled the question I always see people who "have successfully configured their CAS proxy" :))

I would appreciate very much an example of real-life Apache configuration I could readily uise to go ahead with SSO (without reinventing the wheel in the process)

Thank you!

0 Karma
1 Solution

wsw70
Communicator

I finally managed to do this with the configuration below. splunk.example.com:8000 is the actual site to be accessed, cas.example.com is the CAS server. The proxy is on the same machine and will be defined in a VirtualHost.

Apache

The VirtualHost which serves the to-be-SSO-ed application (splunk.example.com:8000) (I did not manage to use below the opening bracket < as it is interpreted as a tag so I replaced it with [)

[VirtualHost splunk.example.com:80>
ServerName splunk.example.com
DocumentRoot /var/www
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://cas.example.com/cas/login?gateway=true
CASValidateURL  https://cas.example.com/cas/proxyValidate
[Location />
        Authtype CAS
        require valid-user
        CASAuthNHeader Cas-User
[/Location>
ProxyPreserveHost On
ProxyPass        / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
[/VirtualHost>

CAS

The module to load is mod_auth_cas. The version I had on Debian failed on some crypto module, it is enough to clone the git repository, configure, make and install and it works out of the box

splunk

I did not manage to use REMOTE_USER (this is a bug, also described in another post with great details) and had to use Cas-User per the Apache config

View solution in original post

0 Karma

wsw70
Communicator

I finally managed to do this with the configuration below. splunk.example.com:8000 is the actual site to be accessed, cas.example.com is the CAS server. The proxy is on the same machine and will be defined in a VirtualHost.

Apache

The VirtualHost which serves the to-be-SSO-ed application (splunk.example.com:8000) (I did not manage to use below the opening bracket < as it is interpreted as a tag so I replaced it with [)

[VirtualHost splunk.example.com:80>
ServerName splunk.example.com
DocumentRoot /var/www
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://cas.example.com/cas/login?gateway=true
CASValidateURL  https://cas.example.com/cas/proxyValidate
[Location />
        Authtype CAS
        require valid-user
        CASAuthNHeader Cas-User
[/Location>
ProxyPreserveHost On
ProxyPass        / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
[/VirtualHost>

CAS

The module to load is mod_auth_cas. The version I had on Debian failed on some crypto module, it is enough to clone the git repository, configure, make and install and it works out of the box

splunk

I did not manage to use REMOTE_USER (this is a bug, also described in another post with great details) and had to use Cas-User per the Apache config

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...