SSO: configuration example of an Apache proxy to CAS

wsw70
Communicator

Hello,

I would like to connect my Splunk installation to the enterprise SSO system, based on CAS.
I read the Splunk docs about SSO but I do not know how to configure an Apache proxy so that it relays correctly to and from a CAS server (whenever I googled the question I always see people who "have successfully configured their CAS proxy" :))

I would appreciate very much an example of real-life Apache configuration I could readily use to go ahead with SSO (without reinventing the wheel in the process).

Thank you!


wsw70
Communicator

I finally managed to do this with the configuration below. splunk.example.com:8000 is the actual site to be accessed, cas.example.com is the CAS server. The proxy is on the same machine and will be defined in a VirtualHost.

Apache

The VirtualHost which serves the to-be-SSO-ed application (splunk.example.com:8000) (I did not manage to use below the opening bracket < as it is interpreted as a tag so I replaced it with [)

[VirtualHost splunk.example.com:80>
ServerName splunk.example.com
DocumentRoot /var/www
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://cas.example.com/cas/login?gateway=true
CASValidateURL  https://cas.example.com/cas/proxyValidate
[Location />
        Authtype CAS
        require valid-user
        CASAuthNHeader Cas-User
[/Location>
ProxyPreserveHost On
ProxyPass        / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
[/VirtualHost>

CAS

The module to load is mod_auth_cas. The version I had on Debian failed on some crypto module; it is enough to clone the git repository, configure, make and install, and it works out of the box.

splunk

I did not manage to use REMOTE_USER (this is a bug, also described in another post with great details) and had to use Cas-User per the Apache config.
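
Added example (not part of the original post, and not code from mod_auth_cas or Splunk): a script that audits a vhost like the one in the answer for how the Cas-User identity header reaches the backend. The sample config is constructed from the post with `<` restored and trimmed; the checks assume mod_auth_cas's `CASScrubRequestHeaders` directive and that a vhost on port 80 has no TLS.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: the vhost from the post, trimmed, with "<" restored.
SAMPLE_VHOST = """\
<VirtualHost splunk.example.com:80>
<Location />
    AuthType CAS
    Require valid-user
    CASAuthNHeader Cas-User
</Location>
ProxyPass / http://localhost:8000/
</VirtualHost>
"""

def directives(conf):
    """Map lower-cased directive name -> list of argument strings."""
    found = {}
    for line in conf.splitlines():
        parts = line.strip().strip("<>").split(None, 1)
        if parts and not parts[0].startswith("#"):
            found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def is_loopback(host):
    """True for 'localhost' or a literal loopback IP; other names are not resolved."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except (ValueError, TypeError):
        return False

def audit(conf):
    """Return findings about how the CAS identity header reaches the backend."""
    d, findings = directives(conf), []
    header = (d.get("casauthnheader") or [""])[0]
    scrub = [a.lower() for a in d.get("casscrubrequestheaders", [])]
    if header and "on" not in scrub:  # assumes mod_auth_cas's CASScrubRequestHeaders
        findings.append(f"{header}: client-supplied copies are not scrubbed")
    for tok in " ".join(d.get("proxypass", [])).split():
        if header and "://" in tok and not is_loopback(urlsplit(tok).hostname):
            findings.append(f"{header}: forwarded to non-loopback backend {urlsplit(tok).hostname}")
    for addr in d.get("virtualhost", []):
        if addr.endswith(":80"):  # assumption: port 80 means no TLS
            findings.append(f"{addr}: CAS ticket and session cookie travel over plain HTTP")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_VHOST)))
```

On the Splunk side, `trustedIP` in web.conf should list only the proxy's address so that Splunk accepts the header from nothing else.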
