Security

SSO: configuration example of an Apache proxy to CAS

Communicator

Hello,

I would like to connect my splunk installation to the enterprise SSO system, based on CAS.
I read the splunk docs about SSO but I do not know how to configure an Apache proxy so that it relays correctly to and from a CAS server (whenever I googled the question I always see people who "have successfully configured their CAS proxy" :))

I would appreciate very much an example of real-life Apache configuration I could readily uise to go ahead with SSO (without reinventing the wheel in the process)

Thank you!

0 Karma
1 Solution

Communicator

I finally managed to do this with the configuration below. splunk.example.com:8000 is the actual site to be accessed, cas.example.com is the CAS server. The proxy is on the same machine and will be defined in a VirtualHost.

Apache

The VirtualHost which serves the to-be-SSO-ed application (splunk.example.com:8000) (I did not manage to use below the opening bracket < as it is interpreted as a tag so I replaced it with [)

[VirtualHost splunk.example.com:80>
ServerName splunk.example.com
DocumentRoot /var/www
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://cas.example.com/cas/login?gateway=true
CASValidateURL  https://cas.example.com/cas/proxyValidate
[Location />
        Authtype CAS
        require valid-user
        CASAuthNHeader Cas-User
[/Location>
ProxyPreserveHost On
ProxyPass        / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
[/VirtualHost>

CAS

The module to load is mod_auth_cas. The version I had on Debian failed on some crypto module, it is enough to clone the git repository, configure, make and install and it works out of the box

splunk

I did not manage to use REMOTE_USER (this is a bug, also described in another post with great details) and had to use Cas-User per the Apache config

View solution in original post

0 Karma

Communicator

I finally managed to do this with the configuration below. splunk.example.com:8000 is the actual site to be accessed, cas.example.com is the CAS server. The proxy is on the same machine and will be defined in a VirtualHost.

Apache

The VirtualHost which serves the to-be-SSO-ed application (splunk.example.com:8000) (I did not manage to use below the opening bracket < as it is interpreted as a tag so I replaced it with [)

[VirtualHost splunk.example.com:80>
ServerName splunk.example.com
DocumentRoot /var/www
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://cas.example.com/cas/login?gateway=true
CASValidateURL  https://cas.example.com/cas/proxyValidate
[Location />
        Authtype CAS
        require valid-user
        CASAuthNHeader Cas-User
[/Location>
ProxyPreserveHost On
ProxyPass        / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
[/VirtualHost>

CAS

The module to load is mod_auth_cas. The version I had on Debian failed on some crypto module, it is enough to clone the git repository, configure, make and install and it works out of the box

splunk

I did not manage to use REMOTE_USER (this is a bug, also described in another post with great details) and had to use Cas-User per the Apache config

View solution in original post

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!