We are using Apache HTTP to proxy to Splunk. The short version is that we extract creds and put them in the "Remote-User" header. I can provide more complete info if it might help.
Through Splunk Web, I created a user 'myname'. Going to https://apache-server/splunk/en-US/debug/sso displays that SSO is enabled, Value of Remote-User is 'myname', and SSO will be used to authenticate this request.
However, navigating to https://apache-server/splunk/ prompts me to log in.
We have a nearly identical setup where this is working properly. The major difference is that the working version proxies to localhost (127.0.0.1). The other version uses a private address (a trustedIP) to contact Splunk.
Could this network mismatch have any impact?
Does the host name enter into SSO in a different way than /debug/sso shows?
Is there an internal log I can search against that provides better information?
Using:
Splunk 4.1.1
Apache 2.x
https proxying to http
Linux
Magic Ponies
Yes, the IP does matter. Did you set trustedIP and verify that it matches what is coming into Splunk (e.g., not changed by NAT or something)?
The default is that Splunk will only trust 127.0.0.1 for SSO requests, and require login for requests from anywhere else. This is so that someone can't just set up their own proxy or browser plugin to send a header with a username and get into Splunk without providing a password.
So, you need to configure the IP address of your Apache server into server.conf, under [general], trustedIP to let Splunk know that requests from those addresses do not need further authentication, and the IP there must match what Splunk sees in /debug/sso.
Update:
Actually, you may need to configure it into web.conf under [settings] too.
This post led me to the right configuration. I misunderstood the purpose of the two trustedIP properties. In actuality, the web.conf needed my web proxy 10.1.1.x as a trustedIP to say that splunkweb trusted the proxy.
The server.conf needed the splunkweb ip (127.0.0.1) as a trustedIP to say the daemon trusted the web, which was running locally.
In short:
(server.conf)
trustedIP = 127.0.0.1
(web.conf)
trustedIP = 10.1.1.x
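
The two-hop trust described in the comment above (proxy to splunkweb in web.conf, splunkweb to splunkd in server.conf) can be checked offline against the two files. This is an added example, not part of the original thread and not Splunk tooling; the function names, the sample file contents and the 192.0.2.10 proxy address are constructed, and treating trustedIP as a comma-separated list is an assumption.

```python
import configparser

PROXY_IP = "192.0.2.10"  # constructed placeholder for the Apache proxy address

# Constructed sample file contents (not taken from the thread).
GOOD_SERVER = "[general]\ntrustedIP = 127.0.0.1\n"
GOOD_WEB = "[settings]\ntrustedIP = 192.0.2.10\n"
# Misreading of the two settings: proxy IP placed in server.conf, none in web.conf.
BAD_SERVER = "[general]\ntrustedIP = 192.0.2.10\n"
BAD_WEB = "[settings]\n"


def trusted_ips(conf_text, stanza):
    """Return the trustedIP values set under [stanza] in a .conf file's text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the key's case as written
    parser.read_string(conf_text)
    if not parser.has_option(stanza, "trustedIP"):
        return []
    # Assumption: the value may list several addresses separated by commas.
    raw = parser.get(stanza, "trustedIP")
    return [ip.strip() for ip in raw.split(",") if ip.strip()]


def check_sso_trust(server_conf, web_conf, proxy_ip, splunkweb_ip="127.0.0.1"):
    """Check both hops: proxy -> splunkweb (web.conf), splunkweb -> splunkd (server.conf)."""
    problems = []
    web = trusted_ips(web_conf, "settings")
    srv = trusted_ips(server_conf, "general")
    if proxy_ip not in web:
        problems.append(
            f"web.conf [settings] trustedIP {web} does not include proxy {proxy_ip}")
    if splunkweb_ip not in srv:
        problems.append(
            f"server.conf [general] trustedIP {srv} does not include splunkweb {splunkweb_ip}")
    return problems


if __name__ == "__main__":
    for label, srv, web in (("good", GOOD_SERVER, GOOD_WEB), ("bad", BAD_SERVER, BAD_WEB)):
        issues = check_sso_trust(srv, web, PROXY_IP)
        print(label, "->", issues or "both hops trusted")
```
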
Hi,
Output of "https://apache-server/splunk/en-US/debug/sso" could help debugging.
Meanwhile..
If the trusted IP & SSO settings are correct, you should see under "Remote User HTTP Header" section:
Remote User HTTP Header Remote-User
Value of Remote-User myname
Depending on the proxy you are using, check whether you are getting REMOTE-USER or REMOTE_USER field in the request header at the Splunk side and make sure that's what Splunk expects.
Just some suggestions...
-Kris
Those parameters are being shown in the /debug/sso page.
The "Value of Remote-User" is 'myname'.
As best I can tell, Splunk is getting what it needs. My next debug process would be to see if Splunk is rejecting SSO creds, or if it thinks it never gets them. Anybody know if I can turn logging to a different level or anything?