We are using Apache HTTP to proxy to Splunk. The short version is that we extract creds and put them in the "Remote-User" header. I can provide more complete info if it might help.
Through Splunk Web, I created a user 'myname'. Going to https://apache-server/splunk/en-US/debug/sso displays that SSO is enabled, Value of Remote-User is 'myname', and SSO will be used to authenticate this request.
However, navigating to https://apache-server/splunk/ Prompts me to login.
We have a nearly identical setup where this is working properly. The major difference is that the working version proxies to localhost (127.0.0.1). The other version uses a private address (a trustedIP) to contact Splunk.
Could this network mismatch have any impact?
Does the host name enter into SSO in a different way than /debug/sso shows? Is there an internal log I can search against that provides better information?
Using: Splunk 4.1.1 Apache 2.x https proxying to http Linux Magic Ponies
Output of "https://apache-server/splunk/en-US/debug/sso" Could help debugging.
If the trusted IP & SSO settings are correct,
You should see under "Remote User HTTP Header" section:
Remote User HTTP Header Remote-User
Value of Remote-User myname
Depending on the proxy you are using, check whether you are getting REMOTE-USER or REMOTE_USER field in the request header at the Splunk side and make sure thats what Splunk expects.
Just some suggestions...
Those parameters are being shown in the /debug/sso page.
The "Value of Remote-User" is 'myname'.
As best I can tell, Splunk is getting what it needs. My next debug process would be to see if Splunk is rejecting SSO creds, or if it thinks it never gets them. Anybody know if I can turn logging to a different level or anything?
Yes, the IP does matter. Did you set
trustedIP and verify that it matches what is coming into Splunk (e.g., not changed by NAT or something)?
The default is that Splunk will only trust 127.0.0.1 for SSO requests, and require login for requests from anywhere else. This is so that someone can't just set up their own proxy or browser plugin to send a header with a username and get into Splunk without providing a password.
So, you need to configure the ip address of your Apache server into
trustedIP to let Splunk know that requests from those addresses do not need further authentication, and the IP there must match what Splunk sees in
Actually, you may need to configure it into
This post led me to the right configuration. I misunderstood the purpose of the two trustedIP properties. In actuality, the web.conf needed my web proxy 10.1.1.x as a trustedIP to say that splunkweb trusted the proxy.
The server.conf needed the splunkweb ip (127.0.0.1) as a trustedIP to say the daemon trusted the web, which was running locally.
trustedIP = 127.0.0.1