This is maddening but at this point, I know how to work around it but not why I am seeing it. I am setting up SSO and, as far as I can tell, REMOTE_USER is being ignored or scrubbed within splunkweb. Splunk is 4.3.2; I think I saw pretty much the same behaviour when I was first setting up SSO on another host a couple of years ago; it was 4.0 or 4.1 at the time.
I have looked at a number of the other questions related to this topic and some seem to kinda dance around this issue (notice the bits at the bottom about REMOTE-USER):
Does anybody know what's going on here? I have a working setup now, but I believe this is a bug that causes more than a little confusion.
I have Apache with
mod_proxy setup to reverse-proxy the requests to localhost:8000. Through several methods, I have it passing 4 HTTP request headers:
X-Forwarded-User. I have verified this with
# tcpdump -s0 -A -i lo port 8000 ... GET /en-US/debug/sso HTTP/1.1 Host: localhost:8000 Cache-Control: max-age=0 Pragma: no-cache User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: UTF-8,*;q=0.5 Cookie: MOD_AUTH_CAS=***; session_id_8000=*** CAS-User: wcooley REMOTE_USER: wcooley REMOTE-USER: wcooley X-Forwarded-User: wcooley Via: 1.1 splunkhost.example.com X-Forwarded-For: x.x.x.x X-Forwarded-Host: splunkhost.example.com X-Forwarded-Server: splunkhost.example.com Connection: Keep-Alive
trustedIP in both
web.conf are 127.0.0.1.
web.conf is set to
X-Forwarded-User, SSO works. The SSO debug has, for example:
Remote User HTTP Header Cas-User Value of Cas-User wcooley
remoteUser is set to
REMOTE_USER or is unset (yes, I tested both), then SSO does not work:
Remote User HTTP Header REMOTE_USER Value of REMOTE_USER Not set. SSO may not be enabled or you may not be accessing Splunk via your proxy server.
And I am redirected to the login page for other requests. Also, "Other HTTP Headers" has the following:
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Charset UTF-8,*;q=0.5 Accept-Encoding gzip,deflate,sdch Accept-Language en-US,en;q=0.8 Cas-User wcooley Connection Keep-Alive Cookie ... Host localhost:8000 Remote-Addr 127.0.0.1 Remote-User wcooley User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19 Via 1.1 splunkserver.example.com X-Forwarded-For x.x.x.x X-Forwarded-Host splunkserver.example.com X-Forwarded-Server splunkserver.example.com X-Forwarded-User wcooley
Notice that REMOTEUSER is not set, but REMOTE-USER is. I tried separately disabling REMOTEUSER and REMOTE-USER, but in all three cases (both enabled, only one of each enabled) the result appears to be the same.
Just to ensure that my
mod_auth_cas SSO provider wasn't secretly doing something obnoxious, I switched to basic auth in Apache, with the same results (except, of course, Cas-User wasn't included in the headers).
I can't get REMOTE-USER to work, either. Our config worked before 4.3 .. LDAP works fine, SSO debug page says SSO will be used, but the search app insists user=UNKNOWN_USER. I really want to upgrade to 4.3 but here we are at 4.3.3 with no resolution. Come on Splunk, fix this!
Same problem with splunk 5.0.1. Thanks for the solution, I would never have guessed that REMOTE_HOST does not work (I posted my config at http://splunk-base.splunk.com/answers/75090/sso-configuration-example-of-an-apache-proxy-to-cas, cross-referencing your solution on the way)
My observation is, that Splunk (maybe only in certain version) only accepts HTTP-headers for SSO not containing any special character. At least, it works for me when using something like "SPLUNKUSER"
REMOTE_USER as the HTTP header or something else?
(To save everyone else the trouble of figuring out what "ARR v2.5 and URL rewriter 2.0" are: They're part of Microsoft IIS.)
@Simon: I did not test extensively but if the "special character" not to use would be the underscore, it would clash with splunk's documentation (where REMOTEUSER is mentioned). Unfortunately it appears that it could be the case (I do not know if a header like HELLOWORLD would work or is it just REMOTE_USER which is specifically a problem).
Anyway - this is a bug and I will open a ticket with splunk about that.