Security

SSO works with anything but REMOTE_USER

Wilcooley
Path Finder

This is maddening but at this point, I know how to work around it but not why I am seeing it. I am setting up SSO and, as far as I can tell, REMOTE_USER is being ignored or scrubbed within splunkweb. Splunk is 4.3.2; I think I saw pretty much the same behaviour when I was first setting up SSO on another host a couple of years ago; it was 4.0 or 4.1 at the time.

I have looked at a number of the other questions related to this topic and some seem to kinda dance around this issue (notice the bits at the bottom about REMOTE-USER):

how-do-i-make-single-sign-on-work-with-mod_proxy

Does anybody know what's going on here? I have a working setup now, but I believe this is a bug that causes more than a little confusion.

I have Apache with mod_proxy set up to reverse-proxy the requests to localhost:8000. Through several methods, I have it passing 4 HTTP request headers: Cas-User, REMOTE-USER, REMOTE_USER and X-Forwarded-User. I have verified this with tcpdump:

# tcpdump -s0 -A -i lo port 8000
...
GET /en-US/debug/sso HTTP/1.1
Host: localhost:8000
Cache-Control: max-age=0
Pragma: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: UTF-8,*;q=0.5
Cookie: MOD_AUTH_CAS=***; session_id_8000=***
CAS-User: wcooley
REMOTE_USER: wcooley
REMOTE-USER: wcooley
X-Forwarded-User: wcooley
Via: 1.1 splunkhost.example.com
X-Forwarded-For: x.x.x.x
X-Forwarded-Host: splunkhost.example.com
X-Forwarded-Server: splunkhost.example.com
Connection: Keep-Alive

trustedIP in both server.conf and web.conf is 127.0.0.1.

If remoteUser in web.conf is set to Cas-User, REMOTE-USER or X-Forwarded-User, SSO works. The SSO debug has, for example:

Remote User HTTP Header Cas-User
Value of Cas-User   wcooley

If remoteUser is set to REMOTE_USER or is unset (yes, I tested both), then SSO does not work:

Remote User HTTP Header REMOTE_USER
Value of REMOTE_USER    Not set. SSO may not be enabled or you may not be accessing Splunk via your proxy server.

And I am redirected to the login page for other requests. Also, "Other HTTP Headers" has the following:

Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset  UTF-8,*;q=0.5
Accept-Encoding gzip,deflate,sdch
Accept-Language en-US,en;q=0.8
Cas-User        wcooley
Connection      Keep-Alive
Cookie  ...
Host    localhost:8000
Remote-Addr     127.0.0.1
Remote-User     wcooley
User-Agent      Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19
Via     1.1 splunkserver.example.com
X-Forwarded-For x.x.x.x
X-Forwarded-Host        splunkserver.example.com
X-Forwarded-Server      splunkserver.example.com
X-Forwarded-User        wcooley

Notice that REMOTE_USER is not set, but REMOTE-USER is. I tried separately disabling REMOTE_USER and REMOTE-USER, but in all three cases (both enabled, only one of each enabled) the result appears to be the same.

Just to ensure that my mod_auth_cas SSO provider wasn't secretly doing something obnoxious, I switched to basic auth in Apache, with the same results (except, of course, Cas-User wasn't included in the headers).

*whew*
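
One model that reproduces the debug output in the post, given here as an added example that is not part of the original post and is not Splunk's code. It assumes splunkweb receives request headers through a CGI/WSGI-style layer, which stores each header as HTTP_<NAME> with dashes turned into underscores and later rebuilds header names from those keys; the function names are hypothetical and the header list is copied from the capture above.

```python
# Constructed model of CGI/WSGI-style header normalisation. That splunkweb
# handles headers this way is an assumption, not something the post confirms.

# Request headers as they appear in the tcpdump capture in the post.
CAPTURED = [
    ("CAS-User", "wcooley"),
    ("REMOTE_USER", "wcooley"),
    ("REMOTE-USER", "wcooley"),
    ("X-Forwarded-User", "wcooley"),
]

def to_environ(headers):
    """Server side: each header becomes HTTP_<NAME>, with '-' mapped to '_'."""
    environ = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        environ[key] = value  # REMOTE_USER and REMOTE-USER land on one key
    return environ

def to_app_headers(environ):
    """Application side: rebuild header names; every '_' comes back as '-'."""
    rebuilt = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            rebuilt[key[5:].replace("_", "-").title()] = value
    return rebuilt

def lookup(app_headers, remote_user_setting):
    """Case-insensitive lookup of the header named by remoteUser."""
    wanted = remote_user_setting.lower()
    for name, value in app_headers.items():
        if name.lower() == wanted:
            return value
    return None

def survey(headers, settings):
    """Return what each candidate remoteUser setting would resolve to."""
    app_headers = to_app_headers(to_environ(headers))
    return {setting: lookup(app_headers, setting) for setting in settings}

if __name__ == "__main__":
    candidates = ["Cas-User", "REMOTE-USER", "X-Forwarded-User", "REMOTE_USER"]
    for setting, value in survey(CAPTURED, candidates).items():
        print(f"remoteUser = {setting:<17} -> {value or 'Not set'}")
```

Under this model the two spellings are indistinguishable once they reach the application, so a proxy that sets the trusted header should also unset any client-supplied copy of both the dash and the underscore form before forwarding.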
