Several SSO issues (user issues & logout page)

tawollen
Path Finder

I just set up our Splunk server to authenticate against our SSO infrastructure using the Apache proxy (on Linux). I am also doing SSL encryption on the Apache web proxy, using purchased SSL certs for the web server on the Apache server.

It seems to work (took a while to get the right settings), but I ran into a couple issues.

  • If I try to log into Splunk with a user that doesn't exist, I get dropped to the Splunk login page. I would like to see if there is a way to get directed to a "user not found" page.

  • If I log in as one user (user1) and then don't log out of Splunk (just close the IE window) and then log in with SSO as user2, I will actually get user1's account in Splunk.

  • If I log out of Splunk, I really want it to log out of our SSO infrastructure as well, going to a web site like "https://ssologin.company.com/logoff/logoff.jsp?referrer=http://splunk.company.com". Is there a way that the logout link can call this page as well? When you log out of Splunk, I would like it to just come up with a "Logged out" page, and not come back to the login page.

BTW, the only way I got our SSO to work was to use 'remoteUser = SM-USER'; 'remoteUser = REMOTE_USER' (or REMOTE-USER) did not seem to ever work.

gkanapathy
Splunk Employee
  • There is not. This is kind of a failsafe in case SSO is not configured correctly. The right way to ensure this is to configure SiteMinder (I'm assuming from SM-USER) to only allow the same set of users as you configure for Splunk to access the Splunk/Apache resource.

  • I don't know if SM has a way to force a session or browser cookies to be cleared when you auth with a new user. Perhaps it doesn't by default clear the CherryPy cookie, which is called session_id_<port>, e.g. session_id_8000. This is kind of a general problem with SSO and web applications, so I would expect it to be the case that the proxy would intercept and clear those when switching users.

  • This is a good Enhancement Request for Splunk that you should file. In the meantime, you would have to edit $SPLUNK_HOME/share/splunk/search_mrsparkle/modules/nav/AccountBar.html. Unfortunately any change you make to this will probably be overwritten with every patch or upgrade of Splunk, but hopefully the change should be pretty minor.

The HTTP header name REMOTE_USER should refer to the name of the header that contains the trusted/authenticated user ID. By default, SiteMinder puts this id into the header SM-USER, but other SSO systems use a different header name.
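
The second bullet of the answer expects the proxy to clear the stale session_id_<port> cookie when the SSO user changes. The following is an added example of that check, not part of the original post and not Splunk or SiteMinder code: the proxy binds each Splunk session cookie to the SM-USER value with an HMAC kept in a companion cookie, and withholds and expires the session when the binding does not match. The `sso_bind` cookie name, the key, the sample values and all function names are assumptions.

```python
import hashlib
import hmac

# Assumptions (not from the thread): the proxy runs these hooks per request and
# response, holds BIND_KEY, and may set a companion cookie (hypothetical name).
BIND_KEY = b"constructed-demo-key"      # constructed value; load from a secret store
SESSION_COOKIE = "session_id_8000"      # CherryPy cookie named in the answer
BIND_COOKIE = "sso_bind"                # hypothetical companion cookie
EXPIRE = "=; Path=/; Max-Age=0"


def bind_tag(user, session_id):
    """HMAC tying one Splunk session id to one SSO user."""
    msg = user.encode() + b"\x00" + session_id.encode()
    return hmac.new(BIND_KEY, msg, hashlib.sha256).hexdigest()


def parse_cookies(header):
    parts = [p.strip().partition("=") for p in (header or "").split(";")]
    return {name: value for name, _, value in parts if name}


def filter_request(sso_user, cookie_header):
    """Return (Cookie header to forward to Splunk, Set-Cookie values to add)."""
    cookies = parse_cookies(cookie_header)
    session_id = cookies.get(SESSION_COOKIE)
    if session_id is None:
        return cookie_header, []
    expected = bind_tag(sso_user, session_id).encode()
    presented = cookies.get(BIND_COOKIE, "").encode()
    if sso_user and hmac.compare_digest(presented, expected):
        return cookie_header, []
    # Session belongs to another (or unknown) SSO user: withhold and expire it.
    kept = "; ".join(f"{n}={v}" for n, v in cookies.items()
                     if n not in (SESSION_COOKIE, BIND_COOKIE))
    return kept, [SESSION_COOKIE + EXPIRE, BIND_COOKIE + EXPIRE]


def bind_response(sso_user, set_cookie_values):
    """Append a binding cookie whenever Splunk issues a session cookie."""
    out = list(set_cookie_values)
    for value in set_cookie_values:
        name, _, rest = value.partition("=")
        if name.strip() == SESSION_COOKIE and sso_user:
            session_id = rest.split(";", 1)[0].strip()
            tag = bind_tag(sso_user, session_id)
            out.append(f"{BIND_COOKIE}={tag}; Path=/; Secure; HttpOnly")
    return out
```

With this in place, the user1/user2 case from the question ends with Splunk receiving no session cookie for user2, so a fresh session is created for the authenticated header value.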
