Several SSO issues (user issues & logout page)

tawollen
Path Finder

I just set up our Splunk server to authenticate against our SSO infrastructure using the Apache proxy (on Linux). I am also doing SSL encryption on the Apache web proxy, using purchased SSL certs for the web server on the Apache server.

It seems to work (took a while to get the right settings), but I ran into a couple issues.

  • If I try to log into Splunk with a user that doesn't exist, I get dropped to the Splunk login page. I would like to see if there is a way to get directed to a "user not found" page.

  • If I log in as one user (user1) and then don't log out of Splunk (just close the IE window) and then log in with SSO as user2, I will actually get user1's account in Splunk.

  • If I log out of Splunk, I really want it to log out of our SSO infrastructure as well, going to a web site like "https://ssologin.company.com/logoff/logoff.jsp?referrer=http://splunk.company.com". Is there a way that the logout link can call this page as well? When you log out of Splunk, I would like it to just come up with a "Logged out" page, and not come back to the login page.

BTW, the only way I got our SSO to work was to use 'remoteUser = SM-USER'; remoteUser = REMOTE_USER (or REMOTE-USER) did not seem to ever work.


gkanapathy
Splunk Employee
  • There is not. This is kind of a failsafe in case SSO is not configured correctly. The right way to ensure this is to configure SiteMinder (I'm assuming from SM-USER) to only allow the same set of users as you configure for Splunk to access the Splunk/Apache resource.

  • I don't know if SM has a way to force a session or browser cookies to be cleared when you auth with a new user. Perhaps it doesn't by default clear the CherryPy cookie, which is called session_id_<port>, e.g. session_id_8000. This is kind of a general problem with SSO and web applications, so I would expect it to be the case that the proxy would intercept and clear those when switching users.

  • This is a good Enhancement Request for Splunk that you should file. In the meantime, you would have to edit $SPLUNK_HOME/share/splunk/search_mrsparkle/modules/nav/AccountBar.html. Unfortunately any change you make to this will probably be overwritten with every patch or upgrade of Splunk, but hopefully the change should be pretty minor.

The HTTP header name REMOTE_USER should refer to the name of the header that contains the trusted/authenticated user ID. By default, SiteMinder puts this id into the header SM-USER, but other SSO systems use a different header name.
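
The second point above (a `session_id_8000` cookie issued for one user still being presented after the proxy has authenticated a different one) can be checked for in the proxy's access log. The following is an added example, not part of the original thread and not Splunk or SiteMinder code; it assumes the Apache `LogFormat` shown in the comment, with the `sm_user=` and `sid=` labels chosen for this example, and every log line is constructed.

```python
import hashlib
import re

# Constructed sample lines. Assumed Apache LogFormat (the labels sm_user= and
# sid= are chosen for this example, they are not Splunk or SiteMinder names):
#   "%h %t \"%r\" %>s sm_user=%{SM-USER}i sid=%{session_id_8000}C"
SAMPLE_LOG = """\
10.0.0.5 [12/Mar/2024:09:00:01 +0000] "GET /en-US/app/search HTTP/1.1" 200 sm_user=user1 sid=aaa111
10.0.0.5 [12/Mar/2024:09:02:10 +0000] "GET /en-US/app/search HTTP/1.1" 200 sm_user=user1 sid=aaa111
10.0.0.5 [12/Mar/2024:09:30:44 +0000] "GET /en-US/app/search HTTP/1.1" 200 sm_user=user2 sid=aaa111
10.0.0.9 [12/Mar/2024:09:31:02 +0000] "GET /en-US/account/login HTTP/1.1" 200 sm_user=user3 sid=-
10.0.0.9 [12/Mar/2024:09:31:05 +0000] "GET /en-US/app/search HTTP/1.1" 200 sm_user=user3 sid=bbb222
"""

LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\].*?sm_user=(?P<user>\S+) sid=(?P<sid>\S+)"
)


def find_session_reuse(log_text):
    """Return (timestamp, session_tag, first_user, current_user) for every
    request whose session cookie was first seen with a different SM-USER."""
    owner = {}      # session tag -> user the cookie was first seen with
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Apache logs "-" when the header or cookie is absent; skip those.
        if not m or m["sid"] == "-" or m["user"] == "-":
            continue
        user = m["user"].lower()
        # Report a short hash so the raw cookie value never lands in output.
        tag = hashlib.sha256(m["sid"].encode()).hexdigest()[:12]
        first = owner.setdefault(tag, user)
        if first != user:
            findings.append((m["ts"], tag, first, user))
    return findings


if __name__ == "__main__":
    for ts, tag, first, now in find_session_reuse(SAMPLE_LOG):
        print(f"{ts} session {tag}: first seen for {first}, now sent as {now}")
```

Logging the session cookie exposes it to anyone who can read the access log, so restrict that log's permissions or have the proxy log a hash of the cookie instead.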
