I'm playing with Splunk 6.6.0 and DOD CAC login (X509 client certificates on a smartcard). The documentation says the REMOTE_USER must be in every request, but testing shows this isn't necessarily true, I think. Once the user received a session cookie, I was able to remove the header and stay signed in. In fact, I could close the browser and re-open it and the session was still alive. The cookie was set to expire in 10 years I believe, but I'm sure after 1hr of inactivity the server-side expires it.
Since client SSL auth and cert extraction is said to be an expensive operation, I thought I'd only request it once. This is what our web mail does. But I have also read that a per-location ssl verify requires a secure renegotiation and is better done with a separate domain or port. Our web mail uses a different port. So I was thinking of doing a redirect from when Splunk sends the user to /en-US/account/login to go to a separate VirtualHost that has "SSLVerifyClient required" and passes REMOTE_USER from %{SSL_CLIENT_SAN_OTHER_msUPN_0}e which maps to userPrincipalName in LDAP to Active Directory...
I believe this is a much better way than the previous solutions on here, but:
I think the answers are:
This should greatly improve performance as the client certificates aren't verified with each connection.
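As an added example (not from the original post), an Apache httpd 2.4 configuration for the two-VirtualHost layout described above: the main host never asks for a client certificate and only redirects Splunk's login URL to a second host, which demands the CAC, derives REMOTE_USER from the certificate's UPN SAN, and sends the user back once Splunk has issued its session cookie. Hostnames, ports, certificate paths and the Splunk backend address are assumptions; Splunk must also be told to trust the proxy (web.conf trustedIP) before it honours the header at all.

```apache
# Front door (:443): no client certificate here; Splunk proxied as usual.
<VirtualHost *:443>
    ServerName splunk.example.test                          # assumed hostname
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/splunk.crt     # placeholder path
    SSLCertificateKeyFile /etc/pki/tls/private/splunk.key   # placeholder path
    # A browser must never be able to supply REMOTE_USER itself.
    RequestHeader unset REMOTE_USER
    # mod_proxy's translate hook runs before mod_alias, so exclude the login
    # path from ProxyPass or the Redirect below is never reached.
    ProxyPass /en-US/account/login !
    Redirect 302 /en-US/account/login https://splunk.example.test:8443/en-US/account/login
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8000/               # assumed Splunk Web backend
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

# CAC host (:8443): the client certificate is demanded only here.
<VirtualHost *:8443>
    ServerName splunk.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/splunk.crt
    SSLCertificateKeyFile /etc/pki/tls/private/splunk.key
    SSLCACertificateFile  /etc/pki/tls/certs/dod-ca-bundle.pem   # placeholder: issuing CA chain
    SSLVerifyClient require
    SSLVerifyDepth 3
    SSLOptions +StdEnvVars        # exposes SSL_CLIENT_SAN_OTHER_msUPN_0 to mod_headers
    ProxyPreserveHost On
    RewriteEngine On
    # A verified certificate without a UPN SAN would otherwise be forwarded
    # with a meaningless REMOTE_USER; refuse it instead.
    RewriteCond %{SSL:SSL_CLIENT_SAN_OTHER_msUPN_0} ^$
    RewriteRule ^ - [F]
    # Only Splunk's login endpoint is proxied here, with the user taken from the cert.
    RewriteRule ^/(en-US/account/login.*)$ http://127.0.0.1:8000/$1 [P,L]
    # Splunk's post-login redirect lands on this host too; bounce it back to :443.
    # The session cookie follows, because cookies are not scoped by port.
    RewriteRule ^/(.*)$ https://splunk.example.test/$1 [R=302,L]
    RequestHeader unset REMOTE_USER
    RequestHeader set REMOTE_USER "%{SSL_CLIENT_SAN_OTHER_msUPN_0}e"
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
```

Because every later request arrives on :443 carrying only the cookie, Splunk's own session timeout, not the certificate, decides how long the user stays signed in.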
"In fact, I could close the browser and re-open it and the session was still alive"
I find this hard to believe unless you had other browser windows open or have a network device that is caching cookies.
"or have a network device that is caching cookies."
I find this hard to believe.
Which part, that you might have such a device or that one might exist?