Security

Splunk SSO change - no longer works.

jgauthier
Contributor

Hey Everyone.

Been running Splunk behind an Apache proxy with NTLM for a while. (Same host).
Today, I decided to move the apache proxy to a different server, and use SAML2.0 as the authentication method.

As far as /debug/sso goes, this was a no-hiccup change.
As far as the actual web interface goes, it tells me:

Could not authenticate user via SSO. Please confirm the user set in the http header via your SSO module has a matching splunk account with the same username.

I verified the usernames, which now use userprincipalname, instead of samaccount.
I can log in using :8000 fine.

Are there some other logs I can get into to help me diagnose this further?

The debug page is perfect.

Is the incoming request IP in splunkweb's list of trustedIPs? Yes. SSO will be used to authenticate this request.

Remote User HTTP Header REMOTE-USER

Value of REMOTE-USER
jgauthier@lastar.com

Thanks!

0 Karma

adhoke_splunk
Splunk Employee

Can you post errors seen in splunkd.log?

0 Karma

zillionlee
Path Finder

I'm getting the same question. The /debug/sso page looks OK.
I got some logs in web_service.log:

2015-06-24 09:46:44,231 ERROR [558b5d84381ca48350] auth:59 - getSessionKey - unable to login; check credentials
2015-06-24 09:46:44,232 WARNING [558b5d84381ca48350] decorators:207 - Could not authenticate user zillionlee via SSO. Does zillionlee have a matching splunk account with the same username?

But I have a user zillionlee in Splunk. I have no idea.

0 Karma
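
An added example, not part of any post in this thread and not Splunk's code: a small parser for the web_service.log format quoted above that groups lines by the bracketed token (assumed here to be a per-request identifier), lists each SSO failure, and shows the exact username string splunkweb tried, so it can be compared character for character with the Splunk account name. The function name `sso_failures`, the `form` field and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# First two lines are the ones quoted in the post above; the last two are constructed.
SAMPLE = """\
2015-06-24 09:46:44,231 ERROR [558b5d84381ca48350] auth:59 - getSessionKey - unable to login; check credentials
2015-06-24 09:46:44,232 WARNING [558b5d84381ca48350] decorators:207 - Could not authenticate user zillionlee via SSO. Does zillionlee have a matching splunk account with the same username?
2015-06-24 09:47:02,010 INFO [558b5d9a111ca48351] startup:12 - constructed unrelated line
2015-06-24 09:47:10,500 WARNING [558b5da0222ca48352] decorators:207 - Could not authenticate user jdoe@example.com via SSO. Does jdoe@example.com have a matching splunk account with the same username?
"""

# timestamp LEVEL [token] module:line - message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<req>[^\]]+)\] (?P<src>\S+) - (?P<msg>.*)$"
)
SSO_FAIL = re.compile(r"^Could not authenticate user (?P<user>\S+) via SSO\.")


def sso_failures(text):
    """Return one record per SSO failure, correlated with a getSessionKey
    error carrying the same bracketed token (assumption: token = one request)."""
    by_req = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # lines in any other format are skipped
            by_req[m["req"]].append(m)

    failures = []
    for req, entries in by_req.items():
        login_error = any(
            e["level"] == "ERROR" and "getSessionKey" in e["msg"] for e in entries
        )
        for e in entries:
            hit = SSO_FAIL.match(e["msg"])
            if hit:
                user = hit["user"]
                failures.append({
                    "ts": e["ts"], "request": req, "user": user,
                    # "upn" = user@domain form, "plain" = bare account name
                    "form": "upn" if "@" in user else "plain",
                    "login_error": login_error,
                })
    return failures


if __name__ == "__main__":
    for f in sso_failures(SAMPLE):
        print(f)
```
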

yuelu
Explorer

I am experiencing the same problem. I have Splunk 6.1.0 build 206881. Can someone shed some light? Thanks.

0 Karma

linu1988
Champion

Did you check if the users are being extracted in the LDAP settings page?

0 Karma

gsteff
Explorer

I'm getting the same behavior in 6.0.3. The debug page looks like everything is working, but I get the above error page, which says that the user is UNKNOWN_USER.

0 Karma

jgauthier
Contributor

I noticed on the screen, Splunk gives me a little help: User: UNKNOWN_USER

But I can clearly see my named user in the user list. I wonder why they are not matching.

0 Karma