When configured to permissive mode, UI requests hitting the Splunk UI without the REMOTE_USER header are directed to a go-away page, saying not authorized. This behavior is correct for strict mode, but not for permissive mode.
This is kinda unfortunate for any use case where you want SSO to enable certain kinds of automatic access but stlil enable users to log in the old fashioned way.
My use case is automated UI testing, which is obviously a minority, but will affect all splunk app developers.
Have you submitted a Support Request?
No, I haven't put in the time to figure out how I can access support, and I don't expect anyone to fix it anyway. I was just documenting the state of the world, essentially.