Unfortunately, you need some active code (like an Apache module) to inject that header variable. Most single signon solutions provide such a plugin that will either (A) pick up on the existence of a valid SSO session cookie, and insert the REMOTE_USER header or (B) not seeing a valid cookie, redirect you to the SSO portal. I know next-to-nothing about Centrify, but expect this is how their Apache module functionally works. To avoid using it, you'll probably have to dive down into writing your own Apache modules.

Thanks for your reply. The Centrify module for Apache is not free... therefore it's not an option.

I have an apache2 proxy built, however I have been unable to get it to populate the REMOTE_USER variable. Additionally, it's unclear as to what auth module is recommended for domain lookups into AD. Can you shed some light on that?

I'm looking for the shortest/cheapest path toward true SSO and the Centrify addon looked like it would accomplish that, but unfortunately it only got me half way there.

I do appreciate your time and your recommendations.

Thanks,
G

I had to do something similar to get apache to populate the REMOTE_USER variable from mod_auth_mellon. You can see what I did here, http://answers.splunk.com/answers/177936/accessing-splunk-enterprise-using-adfs-authenticat.html#ans...

Dwaddle is correct. An additional bit of information is that I have tested the Centrify Apache module in a reverse proxy mode to front end other applications like SAP and Peoplesoft in addition to Splunk. It works as expected and supports WIA via Kerberos/NTLM over SPNEGO (also works with ADFS for a federated SSO).

I understand gryan is not able to use the Centrify Apache module due to it not being free, but for other readers I thought this might useful information.

Corey - A Centrify product manager