Security

Using SSO proxy to connect to multiple AD domain

cervelli
Splunk Employee
Splunk Employee

Splunk can only connect to one domain in an AD forest at this time. That's a known limitation.

However, is it possible to set whatever user name you want in the SSO header when you do the re-write. The proxy doing the re-write may be multi-domain or forest aware.

How can I re-write the auth'd user from a non-Splunk-auth domain to target a user in Splunk? If I do, must I map them to users in the domain that Splunk can access to, in order to make the roles work out?

Tags (3)
1 Solution

fervin
Path Finder

We are running all of our Splunk servers on Linux, but we use IIS on Windows as a reverse proxy to Splunk. We've figured out a hackish but functional way to give users from another Active Directory forest SSO access to dashboards that I think will give you what you're asking for.

What you need:

  1. A Windows server running IIS 7+
  2. The free Microsoft Application Request Routing (ARR) extension - available for download from: http://www.iis.net/download/applicationrequestrouting
  3. The free Microsoft URL Rewrite extension - available for download from: http://www.iis.net/download/URLRewrite
  4. The free Helicon ISAPI_Rewrite module – available for download from: http://www.helicontech.com/download-isapi_rewrite3.htm
  5. A Splunk search head configured for LDAP and SSO. Set remoteUser = REMOTE-USER instead of REMOTE_USER.

Here's how we set up the proxy, best as I can remember:

  1. Install ARR v2.1 using the default options.
  2. Install URL Rewrite v2.0 using the default options.
  3. Install the Helicon ISAPI_Rewrite3 Module to IIS. The free version is sufficent because we will be using ARR to work around the free version’s RewriteProxy limitations…
  4. From the Application Request Routing Cache feature view, click on the Server Proxy action and Enable proxy.
  5. Create a new IIS web site for the Splunk proxy address (ex – splunk.xyz.com). Bind an SSL certificate to the web site at this time.
  6. On the newly created website’s feature view, click on URL Rewrite and then the Add Rule(s) action.
  7. Create a rule based on the Reverse Proxy template which points to your Splunk search head. Enable SSL Offloading.
  8. Edit the rule such that a Condition input of {HTTP_HOST} matches the pattern (splunk\.xyz\.com).
  9. By chaining such Reverse Proxy rules, you can specify multiple Splunk environments if you need to (splunkdev\.xyz\.com)…
  10. Make the first rule {HTTPS} matches ^OFF$ if you want to redirect all web traffic to SSL.
  11. Edit the Helicon configuration as below:

    RewriteHeader REMOTE_USER: .* $1
    RewriteMap user int:tolower
    RewriteCond %{REMOTE_USER} .* \\([^\\]+)
    RewriteHeader Remote-User: .* ${user:%1}
    RewriteBase /

    RewriteHeader Remote-User: ^(abcuser1|abcuser2|abcuser3) abc_developer
    RewriteHeader Remote-User: ^(abcuser5|abcuser5) abc_admin
    RewriteBase /

The above example converts REMOTE_USER to lowercase, strips out Active Directory domain information, and populates a new Remote-User variable with the result. Then, if the user matches the regex in any of the next sections, the Remote-User variable will be populated with the specified abc_developer or abc_admin user name. This rewritten user name can match an account in the configured AD LDAP repository or can be a shared Splunk local user account.

That’s it!

View solution in original post

magnuspenilsson
Explorer

Trying to setup Splunk to work with a reverse proxy as described above using ARR v2.1 and URL Rewrite v2.0. Anyone having the same problems as me?

Splunk is hosted on localhost:8000 IIS proxy on localhost/SplunkTest/

After adding an outgoing rewrite rule to make browser redirect work (LOCATION), I manage to get to the login screen but without any proper CSS styles. The problem was that the CSS files included pictures etc using url("[the_uri]"). Also, there where javascript calls using the syntax "uri":"[the_uri]". I managed to create outgoing rewrite rules for that as well. So far so good.

But now I'm stucked, log searching etc. They are initiated using POST and GET on paths build with the javascript function make_url(), which is supposed to make life easier for proxy setups. It's hard to solve this issue with outgoing rewrite rules since the links are pieced together client side.

I suppose setting root_endpoint should make all this work without outgoing rules? I am pointing root_endpoint to the proxy root offset, i.e. "/SplunkTest/"

Any help is very appreciated.

0 Karma

csnidsplunk
Explorer

Have you found any further information or gotten this to work?

Thanks

0 Karma

fervin
Path Finder

We are running all of our Splunk servers on Linux, but we use IIS on Windows as a reverse proxy to Splunk. We've figured out a hackish but functional way to give users from another Active Directory forest SSO access to dashboards that I think will give you what you're asking for.

What you need:

  1. A Windows server running IIS 7+
  2. The free Microsoft Application Request Routing (ARR) extension - available for download from: http://www.iis.net/download/applicationrequestrouting
  3. The free Microsoft URL Rewrite extension - available for download from: http://www.iis.net/download/URLRewrite
  4. The free Helicon ISAPI_Rewrite module – available for download from: http://www.helicontech.com/download-isapi_rewrite3.htm
  5. A Splunk search head configured for LDAP and SSO. Set remoteUser = REMOTE-USER instead of REMOTE_USER.

Here's how we set up the proxy, best as I can remember:

  1. Install ARR v2.1 using the default options.
  2. Install URL Rewrite v2.0 using the default options.
  3. Install the Helicon ISAPI_Rewrite3 Module to IIS. The free version is sufficent because we will be using ARR to work around the free version’s RewriteProxy limitations…
  4. From the Application Request Routing Cache feature view, click on the Server Proxy action and Enable proxy.
  5. Create a new IIS web site for the Splunk proxy address (ex – splunk.xyz.com). Bind an SSL certificate to the web site at this time.
  6. On the newly created website’s feature view, click on URL Rewrite and then the Add Rule(s) action.
  7. Create a rule based on the Reverse Proxy template which points to your Splunk search head. Enable SSL Offloading.
  8. Edit the rule such that a Condition input of {HTTP_HOST} matches the pattern (splunk\.xyz\.com).
  9. By chaining such Reverse Proxy rules, you can specify multiple Splunk environments if you need to (splunkdev\.xyz\.com)…
  10. Make the first rule {HTTPS} matches ^OFF$ if you want to redirect all web traffic to SSL.
  11. Edit the Helicon configuration as below:

    RewriteHeader REMOTE_USER: .* $1
    RewriteMap user int:tolower
    RewriteCond %{REMOTE_USER} .* \\([^\\]+)
    RewriteHeader Remote-User: .* ${user:%1}
    RewriteBase /

    RewriteHeader Remote-User: ^(abcuser1|abcuser2|abcuser3) abc_developer
    RewriteHeader Remote-User: ^(abcuser5|abcuser5) abc_admin
    RewriteBase /

The above example converts REMOTE_USER to lowercase, strips out Active Directory domain information, and populates a new Remote-User variable with the result. Then, if the user matches the regex in any of the next sections, the Remote-User variable will be populated with the specified abc_developer or abc_admin user name. This rewritten user name can match an account in the configured AD LDAP repository or can be a shared Splunk local user account.

That’s it!

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...