Splunk Search

DoD CAC enable for Splunk Web


Splunk Support,

As a DoD entity we are required to have Web applications, including Splunk, to be DoD CAC enabled for login authentication. Is there any way to do this in Splunk Web in any shape or form?

George Jackson

Tags (1)

Path Finder

Hi there DISA,

  Have you guys found a solution to PKI CAC enable Splunk. We are also being directed to get this done. Not sure if other DoD entities are moving forward with this directive as well. Let me know if there is a group with information to share on this tasking. Thank you.

Navy Metoc

0 Karma


IHAC with a mandate for smart-card authentication (DOD CAC) as well. This mandate explicitly EXCLUDES a proxy solution.

So although the solutions below may work, they all require a proxy and therefore don't meet the requirements.

It looks like this question has been idle for the past 18 months - any updates?



I'm facing the same issue with a looming suspense. Please contact me at kmattern@araneasolutions.com so we can directly share info. We have been seeking other DoD users.


0 Karma


I have configured my proxy three different ways for testing purposes.

  1. Create a new virtual host on a separate port (Access would be through https://proxy:port).
  2. Change the splunk root to /splunk (Reverse proxy would be configured to forward everything https://proxy/splunk)
  3. Configured the proxy to forward all /en-US/ requests (Access through https://proxy/en-US/)

All three worked without issue when I added "Keepalive On" to ssl.conf (As I stated above). Of the three ways, I prefer #1 because the keepalive statement can be made in the virtual host configuration. This would cause the least repercussions, only affecting other services in the virtual host configuration.

New Member

Splunk SSO requires every page request to include the remote-user in the header ... wouldn't this method make page loads extremely slow due to the constant querying of the smart card?

0 Karma


There is actually a rather simple way to perform what you are asking. If you configure SSL on a proxy server (I used a RHEL 5.8 server with apache installed), you can do it with the following three lines:

RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ([0-9]+$)

RewriteRule (.*) - [E=USER:%1]

RequestHeader set xuser %{USER}e

Assuming you have configured your proxy server correctly, you can use the above three statements to send your login information to Splunk as "Xuser". At that point, it is a matter of typing in the correct AD attribute in Splunk.

After this process is complete, the certificate authentication is then done by Apache. Apache then forwards the username on to splunk. Splunk SSO references Active Directory for the user account based on the attribute you specified in Splunk.


The branch I support appends the CN inside AD. I had to point Splunk at employeeID instead of sAMAccountName to get it to match up with the CN from the users CAC. Other than that, MatthewRogers solutiuon worked great.

0 Karma


Yes. Keepalive on makes a world of a difference!!

0 Karma


I also had to add "Keepalive On" to ssl.conf. Once I added this, there was very little difference between access through the proxy and direct access.

However, if at any time you pull the smart card you have authenticated with, you must close the browser, re-open it, and reauthenticate.

0 Karma


As I understand it, CAC is a PKI smartcard implementation. As such, any website you authenticate to using CAC is done via an X.509 client certificate stored on the CAC itself. Splunk does not support X.509 certificate authentication out of the box, but I think a SSO/Proxy setup using Apache could do it. But, I don't think it would be a trivial setup to get working -- as you still have to deal with user/role definitions within Splunk and so on.

If this is the route you must take, I would recommend discussing this with Splunk Professional Services.

Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...