Thanks for the tip jervin.
We were able to use splunk sso w/ shibboleth using this apache config:
<VirtualHost _default_:443>
    ServerAdmin [email protected]
    DocumentRoot /var/www/
    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/ssl_access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/myhost.pem
    SSLCertificateKeyFile /etc/ssl/private/myhost.key
    # Require a Shibboleth session for every request and limit access by the ou attribute
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        # Publish Shibboleth attributes (including uid) as request headers for the proxied backend
        ShibUseHeaders On
        require ou staff
    </Location>
    # Reverse proxy only: forward requests to Splunk Web on the loopback interface
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
We couldn't get apache to pass REMOTE_USER so we told splunk to map the 'uid' variable passed by shib instead in $SPLUNK_HOME/etc/system/local/web.conf:
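[settings]
# Accept SSO headers only from the Apache proxy on this host
trustedIP = 127.0.0.1
SSOMode = strict
# Name of the request header that carries the username
remoteUser = uid
login_content = <b>ACCESS DENIED</b>: You are not authorized to access Splunk!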
If the user successfully authenticated to shib but they're not authorized to access splunk then they're prompted to authenticate in splunkweb. Not sure if it's the best way, but I simply added an ACCESS DENIED message in the login screen (login_content parameter).
Also, the 'logout' link in splunk is essentially useless now with SSO. You can remove it by navigating to 'Splunk->Manager->User Interface->Views->App Context: search->dashboard' and editing this module:
<module name="AccountBar" layoutPanel="appHeader">
    <param name="mode">popup</param>
</module>
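Added example, not part of the original post and not Splunk's or Shibboleth's own tooling: a small Python check of the SSO trust settings described above, assuming Apache and Splunk Web share one host as in the post. The function names and the sample strings are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed samples mirroring the settings quoted in the post above.
APACHE_CONF = """ShibUseHeaders On
ProxyPass / http://127.0.0.1:8000/
"""
WEB_CONF = """[settings]
trustedIP = 127.0.0.1
SSOMode = strict
remoteUser = uid
"""

def parse_stanza(text, stanza="settings"):
    """Collect key = value pairs from one stanza of a Splunk .conf file."""
    current, out = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == stanza and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def is_loopback(host):
    """True for 'localhost' or a literal loopback address."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def audit_sso(apache_conf, web_conf):
    """Return findings; an empty list means every check passed."""
    cfg, findings = parse_stanza(web_conf), []
    # Assumption: split on commas defensively in case several addresses are listed.
    trusted = [ip.strip() for ip in cfg.get("trustedIP", "").split(",") if ip.strip()]
    if not trusted or not all(is_loopback(ip) for ip in trusted):
        findings.append("trustedIP must be set and name only the local proxy")
    if cfg.get("SSOMode") != "strict":
        findings.append("SSOMode is not strict")
    if not cfg.get("remoteUser"):
        findings.append("remoteUser is unset, so the Shibboleth header is not mapped")
    if not re.search(r"^\s*ShibUseHeaders\s+On\s*$", apache_conf, re.I | re.M):
        findings.append("ShibUseHeaders On missing; attribute is not sent as a header")
    for target in re.findall(r"^\s*ProxyPass\s+\S+\s+(\S+)", apache_conf, re.M):
        if not is_loopback(urlsplit(target).hostname or ""):
            findings.append(f"ProxyPass target {target} is not loopback")
    return findings
```

Running audit_sso on the real files (read as text) before a change goes live shows whether Splunk still accepts the username header only from the local Apache proxy.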