How to implement Splunk SSO with Google Authentication Proxy when the username is not an email address?

eshedra
Explorer

Hi All,
I implemented Splunk SSO with Google Authentication Proxy (GAP) (https://github.com/bitly/google_auth_proxy) by using this tutorial: http://hustoknow.blogspot.co.il/2014/11/implementing-splunk-sso-with-google-apps.html.

Everything works fine except for the fact that the username must be an email address. Splunk won't let admins change usernames, and I have a system which is all configured with names as usernames (and not email addresses).

Is it possible to forward from the proxy to Splunk only the user and not the whole email address?
I tried to do that by using X-Forwarded-User instead of X-Forwarded-Mail in web.conf with no success.

Another approach might be changing the usernames. Is it possible? Maybe directly from the server running it?

Thanks

1 Solution

dwaddle
SplunkTrust

We use this with a config similar to:

pass_basic_auth = true

## Google Apps Domains to allow authentication for
google_apps_domains = [
     "defpoint.com"
]

On the proxy, and:

[settings]
enableSplunkWebSSL = 0

remoteUser = X-Forwarded-User
trustedIP = 127.0.0.1

In web.conf in Splunk. With this configuration, the proxy only passes usernames with the "@domain.com" part removed. Folks show up in Splunk as "just their user ID" and it works great...

eshedra
Explorer

Another thing: could you please copy and paste your web.conf file (not only the relevant parts)?

Thanks

0 Karma

ppablo
Retired

Hi @eshedra

Please be sure that when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your last 2 responses in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer each time. This will help with a clean continuous flow of the conversation. I already converted your "answers" to comments, so just something to keep in mind from here on out. Thanks and happy Splunking!

0 Karma

eshedra
Explorer

I used tcpdump and see the username passes from the proxy to the Splunk server.
I suspect it might be a version issue (we are using 6.1). Do you think it might be it?

Are you familiar with other parameters that we can try and pass?

Thanks for help,
Eshed

0 Karma

eshedra
Explorer

Hi dwaddle,
I tried your configuration and it doesn't seem to work.
Right now, when the username in Splunk is eshedra@etoro.com, it logs me in if I use X-Forwarded-Email.
If I change it to X-Forwarded-User and create a username like "eshedra" it doesn't log me in.
Any ideas?

Thanks for help.
Eshed

0 Karma

dwaddle
SplunkTrust

Interesting. It works for us on Splunk 6.2.2. You could try running tcpdump between the google-auth-proxy and Splunk and see if the headers are all coming out right...

0 Karma

eshedra
Explorer

It works now. Thanks for the help

0 Karma
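
The header check suggested in the thread (capture the traffic between the proxy and Splunk, then compare it with web.conf), as an added example that is not code from any poster or from Splunk. It models, as an assumption, how the `remoteUser` and `trustedIP` settings from the accepted answer select the username; the function names, the sample request and the account list are constructed for illustration.

```python
import configparser
import ipaddress

# web.conf as posted in the accepted answer.
WEB_CONF = """[settings]
enableSplunkWebSSL = 0
remoteUser = X-Forwarded-User
trustedIP = 127.0.0.1
"""

# Constructed sample of one proxied request, as seen in a tcpdump -A capture.
CAPTURED_REQUEST = (
    "GET /en-US/account/login HTTP/1.1\r\n"
    "Host: splunk.example.internal\r\n"
    "X-Forwarded-User: alice\r\n"
    "X-Forwarded-Email: alice@example.com\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return the request's headers as a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_sso(web_conf, raw_request, peer_ip, splunk_users):
    """Return (username, problems) for one request arriving from peer_ip."""
    cp = configparser.ConfigParser()
    cp.read_string(web_conf)
    settings = cp["settings"]
    # Assumption: with no remoteUser setting the header name is REMOTE_USER.
    header = settings.get("remoteUser", "REMOTE_USER")
    trusted = settings.get("trustedIP", "")
    problems = []
    if not trusted:
        problems.append("trustedIP is not set, so the SSO header is not used")
    elif ipaddress.ip_address(peer_ip) != ipaddress.ip_address(trusted):
        problems.append(f"peer {peer_ip} is not trustedIP {trusted}")
    user = parse_headers(raw_request).get(header.lower())
    if user is None:
        problems.append(f"request carries no {header} header")
    elif user not in splunk_users:
        problems.append(f"no Splunk account named {user!r}")
    return user, problems

if __name__ == "__main__":
    print(check_sso(WEB_CONF, CAPTURED_REQUEST, "127.0.0.1", {"alice"}))
```

Because Splunk takes the username from that header for any request coming from `trustedIP`, Splunk Web should be reachable only through the proxy.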