
Several SSO issues ( user issues & logout page)

tawollen
Path Finder

I just set up our Splunk server to authenticate against our SSO infrastructure using the Apache proxy (on Linux). I am also doing SSL encryption on the Apache web proxy, using purchased SSL certs for the web server on the Apache server.

It seems to work (took a while to get the right settings), but I ran into a couple of issues.

  • If I try to log into Splunk with a user that doesn't exist, I get dropped to the Splunk login page. I would like to see if there is a way to get directed to a "user not found" page.

  • If I log in as one user (user1) and then don't log out of Splunk (just close the IE window) and then log in with SSO as user2, I will actually get user1's account in Splunk.

  • If I log out of Splunk, I really want it to log out of our SSO infrastructure as well, by going to a web site like "https://ssologin.company.com/logoff/logoff.jsp?referrer=http://splunk.company.com". Is there a way that the logout link can call this page as well? When you log out of Splunk, I would like it to just come up with a "Logged out" page, and not come back to the login page.

BTW, the only way I got our SSO to work was to use 'remoteUser = SM-USER'; 'remoteUser = REMOTE_USER' (or REMOTE-USER) did not seem to ever work.

1 Solution

gkanapathy
Splunk Employee
  • There is not. This is kind of a failsafe in case SSO is not configured correctly. The right way to ensure this is to configure SiteMinder (I'm assuming from SM-USER) to only allow the same set of users as you configure for Splunk to access the Splunk/Apache resource.

  • I don't know if SM has a way to force a session or browser cookies to be cleared when you auth with a new user. Perhaps it doesn't by default clear the CherryPy cookie, which is called session_id_<port>, e.g. session_id_8000. This is kind of a general problem with SSO and web applications, so I would expect it to be the case that the proxy would intercept and clear those when switching users.

  • This is a good Enhancement Request for Splunk that you should file. In the meantime, you would have to edit $SPLUNK_HOME/share/splunk/search_mrsparkle/modules/nav/AccountBar.html. Unfortunately any change you make to this will probably be overwritten with every patch or upgrade of Splunk, but hopefully the change should be pretty minor.

The HTTP header name REMOTE_USER should refer to the name of the header that contains the trusted/authenticated user ID. By default, SiteMinder puts this id into the header SM-USER, but other SSO systems use a different header name.
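An added illustration of the proxy-side check the answer expects (example code, not from the thread, Splunk or SiteMinder): the proxy remembers which SSO identity, taken from the SM-USER header, each splunkweb session cookie (session_id_8000) was first used by, and strips the cookie when a different identity presents it so splunkweb starts a fresh session for the new user. The function names, the session store and the sample requests are hypothetical and constructed here.

```python
from http.cookies import SimpleCookie

TRUSTED_USER_HEADER = "SM-USER"    # header SiteMinder populates, as used in the thread
SPLUNK_COOKIE = "session_id_8000"  # CherryPy session cookie for splunkweb on port 8000


def splunk_session_id(cookie_header):
    """Return the value of the splunkweb session cookie from a Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(SPLUNK_COOKIE)
    return morsel.value if morsel else None


def strip_cookie(cookie_header):
    """Return the Cookie header with the splunkweb session cookie removed."""
    parts = [p.strip() for p in (cookie_header or "").split(";") if p.strip()]
    return "; ".join(p for p in parts if not p.startswith(SPLUNK_COOKIE + "="))


def filter_request(headers, session_owner):
    """Decide how the proxy forwards one request to splunkweb (hypothetical helper).

    headers: incoming request headers. session_owner: mutable dict mapping a
    splunkweb session id to the SSO user it was first seen with (a real proxy
    would bind it when splunkweb sets the cookie). Returns (action, cookie_to_forward):
      'reject'  no trusted user header present, do not forward at all
      'forward' no session cookie, or it belongs to the same SSO user
      'strip'   cookie was bound to another SSO user; it is dropped so splunkweb
                creates a new session, and the proxy should also expire it in the
                browser (Set-Cookie: session_id_8000=; Max-Age=0; Path=/)
    """
    sso_user = headers.get(TRUSTED_USER_HEADER)
    if not sso_user:
        return "reject", None
    cookie_header = headers.get("Cookie", "")
    sid = splunk_session_id(cookie_header)
    if sid is None:
        return "forward", cookie_header
    owner = session_owner.setdefault(sid, sso_user)
    if owner == sso_user:
        return "forward", cookie_header
    del session_owner[sid]  # forget the stale binding; the new session gets its own
    return "strip", strip_cookie(cookie_header)


if __name__ == "__main__":
    owners = {"abc123": "user1"}  # constructed: user1's session is already bound
    print(filter_request({"SM-USER": "user1", "Cookie": "session_id_8000=abc123"}, owners))
    print(filter_request({"SM-USER": "user2", "Cookie": "session_id_8000=abc123"}, owners))
```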

