Using SSO proxy to connect to multiple AD domain

We are running all of our Splunk servers on Linux, but we use IIS on Windows as a reverse proxy to Splunk. We've figured out a hackish but functional way to give users from another Active Directory forest SSO access to dashboards that I think will give you what you're asking for.

What you need:

1. A Windows server running IIS 7+
2. The free Microsoft Application Request Routing (ARR) extension - available for download from: http://www.iis.net/download/applicationrequestrouting
3. The free Microsoft URL Rewrite extension - available for download from: http://www.iis.net/download/URLRewrite
4. The free Helicon ISAPI_Rewrite module – available for download from: http://www.helicontech.com/download-isapi_rewrite3.htm
5. A Splunk search head configured for LDAP and SSO. Set remoteUser = REMOTE-USER instead of REMOTE_USER.

Here's how we set up the proxy, best as I can remember:

1. Install ARR v2.1 using the default options.
2. Install URL Rewrite v2.0 using the default options.
3. Install the Helicon ISAPI_Rewrite3 Module to IIS. The free version is sufficent because we will be using ARR to work around the free version’s RewriteProxy limitations…
4. From the Application Request Routing Cache feature view, click on the Server Proxy action and Enable proxy.
5. Create a new IIS web site for the Splunk proxy address (ex – splunk.xyz.com). Bind an SSL certificate to the web site at this time.
6. On the newly created website’s feature view, click on URL Rewrite and then the Add Rule(s) action.
7. Create a rule based on the Reverse Proxy template which points to your Splunk search head. Enable SSL Offloading.
8. Edit the rule such that a Condition input of {HTTP_HOST} matches the pattern (splunk\.xyz\.com).
9. By chaining such Reverse Proxy rules, you can specify multiple Splunk environments if you need to (splunkdev\.xyz\.com)…
10. Make the first rule {HTTPS} matches ^OFF$ if you want to redirect all web traffic to SSL.

11. Edit the Helicon configuration as below:

    RewriteHeader REMOTE_USER: .* $1
    RewriteMap user int:tolower
    RewriteCond %{REMOTE_USER} .* \\([^\\]+)
    RewriteHeader Remote-User: .* ${user:%1}
    RewriteBase /
    
    RewriteHeader Remote-User: ^(abcuser1|abcuser2|abcuser3) abc_developer
    RewriteHeader Remote-User: ^(abcuser5|abcuser5) abc_admin
    RewriteBase /
    

The above example converts REMOTE_USER to lowercase, strips out Active Directory domain information, and populates a new Remote-User variable with the result. Then, if the user matches the regex in any of the next sections, the Remote-User variable will be populated with the specified abc_developer or abc_admin user name. This rewritten user name can match an account in the configured AD LDAP repository or can be a shared Splunk local user account.

That’s it!