Splunk can only connect to one domain in an AD forest at this time. That's a known limitation.
However, is it possible to set whatever user name you want in the SSO header when you do the re-write. The proxy doing the re-write may be multi-domain or forest aware.
How can I re-write the auth'd user from a non-Splunk-auth domain to target a user in Splunk? If I do, must I map them to users in the domain that Splunk can access to, in order to make the roles work out?
asked 02 Feb '11, 23:10
We are running all of our Splunk servers on Linux, but we use IIS on Windows as a reverse proxy to Splunk. We've figured out a hackish but functional way to give users from another Active Directory forest SSO access to dashboards that I think will give you what you're asking for.
What you need:
Here's how we set up the proxy, best as I can remember:
The above example converts REMOTE_USER to lowercase, strips out Active Directory domain information, and populates a new Remote-User variable with the result. Then, if the user matches the regex in any of the next sections, the Remote-User variable will be populated with the specified abc_developer or abc_admin user name. This rewritten user name can match an account in the configured AD LDAP repository or can be a shared Splunk local user account.
Trying to setup Splunk to work with a reverse proxy as described above using ARR v2.1 and URL Rewrite v2.0. Anyone having the same problems as me?
Splunk is hosted on localhost:8000 IIS proxy on localhost/SplunkTest/
I suppose setting root_endpoint should make all this work without outgoing rules? I am pointing root_endpoint to the proxy root offset, i.e. "/SplunkTest/"
Any help is very appreciated.