Refine your search:

How do I make Single Sign On work with mod_proxy

3
2

We are trying to deploy splunk with SSO according to documentation found on http://www.splunk.com/base/Documentation/4.1/Admin/Usesinglesign-onwithSplunk but are hitting a wall.

The suspicion is that mod_proxy does not proxy the remote_user variable needed by Splunk. Anyone know if this and true and known a way around this?

asked 16 Apr '10, 23:06

Alan%20Bradley's gravatar image

Alan Bradley
8606733
accept rate: 100%

7 Answers:
oldestnewestmost voted
5

We don't require that the variable representing the user be remote_user. You can configure the 'remoteUser' variable to say how your proxy server spells it. To try to see what your proxy server might be sending, try accessing http://YourSplunkServer:8000/debug/sso

See also: http://www.splunk.com/base/Documentation/latest/Admin/Usesinglesign-onwithSplunk

link

answered 17 Apr '10, 00:06

jrodman's gravatar image

jrodman ♦
5.8k2515
accept rate: 42%

4

Assuming your auth module provides a REMOTE_USER variable in the context of the apache request, you probably need to provide a line like this:

RequestHeader set REMOTE_USER %{REMOTE_USER}s

In your reverse proxy configuration.

For example, the following configuration might be used in an SSPI configuration for Apache:

<VirtualHost>
<Location />
    Order allow,deny
    Allow from all

    AuthName "FOO.COM"
    AuthType SSPI
    SSPIPackage NTLM
    SSPIOfferSSPI On
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOmitDomain On
    SSPIOfferBasic On
    require valid-user 
</Location> 
# Proxy Configurations
ProxyVia On
ProxyPassInterpolateEnv On
<Proxy *>
    Order allow,deny
    Allow from all
</Proxy>
ProxyPass / http://foo.com:8000/
ProxyPassReverse / http://foo2.com:8000/
ProxyPassReverseCookieDomain foo.com foo2.com
ProxyPassReverseCookiePath / /
RequestHeader set REMOTE_USER %{REMOTE_USER}s   

</VirtualHost>
link

answered 26 Apr '10, 20:15

Nate's gravatar image

Nate ♦
992
accept rate: 66%

3

Based on Nates response I got SSO working with the following config in apache. The only difference is that we use ssl to connect and a non standard ssl port on our splunk server:

<VirtualHost *:8082>
    <Location />   
        Order allow,deny    
        Allow from all    
        AuthName "mysplunkserver.com"    
        AuthType SSPI    
        SSPIPackage NTLM    
        SSPIOfferSSPI On    
        SSPIAuth On    
        SSPIAuthoritative On    
        SSPIOmitDomain On    
        SSPIOfferBasic On    
        require valid-user 
    </Location> 
    # Proxy Configurations
    ProxyVia On
    ProxyPassInterpolateEnv On
    <Proxy *>    
        Order allow,deny    
        Allow from all
    </Proxy>
    ProxyPass / https://mysplunkserver.com:8082/
    ProxyPassReverse / https://mysplunkserver.com:8082/
    ProxyPassReverseCookieDomain mysplunkserver.com publicserver.com
    ProxyPassReverseCookiePath / /
    RequestHeader set REMOTE-USER %{REMOTE_USER}s
    SSLProxyEngine On   
    AllowCONNECT 8082       
</VirtualHost>
link

answered 01 Jun '10, 11:16

chris's gravatar image

chris
1.2k112
accept rate: 48%

2

Assuming you want to authenticate users from Active Directory via an Apache proxy running on Linux, you could easily get this working by using either a free or paid version of Centrify.

The Centrify Suite Application Edition is a paid solution that supports SPNEGO/Kerberos and NTLM for silent authentication as well as BASIC or HTLM forms for username/password authentication.

A free solution would be to configure Splunk for PAM authentication on Linux and use Centrify Express which supports AD authentication from Linux via PAM.

Cool thing about either approach is that you get very robust integration with Active Directory with support for auto-discovery of domain controllers, auto-setup and auto-management of Kerberos and you can even use either solution for authenticating users to the Linux OS.

I might try to see how I can package up the simple PAM + Centrify Express approach and submit it to the splunkbase.

link

answered 17 Aug '10, 17:30

Corey's gravatar image

Corey
4785
accept rate: 0%

2

If the REMOTE_USER isn't being passed through, try replacing the RequestHeader line with the following:

RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e

You may also have to set the remoteUser setting in web.conf to "REMOTE-USER" (dash rather than underscore):

web.conf:

[settings]
trustedIP = 127.0.0.1
remoteUser = REMOTE-USER
link

answered 03 Dec '10, 23:41

gareth's gravatar image

gareth ♦
28113
accept rate: 53%

edited 03 Dec '10, 23:59

+1 for recommending 'REMOTE-USER' vs 'REMOTE_USER' in web.conf. I spent an hour trying to figure this out, tried the RequestHeader set REMOTE_USER %{REMOTE_USER}s trick, etc. I noticed that the SSO debug page at http://localhost/en-US/debug/sso was seeing a header called 'Remote-User' but I could not get REMOTE_USER to work for the life of me.

(18 Nov '11, 17:23) stefanlasiewski
1

Sorry to bump this thread.

I tried this exact configuration but the debug page keeps claiming that REMOTE_USER is null. I can see the user in the apache access.log so I know the authenication is indeed working. Whatever I do I cannot seem to populate the REMOTE_STRING. Any idea will be welcomed

Thanks, Roy.

link

answered 21 Jul '10, 08:22

rosroy's gravatar image

rosroy
11
accept rate: 0%

In web.conf try 'REMOTE-USER' (with a dash) instead of 'REMOTE_USER' (with an underscore).

(18 Nov '11, 17:24) stefanlasiewski
0

SSPI is only available on Windows Apache, any word on how to get this going with Linux Apache?

link

answered 03 Aug '10, 16:48

adamw's gravatar image

adamw
887
accept rate: 7%

Post your answer
toggle preview

Copyright © 2005-2012 Splunk, Inc. All rights reserved.