
I'm using the Centrify Active Directory Integration for Splunk and want to know if a user's account credentials can be passed from their intranet-based workstation and logged into Splunk seamlessly; that is, without being presented with a login page... like a true SSO solution.

How would this be accomplished?

asked 22 Apr '12, 08:21


gryan


2 Answers:

It should be possible, but it will require you to do a bit of work. Splunk supports "true" single signon by being front-ended by a single-signon aware proxy server. Splunk will implicitly allow logins in this mode using a header variable provided by the proxy server. Centrify (according to their website) does support single-signon into Apache. Apache can then be configured to proxy into Splunk, passing along the userid which logged in to Apache.

Splunk documentation covers this at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Usesinglesign-onwithSplunk


answered 22 Apr '12, 14:26


dwaddle ♦

Dwaddle is correct. An additional bit of information is that I have tested the Centrify Apache module in a reverse proxy mode to front end other applications like SAP and Peoplesoft in addition to Splunk. It works as expected and supports WIA via Kerberos/NTLM over SPNEGO (also works with ADFS for a federated SSO).

I understand gryan is not able to use the Centrify Apache module due to it not being free, but for other readers I thought this might be useful information.

Corey - A Centrify product manager

(22 Apr '12, 16:28) Corey

Thanks for your reply. The Centrify module for Apache is not free... therefore it's not an option.

I have an apache2 proxy built, however I have been unable to get it to populate the REMOTE_USER variable. Additionally, it's unclear as to what auth module is recommended for domain lookups into AD. Can you shed some light on that?

I'm looking for the shortest/cheapest path toward true SSO and the Centrify addon looked like it would accomplish that, but unfortunately it only got me half way there.

I do appreciate your time and your recommendations.

Thanks, G


answered 22 Apr '12, 14:30


gryan


Unfortunately, you need some active code (like an Apache module) to inject that header variable. Most single signon solutions provide such a plugin that will either (A) pick up on the existence of a valid SSO session cookie, and insert the REMOTE_USER header or (B) not seeing a valid cookie, redirect you to the SSO portal. I know next-to-nothing about Centrify, but expect this is how their Apache module functionally works. To avoid using it, you'll probably have to dive down into writing your own Apache modules.

(23 Apr '12, 10:40) dwaddle ♦
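
The proxy arrangement described in the first answer, sketched as an added example that is not part of the original thread and not taken from Splunk's or Centrify's documentation. It assumes the separate mod_auth_kerb module for Kerberos/SPNEGO (an assumption, not something the thread recommends), and the host name, realm, certificate and keytab paths, and Splunk Web address are placeholders.

```apache
# Added example. Assumes mod_ssl, mod_auth_kerb, mod_rewrite, mod_headers and
# mod_proxy_http are loaded. All names and paths below are placeholders.
<VirtualHost *:443>
    ServerName splunk.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/splunk.example.internal.crt
    SSLCertificateKeyFile /etc/apache2/ssl/splunk.example.internal.key

    # Splunk logs in whoever this header names, so a copy sent by the
    # browser must be dropped before anything else runs.
    RequestHeader unset REMOTE_USER early

    <Location />
        AuthType Kerberos
        AuthName "Splunk SSO"
        KrbMethodNegotiate On        # SPNEGO ticket from the domain workstation
        KrbMethodK5Passwd Off        # no password prompt fallback
        KrbAuthRealms EXAMPLE.INTERNAL
        KrbServiceName HTTP
        Krb5KeyTab /etc/apache2/http.keytab
        KrbLocalUserMapping On       # user@REALM -> user
        Require valid-user
    </Location>

    # Copy the authenticated user into an env var, then into the header.
    # "env=RU" means the header is only set when authentication produced a user.
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e env=RU

    # Splunk Web assumed to listen on loopback port 8000 on the same host.
    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

# Splunk side, so the header is honoured only when it comes from the proxy:
#   web.conf     [settings]   SSOMode    = strict
#                             trustedIP  = 127.0.0.1
#                             remoteUser = REMOTE_USER
#   server.conf  [general]    trustedIP  = 127.0.0.1
```

Because the header alone decides who is logged in, Splunk Web should not be reachable by any path that bypasses the proxy, and `trustedIP` should list only the proxy's address.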

Asked: 22 Apr '12, 08:21

Seen: 1,037 times

Last updated: 23 Apr '12, 10:40

Copyright © 2005-2012 Splunk Inc. All rights reserved.