Splunk® Enterprise

Securing Splunk Enterprise


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Configure Single Sign-On

Before you configure proxy-based SSO with Splunk Enterprise, make sure you have the following:

  • A Proxy Server (Splunk Enterprise supports IIS or Apache) configured as a reverse proxy to authenticate to external systems.
  • An LDAP Server or other external authentication system provisioned with appropriate groups and users for your proxy to authenticate against.
  • A working Splunk Enterprise configuration that is either configured to use the same external authentication system as your proxy (usually LDAP) or that has native Splunk Enterprise users that match the user and group IDs contained in your external authentication system.

Configuring SSO requires the following steps:

1. Edit the properties on your proxy server to authenticate against your external authentication system.

2. Edit Splunk's server.conf file.

3. Edit Splunk's web.conf file.

Note: For optimal security, any HTTP header-based solutions should be implemented over a TLS/SSL enabled deployment.

Configure server.conf

Edit the trustedIP setting in the [general] stanza to add the IP address that will make secure authentication requests to splunkd. This is typically Splunk Web, and therefore the localhost. You can enter only one IP address per splunkd instance.

trustedIP=127.0.0.1

If no IP addresses are provided in the trustedIP list, Splunk SSO is disabled by default.

Configure web.conf

To enable SSO using Apache 1.x, configure the following in the [settings] stanza in web.conf ($SPLUNK_HOME/etc/system/local). For other supported proxy servers, leave tools.proxy.on set to the default value of false.

SSOMode = strict
trustedIP = 127.0.0.1,10.3.1.61,10.1.8.81
remoteUser = X-Remote-User
tools.proxy.on = True

Attribute: SSOMode
Default: no
Description: The SSOMode attribute determines whether Splunk Web SSO operates in strict or permissive mode.

Strict mode restricts authentication to identities that match the IP addresses listed in the trustedIP property. If the IP attempting to connect does not match any listed address, an error page appears to the user. Strict mode is recommended for SSO.

Permissive mode also restricts authentication to requests from IPs found in the trustedIP list. In permissive mode, if the IP attempting to connect does not match any listed address, a login page is displayed so that the user can re-authenticate.

Attribute: trustedIP
Default: n/a
Description: Set this to the IP address of the authenticating proxy or proxies. Specify a single address or a comma-separated list of addresses; IP ranges and netmask notation are not supported.

Attribute: remoteUser
Default: REMOTE_USER
Description: The remoteUser attribute names the attribute of the authenticated identity that the proxy server passes in an HTTP request header. Splunk defaults this value to REMOTE_USER, but any LDAP attribute can be passed in this request header as long as the proxy sets it correctly after authentication. When you configure the remoteUser attribute, you must also configure the RequestHeader property in your proxy configuration to pass the identity's attribute to Splunk. This process is described in "About Splunk Single Sign-On".

The default header Splunk uses is REMOTE_USER; if your proxy uses a different header, change the header name here.

Attribute: tools.proxy.on
Default: false
Description: Set tools.proxy.on to true if you are using Apache 1.x as a proxy server. Use the default value of false for other supported proxy servers.

When set to false, Splunk Enterprise uses the IP address of the computer logging on. In an SSO deployment, however, it is the proxy that requests login on behalf of the user. Because requests are rejected if the source IP address is not listed in the trustedIP property, setting this value to true makes Splunk Web use the proxy's IP address instead.
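As an added example (not from the Splunk documentation or Splunk's own code), the following Python models the trust decision that the SSOMode, trustedIP and remoteUser attributes describe, so the outcome for a given source address and header can be checked before a deployment goes live. The SsoSettings class, the sso_decision function and the handling of a trusted proxy that omits the header are assumptions made for illustration.

```python
"""Model of the Splunk Web proxy-SSO trust decision documented above.

Added illustration, not Splunk's code: it mirrors the described behaviour of
SSOMode, trustedIP and remoteUser so the effect of each setting can be seen.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class SsoSettings:
    # Field names mirror the web.conf [settings] attributes on this page.
    sso_mode: str = "strict"          # "strict" or "permissive"
    trusted_ip: str = "127.0.0.1"     # comma-separated literal addresses only
    remote_user: str = "REMOTE_USER"  # header carrying the authenticated identity

    def trusted_addresses(self) -> set:
        """Parse trustedIP. The page states that ranges and netmask notation
        are unsupported, so such entries are rejected rather than silently
        matching nothing."""
        addrs = set()
        for item in self.trusted_ip.split(","):
            item = item.strip()
            if not item:
                continue
            if "/" in item or "-" in item:
                raise ValueError(f"trustedIP entry {item!r}: ranges/netmasks unsupported")
            addrs.add(ip_address(item))
        return addrs


def sso_decision(settings: SsoSettings, client_ip: str, headers: dict) -> str:
    """Return what Splunk Web does with one request:
    'user:<name>' (header trusted, no login page), 'error_page' (strict mode,
    untrusted source) or 'login_page' (permissive mode, untrusted source).
    A trusted proxy that omits the header is treated like an untrusted
    request here; the page does not specify that case (assumption)."""
    from_trusted_proxy = ip_address(client_ip) in settings.trusted_addresses()
    # HTTP header names are case-insensitive; normalise before the lookup.
    ident = {k.lower(): v for k, v in headers.items()}.get(settings.remote_user.lower())
    if from_trusted_proxy and ident:
        return f"user:{ident}"
    # An identity header arriving from an address outside trustedIP is
    # ignored: this IP check is what prevents a client from asserting its
    # own identity by sending the remoteUser header directly.
    if settings.sso_mode == "strict":
        return "error_page"
    return "login_page"
```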

If you host Splunk Web behind a proxy that does not place Splunk Web at the proxy's root, you may also need to configure the root_endpoint setting in $SPLUNK_HOME/etc/system/local/web.conf.

For example, if your proxy hosts Splunk Web at yourhost.com:9000/splunk, root_endpoint should be set to /splunk.

For example, in web.conf:

root_endpoint=/lzone

In the above example, Splunk Web is accessed via http://splunk.example.com:8000/lzone instead of http://splunk.example.com:8000/.

You would next make it visible to the proxy by mapping it in httpd.conf:

ProxyPass /lzone http://splunkweb.splunk.com:8000/lzone
ProxyPassReverse /lzone http://splunkweb.splunk.com:8000/lzone

Session management

Because there is no simple logout for an SSO session, and Splunk Enterprise preserves a session for as long as the proxy keeps supplying the correct header information, set your proxy's session timeout value with this in mind.

If you need to end a session before the timeout occurs, you can use the REST endpoint together with the session identifier to destroy the session:

curl -s -uadmin:changeme  -k -X DELETE https://localhost:8089/services/authentication/httpauth-tokens/990cb3e61414376554a39e390471fff0

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15


Comments

Thanks for commenting, Plaxos. I have updated the topic to clarify that tools.proxy.on=true applies only when using Apache 1.x.

Andrewb splunk, Splunker
June 29, 2015

In Splunk's configuration reference manual for web.conf it states that tools.proxy.on=true is "For Apache 1.x proxies only." Using it with Apache 2 will stop SSO from working (and cost hours in tracking down the problem).

Plaxos
June 28, 2015
