Configure Single Sign-On with reverse proxy
Before you configure reverse proxy-based SSO with Splunk Enterprise, make sure you have the following:
- A Proxy Server (Splunk Enterprise supports IIS or Apache) configured as a reverse proxy to authenticate to external systems.
- An LDAP Server or other external authentication system provisioned with appropriate groups and users for your proxy to authenticate against.
- A working Splunk Enterprise configuration that is either configured to use the same external authentication system as your proxy (usually LDAP) or that has native Splunk Enterprise users that match the user and group IDs contained in your external authentication system.
Configuring SSO with reverse proxy requires the following steps:
1. Edit the properties on your proxy server to authenticate against your external authentication system.
2. Edit the Splunk Enterprise
3. Edit the Splunk Enterprise
Note: For optimal security, any HTTP header-based solutions should be implemented over a TLS/SSL enabled deployment.
trustedIP in the general settings stanza to add the IP address that will make secure authentication requests to splunkd. This is typically Splunk Web and therefore the localhost. You can only enter one IP address per splunkd instance.
If no IP addresses are provided in the trustedIP list, Splunk SSO is disabled by default.
To enable SSO, configure the following in the [settings] stanza in
SSOMode = strict
trustedIP = 127.0.0.1,10.3.1.61,10.1.8.81
remoteUser = X-Remote-User
tools.proxy.on = True
Strict mode restricts authentication to identities that match the IP addresses listed in
Permissive mode also restricts authentication to requests from IPs found in the
trustedIP (default: n/a): Set this to the IP address of the authenticating proxy or proxies. Specify a single address or a comma-separated list of addresses; IP ranges and netmask notation are not supported.
The default Splunk header used is
tools.proxy.on (default: false): To use Splunk SSO, set this to true. When set to false, Splunk Enterprise uses the IP address of the computer logging on; in Splunk Enterprise SSO, however, it is the proxy that requests login on behalf of the user. Because requests are rejected if the IP address is not listed in the trustedIP property, this value must be true.
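The following is an added worked example, not Splunk code. It models the decision the settings above describe: the proxy is the only party allowed to assert an identity header, and Splunk Web honours that header only when the request arrives from an address in trustedIP. The settings dict mirrors the page's example stanza, and the strict/permissive rules (strict refuses untrusted sources, permissive falls back to the login page) are an assumed model of the two modes, not Splunk's implementation.

```python
"""Model of the reverse-proxy SSO decision: proxy side and Splunk Web side.

Added illustration, not Splunk code. Settings are a plain dict mirroring the
page's [settings] values (SSOMode, trustedIP, remoteUser); the decision rules
are an assumed model of how strict and permissive modes treat the peer
address and the identity header.
"""
from ipaddress import ip_address

# Constructed settings, mirroring the page's example stanza.
SSO_SETTINGS = {
    "SSOMode": "strict",
    "trustedIP": "127.0.0.1,10.3.1.61,10.1.8.81",
    "remoteUser": "X-Remote-User",
}


def parse_trusted_ips(value):
    """Split a comma-separated trustedIP value into a set of address strings.

    Ranges and netmask notation are not supported by the setting, so a value
    such as "10.0.0.0/8" is rejected here too (ip_address raises ValueError).
    """
    return {str(ip_address(item.strip())) for item in value.split(",") if item.strip()}


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def proxy_forward(authenticated_user, client_headers, header_name="X-Remote-User"):
    """Headers a correctly configured proxy sends upstream for one request.

    Any copy of the identity header supplied by the client is dropped before
    the proxy sets it from its own authentication result, so the client can
    never choose the identity that Splunk Web will see.
    """
    forwarded = {k: v for k, v in client_headers.items() if k.lower() != header_name.lower()}
    if authenticated_user is not None:
        forwarded[header_name] = authenticated_user
    return forwarded


def sso_decision(settings, peer_ip, headers):
    """Decide how Splunk Web should handle a request under the assumed model.

    peer_ip is the address the request arrived from (the proxy, for a proxied
    request).  Returns one of:
      ("sso", user)        identity header accepted from a trusted proxy
      ("login_page", None) fall back to the normal login form
      ("reject", None)     request refused
    """
    trusted = parse_trusted_ips(settings["trustedIP"])
    if not trusted:
        return ("login_page", None)  # page: an empty trustedIP list disables SSO
    if str(ip_address(peer_ip)) not in trusted:
        # A header from an untrusted source is never honoured, whatever it says.
        if settings["SSOMode"].lower() == "strict":
            return ("reject", None)
        return ("login_page", None)  # permissive: no SSO, but login is still offered
    user = get_header(headers, settings["remoteUser"])
    if not user:
        return ("login_page", None)  # trusted proxy did not assert an identity
    return ("sso", user)


if __name__ == "__main__":
    # Client authenticated at the proxy as "alice" but also sent a forged header.
    upstream = proxy_forward("alice", {"Host": "splunk.example", "X-Remote-User": "admin"})
    print(sso_decision(SSO_SETTINGS, "10.3.1.61", upstream))  # ('sso', 'alice')
    # Direct connection that bypasses the proxy, carrying a forged header.
    print(sso_decision(SSO_SETTINGS, "192.0.2.10", {"X-Remote-User": "admin"}))  # ('reject', None)
    permissive = dict(SSO_SETTINGS, SSOMode="permissive")
    print(sso_decision(permissive, "192.0.2.10", {"X-Remote-User": "admin"}))  # ('login_page', None)
```

The two halves belong together: trustedIP on the Splunk side is only meaningful if the proxy strips the client's copy of the remoteUser header before setting its own, and the proxy's header is only safe if Splunk Web refuses it from any other source address.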
If you host Splunk Web behind a proxy that does not place Splunk Web at the proxy's root, you may also need to configure the root_endpoint setting in
For example, if your proxy hosts Splunk Web at "yourhost.com:9000/splunk", root_endpoint should be set to
root_endpoint=/lzone
You would next make it visible to the proxy by mapping it in
ProxyPass /lzone http://splunkweb.splunk.com:8000/lzone
ProxyPassReverse /lzone http://splunkweb.splunk.com:8000/lzone
Since there is no simple logout for a session, and Splunk Enterprise preserves a session as long as the correct header information is present in the proxied request, set your proxy's session timeout value with this in mind.
If you need to end a session before the timeout occurs, you can call the REST endpoint with the session identifier to destroy the session:
curl -s -uadmin:changeme -k -X DELETE https://localhost:8089/services/authentication/httpauth-tokens/990cb3e61414376554a39e390471fff0
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11