Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Troubleshoot reverse-proxy SSO

Splunk Web provides an interface that allows you to analyze the environment and the run-time data to help you debug your deployment. This page can be accessed via the proxy or the direct URL. The request headers will not be available if you do not access this page through the proxy server.

+Splunk recommends that this setting is disabled after troubleshooting is complete.

This URL is located at:

http://YourSplunkServer:8000/debug/sso

Important: This debug page is not available by default. In order to make the page available, two steps must be completed. First, the role that is accessing this end point must have the web_debug capability, which the admin role has by default. Second, in web.conf, the setting enableWebDebug=true must be configured. You should immediately disable this setting after you have finished troubleshooting.

Consider the following when using the troubleshooting page to analyze your deployment:

  • Compare the IP provided as the Splunk trusted IP with that of the Host IP. The values must be the same (they should be the IP of your proxy). If they are not the same in the troubleshooting page, you must edit the trustedIP value in server.conf.
  • Check the value for Incoming request IP received by splunkweb to make sure that it displays your client's IP address. If the IP does not match that of your client, you must:
    • Edit web.conf to correct this.
    • Make sure that tools.proxy.on is set to true.
  • Make sure that your proxy is providing a header. Check the Authorization field under Other HTTP Headers. If there is no value present, check the http.conf file in your proxy to make sure that the remote header attribute value is properly set. Splunk software is configured to accept the remote header value of REMOTE_USER, which is the default for most proxies. If your proxy's remote header is different, and you wish to keep that value, you can edit the remote header value in web.conf to change the header that Splunk software will accept. See Configure SSO for more information.
  • Make sure that Splunk Web is creating a cookie to send to splunkd. Check the Cookie field under Other HTTP headers to make sure that a cookie is set. If a cookie is not set, then check your web.conf file to make sure your file is properly configured. Configure SSO for more information.
Last modified on 26 September, 2016
Configure Single Sign-On with reverse proxy   Configure Splunk Enterprise to use a common access card for authentication

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters