About proxy single sign-on
Proxy single sign-on, or proxy SSO, is an authentication method that lets you configure single sign-on authentication for Splunk Enterprise instances through a reverse proxy server.
With proxy SSO, a proxy server exists between the Splunk Enterprise deployment and an external authentication service. You can pass user identity and group information in HTTP headers from the proxy server to Splunk Enterprise. Splunk Enterprise uses the information it receives in these headers to authenticate users and subsequently authorize them through groups that have been mapped to Splunk roles.
Authentication using proxy SSO provides the following benefits:
- It combines authentication and authorization into one step for the user, which streamlines the login process
- It eliminates a direct connection between Splunk Enterprise and the external authentication service, which increases security
- It reduces the number of configuration steps for authentication
- It lowers the amount of network communication between Splunk Enterprise and authentication services, making authentication more efficient
- It expands the number of authentication service options you can use beyond Lightweight Directory Access Protocol (LDAP), as the proxy server passes the required authentication and authorization information
It's not possible to configure proxy SSO in Splunk Enterprise using Splunk Web. Instead, you must use the Representational State Transfer (REST API) or modify configuration files, as described in Configure proxy single sign on.
Splunk Cloud Platform does not support authentication using proxy SSO.
Prerequisites to configuring proxy SSO
To set up proxy SSO, you must have the following:
- A proxy server
- This proxy server must be configured to send HTTP headers as part of an HTTP web request or response.
- A working Splunk Enterprise deployment
For more information about how to configure these items and set up proxy SSO, see Configure proxy SSO.
How proxy SSO works
- You configure a proxy server to handle authentication requests between Splunk Enterprise and an external authentication service.
- You map groups on the external application service to roles on the Splunk Enterprise deployment.
- The proxy server authenticates against the configured authentication service and creates an HTTP request.
- Splunk Enterprise receives HTTP headers from the trusted reverse proxy server.
- Splunk Enterprise checks the
trustedIPsetting in its web.conf configuration file to determine that it is receiving a request from the trusted proxy server IP address.
- Based on the headers that Splunk Enterprise receives from the trusted proxy server, Splunk Enterprise accepts or denies the login request.
After a successful login, the client web browser creates a session cookie and the user can then access Splunk Web.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.1.0, 9.1.1, 9.1.2