Splunk® Enterprise

Securing Splunk Enterprise

This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Troubleshoot Proxy SSO

To view the HTTP request headers that the proxy server sends to Splunk Web, set enableWebDebug=true in the settings stanza of web.conf, then open the following endpoint:

http://<ProxyServerIP>:<ProxyServerPort>/debug/sso

Use this endpoint to check for some common configuration or setup errors:

  • The incoming request IP matches the configured value of trustedIP.
  • The header attribute names set on the proxy server are the same as those configured on Splunk.
  • Group entries are sent and parsed correctly, especially when remoteGroupsQuoted = true is set. To see how groups are parsed, add category.UiAuth=DEBUG to etc/log.cfg under the splunkd stanza.


Once this is verified, check the following configuration:

  • The parsed groups have a mapping in roleMap_proxySSO.
  • In some cases, a user cannot log in because either the user or their roles are on an exclusion list. Check excludedobjects under the stanza named after the value of authSettings.

These kinds of login events are logged in var/log/splunkd.log along with the reason for failure.
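The header-name, group-parsing and roleMap_proxySSO checks above can be rehearsed offline. The following is an added example, not Splunk code: it approximates the group split with Python's csv module. It assumes that the groups in a roleMap_proxySSO entry are semicolon-separated and matched exactly; the header name X-Remote-Groups and all sample values are constructed.

```python
import configparser
import csv
import io

# Constructed sample configuration and request headers (not from a real deployment).
WEB_CONF = """
[settings]
remoteGroups = X-Remote-Groups
remoteGroupsQuoted = true
"""
AUTH_CONF = """
[roleMap_proxySSO]
admin = Splunk Admins, EMEA;secops
user = analysts
"""
HEADERS = {"x-remote-groups": '"Splunk Admins, EMEA", "analysts", "contractors"'}


def load(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep role names case-sensitive
    parser.read_string(text)
    return parser


def parse_groups(value, quoted):
    """Split the group header; quoted entries may themselves contain commas."""
    if quoted:
        rows = list(csv.reader(io.StringIO(value), skipinitialspace=True))
        entries = rows[0] if rows else []
    else:
        entries = value.split(",")
    return [e.strip() for e in entries if e.strip()]


def check_groups(web, auth, headers):
    """Return (roles granted, groups with no roleMap_proxySSO entry)."""
    settings = web["settings"]
    name = settings["remoteGroups"].lower()
    sent = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if name not in sent:
        raise KeyError(f"proxy did not send header {settings['remoteGroups']!r}")
    quoted = settings.getboolean("remoteGroupsQuoted", fallback=False)
    roles, unmapped = set(), []
    for group in parse_groups(sent[name], quoted):
        # Assumption: groups in a roleMap entry are semicolon-separated, exact match.
        hits = {r for r, gs in auth["roleMap_proxySSO"].items()
                if group in [g.strip() for g in gs.split(";")]}
        roles |= hits
        if not hits:
            unmapped.append(group)
    return sorted(roles), unmapped
```

With remoteGroupsQuoted switched to false, the same header splits on every comma and no entry matches the role map, which is the mismatch the group-parsing check is meant to catch.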

Last modified on 08 June, 2020
 

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.3.0

