Configure Single Sign-On with reverse proxy
Before you configure reverse proxy-based SSO with Splunk Enterprise, make sure you have the following:
- A Proxy Server (Splunk Enterprise supports IIS or Apache) configured as a reverse proxy to authenticate to external systems.
- An LDAP Server or other external authentication system provisioned with appropriate groups and users for your proxy to authenticate against.
- A working Splunk Enterprise configuration that is either configured to use the same external authentication system as your proxy (usually LDAP) or that has native Splunk Enterprise users that match the user and group IDs contained in your external authentication system.
Configuring SSO with reverse proxy requires the following steps:
1. Edit the properties on your proxy server to authenticate against your external authentication system.
2. Edit the Splunk Enterprise server.conf
file.
3. Edit the Splunk Enterprise web.conf
file.
Note: For optimal security, any HTTP header-based solutions should be implemented over a TLS/SSL enabled deployment.
Configure server.conf
Edit the trustedIP
in the general settings
stanza to add the IP address that will make secure authentication requests to splunkd. This is typically Splunk Web and therefore the localhost. You can only enter one IP address per splunkd instance.
If no IP addresses are provided in the trustedIP
list, Splunk SSO is disabled by default.
Configure web.conf
To enable SSO, configure the following in the [settings]
stanza in web.conf
(SPLUNK_HOME/etc/system/local
):
SSOMode = strict trustedIP = 127.0.0.1,10.3.1.61,10.1.8.81 remoteUser = Remote-User tools.proxy.on = False
Attribute | Default | Value |
---|---|---|
SSOMode
|
no | The SSOMode attribute determines whether the Splunk Web SSO operates in strict or permissive mode.
Strict mode restricts authentication to identities that match the IP addresses listed in Permissive mode also restricts authentication to requests from IPs found in the |
trustedIP
|
n/a | Set this to the IP address of the authenticating proxy or proxies. Specify a single address or a comma-separated list of addresses; IP ranges and netmask notation are not supported. |
remoteUser
|
REMOTE_USER
|
The remoteUser attribute determines the authenticated identity's attribute that is passed by the proxy server via the HTTP request header. This value defaults to REMOTE_USER but any LDAP attribute can be passed in this request header as long as the proxy sets this attribute properly after authentication. When you configure your remoteUser attribute, you must also configure the RequestHeader property in your proxy configuration to pass the identity's attribute to Splunk software. This process is described in "About Splunk Single Sign-On".
The default Splunk header used is |
tools.proxy.on
|
false | For apache 1.x proxy this value shoud be set to True. For later versions this value should be set to False. |
If you host Splunk Web behind a proxy that does not place Splunk Web at the proxy's root, you may also need to configure the root_endpoint
setting in $SPLUNK_HOME/etc/system/local/web.conf
.
For example if your proxy hosts Splunk Web at "yourhost.com:9000/splunk", root_endpoint
should be set to /splunk
.
For example:
root_endpoint=/lzone
In the above example, Splunk Web is accessed via http://splunk.example.com:8000/lzone
instead of http://splunk.example.com:8000/
.
You would next make it visible to the proxy by mapping it in httpd.conf
:
ProxyPass /lzone http://splunkweb.splunk.com:8000/lzone ProxyPassReverse /lzone http://splunkweb.splunk.com:8000/lzone
Session management
Since there is no simple log out for a session and Splunk Enterprise will preserve a session as long as the correct header information is contained in the proxy header, you should set your proxy's session timeout value with this in mind.
If you need to end a session before the timeout has occurred, you can use the REST end point along with the session identifier to destroy the session:
curl -s -uadmin:changeme -k -X DELETE https://localhost:8089/services/authentication/httpauth-tokens/990cb3e61414376554a39e390471fff0
About single sign-on using reverse proxy | Troubleshoot reverse-proxy SSO |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0
Feedback submitted, thanks!