Security

SSO not functioning. Does hostname matter?

cfergus
Path Finder

We are using Apache HTTP to proxy to Splunk. The short version is that we extract creds and put them in the "Remote-User" header. I can provide more complete info if it might help.

Through Splunk Web, I created a user 'myname'. Going to https://apache-server/splunk/en-US/debug/sso displays that SSO is enabled, Value of Remote-User is 'myname', and SSO will be used to authenticate this request.

However, navigating to https://apache-server/splunk/ Prompts me to login.

We have a nearly identical setup where this is working properly. The major difference is that the working version proxies to localhost (127.0.0.1). The other version uses a private address (a trustedIP) to contact Splunk.

Could this network mismatch have any impact?
Does the host name enter into SSO in a different way than /debug/sso shows? Is there an internal log I can search against that provides better information?

Using: Splunk 4.1.1 Apache 2.x https proxying to http Linux Magic Ponies

Tags (3)
0 Karma
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

Yes, the IP does matter. Did you set trustedIP and verify that it matches what is coming into Splunk (e.g., not changed by NAT or something)?

The default is that Splunk will only trust 127.0.0.1 for SSO requests, and require login for requests from anywhere else. This is so that someone can't just set up their own proxy or browser plugin to send a header with a username and get into Splunk without providing a password.

So, you need to configure the ip address of your Apache server into server.conf, under [general], trustedIP to let Splunk know that requests from those addresses do not need further authentication, and the IP there must match what Splunk sees in /debug/sso.

Update:

Actually, you may need to configure it into web.conf under [settings] too.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Yes, the IP does matter. Did you set trustedIP and verify that it matches what is coming into Splunk (e.g., not changed by NAT or something)?

The default is that Splunk will only trust 127.0.0.1 for SSO requests, and require login for requests from anywhere else. This is so that someone can't just set up their own proxy or browser plugin to send a header with a username and get into Splunk without providing a password.

So, you need to configure the ip address of your Apache server into server.conf, under [general], trustedIP to let Splunk know that requests from those addresses do not need further authentication, and the IP there must match what Splunk sees in /debug/sso.

Update:

Actually, you may need to configure it into web.conf under [settings] too.

cfergus
Path Finder

This post led me to the right configuration. I misunderstood the purpose of the two trustedIP properties. In actuality, the web.conf needed my web proxy 10.1.1.x as a trustedIP to say that splunkweb trusted the proxy.
The server.conf needed the splunkweb ip (127.0.0.1) as a trustedIP to say the daemon trusted the web, which was running locally.

In short:
(server.conf)

The location of splunk web

trustedIP = 127.0.0.1

(web.conf)

The location of the web proxy

10.1.1.x

0 Karma

kris2000
Explorer

Hi,

Output of "https://apache-server/splunk/en-US/debug/sso" Could help debugging.

Meanwhile..

If the trusted IP & SSO settings are correct,

You should see under "Remote User HTTP Header" section:

Remote User HTTP Header Remote-User

Value of Remote-User myname

Depending on the proxy you are using, check whether you are getting REMOTE-USER or REMOTE_USER field in the request header at the Splunk side and make sure thats what Splunk expects.

Just some suggestions...

-Kris

cfergus
Path Finder

Those parameters are being shown in the /debug/sso page.

The "Value of Remote-User" is 'myname'.

As best I can tell, Splunk is getting what it needs. My next debug process would be to see if Splunk is rejecting SSO creds, or if it thinks it never gets them. Anybody know if I can turn logging to a different level or anything?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...