Dashboards & Visualizations

Using RSA Authentication to Login to Splunk

aferone
Builder

Hello all,

I have been tasked with using RSA tokens to login to our Splunk environment. I have been asking around, including the vendor, and still don't have good documentation on how to set this up. We have Splunk installed on Ubuntu. I am told it does work, but I have yet to get my hands on any documentation.

Thanks!

Alex

Tags (2)

msettipane
Splunk Employee
Splunk Employee

RSA SecurID and Splunk SSO Integration

Problem: RSA SecurID passes the username to Apache with a unique session id attached to the username.

Simple Solution: Pass Apache the username as input by the user in the RSA SecurID login page.

  1. First read Use single sign-on (SSO) with Splunk

  2. Configure Apache as Proxy Server

  3. Add RSA Webagent to Apache httpd.conf

     include /opt/apache/rsawebagent/rsawebagent.conf
    
  4. Go to the The RSA Authentication Agent and configure the Web Agent to use the same login screen for username and passcode.

  5. Modify the RSA Webagent useridandpasscode.htm

    Add JavaScript to the Page

    function SetCookie(cookieName,cookieValue)
    {
    var today = new Date();
    var expire = new Date();
    expire.setTime(today.getTime() + 3600000*24);
    document.cookie = cookieName+"="+escape(cookieValue) + ";expires="+expire.toGMTString();
    }

    Edit Form Submission

    //myForm.userid.value = myForm2.userid.value;
    SetCookie("SPLUNKUSER",myForm.username.value);

  6. Modify Apache httpd.conf to Capture the Cookie

    <virtualHost …..>
     SetEnvIf Cookie "SPLUNKUSER=([^;]\w+)" rsauser=$1 
     RequestHeader set USERNAMEHEADER %{rsauser}e 
    </VirtualHost>
    
  7. Modify Splunk web.conf in the local directory to accept the new Apache header username

     remoteUser = USERNAMEHEADER
    
  8. Check the debug page to ensure SPLUNKUSER is being passed to Splunk

     http://YourSplunkServer:8000/debug/sso
    

aferone
Builder

Thank you very much!

Do you know offhand if there is an RSA WebAgent for Ubuntu? I can't seem to find one.

0 Karma

bnolen
Path Finder

Another approach (though a little more fiddly) is to configure scripted authentication, with the script calling RADIUS.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

The general approach is to configure the RSA authentication agent on Apache, configure Splunk to use the same user directory, proxy Splunk behind the Apache server, configure the RSA agent login page to set a cookie containing the user name, and configure Apache to copy the cookie value to an HTTP header that Splunk is configured to read the username from.

aferone
Builder

Thanks for the answer. Did it take a long time for you to implement?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...