Security

True SSO: Bypass login page with Centrify Active Directory Integration for Splunk?

gryan
New Member

I'm using the Centrify Active Directory Integration for Splunk and want to know if a user's account credentials can be passed from their intranet-based workstation and logged into splunk seamlessly; that is, without being presented with a login page... like a true SSO solution.

How would this be accomplished?

Tags (4)
0 Karma

gryan
New Member

Thanks for your reply. The Centrify module for Apache is not free... therefore it's not an option.

I have an apache2 proxy built, however I have been unable to get it to populate the REMOTE_USER variable. Additionally, it's unclear as to what auth module is recommended for domain lookups into AD. Can you shed some light on that?

I'm looking for the shortest/cheapest path toward true SSO and the Centrify addon looked like it would accomplish that, but unfortunately it only got me half way there.

I do appreciate your time and your recommendations.

Thanks,
G

0 Karma

dwaddle
SplunkTrust
SplunkTrust

Unfortunately, you need some active code (like an Apache module) to inject that header variable. Most single signon solutions provide such a plugin that will either (A) pick up on the existence of a valid SSO session cookie, and insert the REMOTE_USER header or (B) not seeing a valid cookie, redirect you to the SSO portal. I know next-to-nothing about Centrify, but expect this is how their Apache module functionally works. To avoid using it, you'll probably have to dive down into writing your own Apache modules.

0 Karma

gryan
New Member

Thanks for your reply. The Centrify module for Apache is not free... therefore it's not an option.

I have an apache2 proxy built, however I have been unable to get it to populate the REMOTE_USER variable. Additionally, it's unclear as to what auth module is recommended for domain lookups into AD. Can you shed some light on that?

I'm looking for the shortest/cheapest path toward true SSO and the Centrify addon looked like it would accomplish that, but unfortunately it only got me half way there.

I do appreciate your time and your recommendations.

Thanks,
G

0 Karma

agitelzon
Explorer

I had to do something similar to get apache to populate the REMOTE_USER variable from mod_auth_mellon. You can see what I did here, http://answers.splunk.com/answers/177936/accessing-splunk-enterprise-using-adfs-authenticat.html#ans...

0 Karma

dwaddle
SplunkTrust
SplunkTrust

It should be possible, but it will require you to do a bit of work. Splunk supports "true" single signon by being front-ended by a single-signon aware proxy server. Splunk will implicitly allow logins in this mode using a header variable provided by the proxy server. Centrify (according to their website) does support single-signon into Apache. Apache can then be configured to proxy into Splunk, passing along the userid which logged in to Apache.

Splunk documentation covers this at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Usesinglesign-onwithSplunk

Corey
Explorer

Dwaddle is correct. An additional bit of information is that I have tested the Centrify Apache module in a reverse proxy mode to front end other applications like SAP and Peoplesoft in addition to Splunk. It works as expected and supports WIA via Kerberos/NTLM over SPNEGO (also works with ADFS for a federated SSO).

I understand gryan is not able to use the Centrify Apache module due to it not being free, but for other readers I thought this might useful information.

Corey - A Centrify product manager

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...