Security

SSO: configuration example of an Apache proxy to CAS

wsw70
Communicator

Hello,

I would like to connect my splunk installation to the enterprise SSO system, based on CAS.
I read the splunk docs about SSO but I do not know how to configure an Apache proxy so that it relays correctly to and from a CAS server (whenever I googled the question I always see people who "have successfully configured their CAS proxy" :))

I would appreciate very much an example of real-life Apache configuration I could readily uise to go ahead with SSO (without reinventing the wheel in the process)

Thank you!

0 Karma
1 Solution

wsw70
Communicator

I finally managed to do this with the configuration below. splunk.example.com:8000 is the actual site to be accessed, cas.example.com is the CAS server. The proxy is on the same machine and will be defined in a VirtualHost.

Apache

The VirtualHost which serves the to-be-SSO-ed application (splunk.example.com:8000) (I did not manage to use below the opening bracket < as it is interpreted as a tag so I replaced it with [)

[VirtualHost splunk.example.com:80>
ServerName splunk.example.com
DocumentRoot /var/www
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://cas.example.com/cas/login?gateway=true
CASValidateURL  https://cas.example.com/cas/proxyValidate
[Location />
        Authtype CAS
        require valid-user
        CASAuthNHeader Cas-User
[/Location>
ProxyPreserveHost On
ProxyPass        / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
[/VirtualHost>

CAS

The module to load is mod_auth_cas. The version I had on Debian failed on some crypto module, it is enough to clone the git repository, configure, make and install and it works out of the box

splunk

I did not manage to use REMOTE_USER (this is a bug, also described in another post with great details) and had to use Cas-User per the Apache config

View solution in original post

0 Karma

wsw70
Communicator

I finally managed to do this with the configuration below. splunk.example.com:8000 is the actual site to be accessed, cas.example.com is the CAS server. The proxy is on the same machine and will be defined in a VirtualHost.

Apache

The VirtualHost which serves the to-be-SSO-ed application (splunk.example.com:8000) (I did not manage to use below the opening bracket < as it is interpreted as a tag so I replaced it with [)

[VirtualHost splunk.example.com:80>
ServerName splunk.example.com
DocumentRoot /var/www
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://cas.example.com/cas/login?gateway=true
CASValidateURL  https://cas.example.com/cas/proxyValidate
[Location />
        Authtype CAS
        require valid-user
        CASAuthNHeader Cas-User
[/Location>
ProxyPreserveHost On
ProxyPass        / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
[/VirtualHost>

CAS

The module to load is mod_auth_cas. The version I had on Debian failed on some crypto module, it is enough to clone the git repository, configure, make and install and it works out of the box

splunk

I did not manage to use REMOTE_USER (this is a bug, also described in another post with great details) and had to use Cas-User per the Apache config

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...