
How to implement Splunk SSO with Google Authentication Proxy when the username is not an email address?

eshedra
Explorer

Hi All,
I implemented Splunk SSO with Google Authentication Proxy (GAP) (https://github.com/bitly/google_auth_proxy) by using this tutorial: http://hustoknow.blogspot.co.il/2014/11/implementing-splunk-sso-with-google-apps.html.

Everything works fine except the fact that the username must be an email address. Splunk won't let admins change usernames and I have a system which is all configured by names as usernames (and not email addresses).

Is it possible to forward from the proxy to Splunk only the user and not the whole email address?
I tried to do that by using X-Forwarded-User instead of X-Forwarded-Mail in web.conf with no success.

Another approach might be changing the usernames. Is it possible? Maybe directly from the server running it?

Thanks

1 Solution

dwaddle
SplunkTrust

We use this with a config similar to:

pass_basic_auth = true

## Google Apps Domains to allow authentication for
google_apps_domains = [
     "defpoint.com"
]

On the proxy, and:

[settings]
enableSplunkWebSSL = 0

remoteUser = X-Forwarded-User
trustedIP = 127.0.0.1

In web.conf in Splunk. With this configuration, the proxy only passes usernames with the "@domain.com" part removed. Folks show up in Splunk as "just their user ID" and it works great...

eshedra
Explorer

Another thing: could you please copy and paste your web.conf file (not only the relevant parts)?

Thanks

0 Karma

ppablo
Retired

Hi @eshedra

Please be sure that when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your last 2 responses in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer each time. This will help with a clean continuous flow of the conversation. I already converted your "answers" to comments, so just something to keep in mind from here on out. Thanks and happy Splunking!

0 Karma

eshedra
Explorer

I used tcpdump and see the username passes from the proxy to the Splunk server.
I suspect it might be a version issue (we are using 6.1). Do you think it might be it?

Are you familiar with other parameters that we can try and pass?

Thanks for help,
Eshed

0 Karma

eshedra
Explorer

Hi dwaddle,
I tried your configuration and it doesn't seem to work.
Right now when the username in Splunk is eshedra@etoro.com it logs me in if I use X-Forwarded-Email.
If I change it to X-Forwarded-User and create a username like "eshedra" it doesn't log me in.
Any ideas?

Thanks for help.
Eshed

0 Karma

dwaddle
SplunkTrust

Interesting. It works for us on Splunk 6.2.2. You could try running tcpdump between the google-auth-proxy and Splunk and see if the headers are all coming out right...

0 Karma

eshedra
Explorer

It works now. Thanks for the help

0 Karma
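
A way to check the pieces discussed in this thread offline, added here as an example (it is not part of any post, and not Splunk's or the proxy's own code): it reads the web.conf fragment from the accepted answer plus one captured proxy-to-Splunk request, and reports which username Splunk Web would be handed and why a login might fail. The sample request, the user name jdoe, the peer address argument and all function names are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample: the web.conf fragment from the answer above.
WEB_CONF = """[settings]
enableSplunkWebSSL = 0
remoteUser = X-Forwarded-User
trustedIP = 127.0.0.1
"""

# Constructed sample: one request as it could appear in a capture between
# the proxy and Splunk Web. Header values are made up for illustration.
CAPTURED = ("GET /en-US/ HTTP/1.1\r\nHost: 127.0.0.1:8000\r\n"
            "X-Forwarded-User: jdoe\r\n"
            "X-Forwarded-Email: jdoe@example.com\r\n\r\n")


def sso_settings(conf_text):
    """Return (remoteUser header name, list of trustedIP values)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: remoteUser, trustedIP
    cp.read_string(conf_text)
    s = cp["settings"]
    # Split on commas in case more than one address is listed (assumption).
    ips = [p.strip() for p in s.get("trustedIP", "").split(",") if p.strip()]
    return s.get("remoteUser", "").strip(), ips


def request_headers(raw):
    """Parse the header block of a raw HTTP request; names are lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return {n.strip().lower(): v.strip()
            for n, _, v in (line.partition(":") for line in lines)}


def check_sso(conf_text, raw, peer_ip, splunk_users):
    """Return (username Splunk would be handed, list of findings)."""
    header, trusted = sso_settings(conf_text)
    findings = []
    if peer_ip not in trusted:
        findings.append(f"peer {peer_ip} is not in trustedIP {trusted}")
    for ip in trusted:
        if not ipaddress.ip_address(ip).is_loopback:
            findings.append(f"trustedIP {ip} is not loopback; only the proxy should send from it")
    user = request_headers(raw).get(header.lower())
    if user is None:
        findings.append(f"header {header!r} missing from request")
    elif "@" in user:
        findings.append(f"{header} carries a full address: {user}")
    elif user not in splunk_users:  # exact match against names you supply
        findings.append(f"no Splunk user named {user!r}")
    return user, findings
```

An empty findings list means the configured header is present, holds a bare user ID that matches a supplied Splunk account, and arrives from the trusted proxy address.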