Deploy:SSO example configurations

From Splunk Wiki

SSO: Apache + Kerberos

Compatibility

  • Works with Firefox 3.5 and IE
  • Found no issues
  • Works perfectly for customers who want integrated authentication between Windows AD and *NIX clients.
  • This provides a true SSO experience: users log in once to the Windows domain on the company's domain-member computers and do not encounter any credential prompt when accessing Splunkweb.
  • The browsers have to be configured to pass Windows credentials to the proxy server.
  • The browsers have to be configured to trust the Windows domain.
  • The proxy server DOES NOT need to be hosted on a machine that is a member of the Windows domain. It just has to be "kerberized". See the details in the "Apache+Kerberos (*NIX): What I did to make this work" section below.

Setup

Set up the Apache proxy server as a Kerberos client. This assumes you have installed the following:

  1. Apache 2+
  2. mod_auth_kerb-5.3
  3. mod_proxy

Listen 6443 https
<VirtualHost _default_:6443>
#....
#.... some SSL directives here
#....

<Location />
  Order allow,deny
  Allow from all
  AuthType Kerberos
  AuthName "Kerberos Login at FOO.COM"
  KrbAuthRealms FOO.COM
  KrbMethodK4Passwd Off
  Krb5Keytab "/opt/local/apache2/conf/foo.keytab"
  KrbSaveCredentials On
  Require valid-user
</Location>

# Proxy Configurations
ProxyVia On
ProxyPassInterpolateEnv On

<Proxy *>
Order allow,deny
Allow from all
</Proxy>

ProxyPass / http://foo.com:8090/
ProxyPassReverse / http://foo.com:8090/
ProxyPassReverseCookieDomain foo.com bar.foo.com
ProxyPassReverseCookiePath / /
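# Forward the authenticated user name to the backend.
# "set" replaces any REMOTE_USER header supplied by the client.
RequestHeader set REMOTE_USER %{REMOTE_USER}s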


</VirtualHost>
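
As an added example (not part of the original wiki page or of Splunk's code), the Python check below tests the property this configuration depends on: the backend receives the user name in the REMOTE_USER header, so the proxy must require Kerberos authentication and overwrite that header with `RequestHeader set`. The function name, finding strings and both sample configurations are assumptions made for illustration.

```python
import re

# mod_headers actions that keep a client-supplied header instead of replacing it.
KEEPS_CLIENT_VALUE = {"add", "append", "merge", "setifempty"}

def lint_sso_proxy(conf, header="REMOTE_USER"):
    """Return a list of findings for a Kerberos SSO reverse-proxy vhost."""
    findings, section, auth, overwritten = [], None, {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)", line)
        if tag:  # remember the container we are in, e.g. <Location>
            section = None if tag.group(1) else tag.group(2).lower()
            continue
        words = line.split()
        name = words[0].lower()
        if section == "location" and name in ("authtype", "require"):
            auth[name] = " ".join(words[1:]).lower()
        elif name == "requestheader" and len(words) > 2 and words[2].upper() == header.upper():
            if words[1].lower() == "set":
                overwritten = True
            elif words[1].lower() in KEEPS_CLIENT_VALUE:
                findings.append(f"RequestHeader {words[1]} keeps a client-sent {header}")
    if auth.get("authtype") != "kerberos":
        findings.append("no AuthType Kerberos in <Location>")
    if auth.get("require") != "valid-user":
        findings.append("no Require valid-user in <Location>")
    if not overwritten:
        findings.append(f"{header} is never overwritten with RequestHeader set")
    return findings

# Constructed sample: the directives from the configuration above that matter here.
GOOD = """\
<VirtualHost _default_:6443>
<Location />
  AuthType Kerberos
  Require valid-user
</Location>
RequestHeader set REMOTE_USER %{REMOTE_USER}s
</VirtualHost>
"""
# Constructed weak variant: no Require line, header set only when absent.
WEAK = GOOD.replace("  Require valid-user\n", "").replace(
    "RequestHeader set ", "RequestHeader setifempty ")

if __name__ == "__main__":
    for label, conf in (("good", GOOD), ("weak", WEAK)):
        print(label, lint_sso_proxy(conf))
```
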