Deploy:SSO example configurations

From Splunk Wiki

SSO: Apache + Kerberos


  • Works with Firefox 3.5 and IE
  • Found no issues
  • Works perfectly for customers who want integrated authentication between Windows AD and *NIX clients.
  • This provides a true SSO experience: users only need to log in once to the Windows domain on the company's domain-member computers and won't encounter any credential prompt when accessing Splunkweb.
  • The browsers have to be configured to pass Windows credentials to the proxy server.
  • The browsers have to be configured to trust the Windows domain.
  • The proxy server DOES NOT need to be hosted on a machine that is a member of the Windows domain. It just has to be "kerberized". See the details in the "Apache+Kerberos (*NIX): What I did to make this work" section below.


Set up the Apache proxy server as a Kerberos client. This assumes you have installed the following:

  1. Apache 2+
  2. mod_auth_kerb-5.3
  3. mod_proxy

Listen 6443 https
<VirtualHost _default_:6443>
#.... some SSL directives here

<Location />
  Order allow,deny
  Allow from all
  AuthType Kerberos
  AuthName "Kerberos Login at FOO.COM"
  KrbAuthRealms FOO.COM
  KrbMethodK4Passwd Off
  Krb5Keytab "/opt/local/apache2/conf/foo.keytab"
  KrbSaveCredentials On
  Require valid-user
</Location>

# Proxy Configurations
ProxyVia On
ProxyPassInterpolateEnv On

<Proxy *>
Order allow,deny
Allow from all
</Proxy>

ProxyPass /
ProxyPassReverse /
ProxyPassReverseCookiePath / /
# Forward the authenticated user name; "set" replaces any REMOTE_USER header sent by the client
RequestHeader set REMOTE_USER %{REMOTE_USER}s
</VirtualHost>
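
A pre-deployment check for a vhost of this shape, as an added example (not from the original wiki page or from Splunk): it flags unclosed sections, a missing Kerberos `AuthType` or `Require`, a vhost-level `ProxyPass` with no backend URL, and a `REMOTE_USER` header not written with `set`. The function name, finding codes, sample configs and the `backend.example` host are constructed for illustration.

```python
import re

# Constructed input shaped like the vhost above, with three deliberate defects:
# unclosed <VirtualHost>, ProxyPass without a backend URL, header "add" not "set".
BAD = """\
<VirtualHost _default_:6443>
<Location />
  AuthType Kerberos
  Require valid-user
</Location>
ProxyPass /
RequestHeader add REMOTE_USER %{REMOTE_USER}s
"""
# The same vhost corrected; backend.example is a placeholder host.
GOOD = (BAD.replace("ProxyPass /", "ProxyPass / http://backend.example:8000/")
           .replace("RequestHeader add", "RequestHeader set") + "</VirtualHost>\n")

def lint_sso_vhost(text):
    """Return sorted finding codes for a Kerberos SSO reverse-proxy vhost."""
    findings, stack, seen = set(), [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        close = re.fullmatch(r"</(\w+)>", line)
        if close:  # a closing tag must match the innermost open section
            if not stack or stack.pop().lower() != close.group(1).lower():
                findings.add("unbalanced-section")
            continue
        opened = re.fullmatch(r"<(\w+)\b[^>]*>", line)
        if opened:
            stack.append(opened.group(1))
            continue
        name, *args = line.split()
        seen.setdefault(name.lower(), []).append(args)
    if stack:
        findings.add("unclosed-section")
    if not any(a and a[0].lower() == "kerberos" for a in seen.get("authtype", [])):
        findings.add("no-kerberos-auth")
    if "require" not in seen:  # without Require, authentication is not enforced
        findings.add("no-require")
    if any(len(a) < 2 for a in seen.get("proxypass", [])):  # vhost form: path + URL
        findings.add("proxypass-no-backend")
    hdr = [a for a in seen.get("requestheader", []) if a[1:2] == ["REMOTE_USER"]]
    if not hdr:
        findings.add("remote-user-header-missing")
    elif any(a[0].lower() != "set" for a in hdr):  # only "set" overwrites a client-sent value
        findings.add("remote-user-not-set")
    return sorted(findings)
```

Run `lint_sso_vhost()` on the vhost text before reloading Apache; an empty list means none of these checks fired.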
