Deploy:SSO example configurations
From Splunk Wiki
SSO: Apache + Kerberos
Compatibility
- Works with Firefox 3.5 and IE
- Found no issues
- Works perfectly for customers who want integrated authentication between Windows AD and *NIX clients.
- This provides a true SSO experience: users need to log in only once to the Windows domain on the company's domain-member computers and won't encounter any credential prompt when accessing Splunkweb.
- The browsers have to be configured to pass Windows credentials to the proxy server.
- The browsers have to be configured to trust the Windows domain.
- The proxy server DOES NOT need to be hosted on a machine that is a member of the Windows domain. It just has to be "kerberized". See the details in the "Apache+Kerberos (*NIX): What I did to make this work" section below.
Setup
Set up the Apache proxy server as a Kerberos client. This assumes you've installed the following:
- Apache 2+
- mod_auth_kerb-5.3
- mod_proxy
```apache
Listen 6443 https
<VirtualHost _default_:6443>
    #....
    #.... some SSL directives here
    #....
    <Location />
        Order allow,deny
        Allow from all
        # Authenticate every request against the FOO.COM realm
        AuthType Kerberos
        AuthName "Kerberos Login at FOO.COM"
        KrbAuthRealms FOO.COM
        KrbMethodK4Passwd Off
        Krb5Keytab "/opt/local/apache2/conf/foo.keytab"
        KrbSaveCredentials On
        Require valid-user
    </Location>

    # Proxy Configurations
    ProxyVia On
    ProxyPassInterpolateEnv On
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    ProxyPass / http://foo.com:8090/
    ProxyPassReverse / http://foo.com:8090/
    ProxyPassReverseCookieDomain foo.com bar.foo.com
    ProxyPassReverseCookiePath / /
    # Pass the authenticated user to the backend; "set" replaces any
    # REMOTE_USER header supplied by the client
    RequestHeader set REMOTE_USER %{REMOTE_USER}s
</VirtualHost>
```
- Check http://www.grolmsnet.de/kerbtut/ for an explanation of the steps above.
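The virtual host above authenticates the user and then asserts the result to the backend in a REMOTE_USER header, so the directives that protect that assertion can be checked mechanically. The following Python audit is an added example, not part of the original wiki page or of Apache or Splunk; the function names, finding labels and the embedded sample configuration are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample: the trust-relevant directives from the virtual host above.
SAMPLE = """
<Location />
    AuthType Kerberos
    KrbMethodK4Passwd Off
    Require valid-user
</Location>
ProxyPass / http://foo.com:8090/
RequestHeader set REMOTE_USER %{REMOTE_USER}s
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def directives(conf):
    """Yield (lowercased name, args) per directive line, skipping comments and section tags."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield name.lower(), args

def audit(conf, header="REMOTE_USER"):
    """Return findings for a proxy that asserts the user to its backend in a header."""
    d = list(directives(conf))
    def has(name, *args):
        return any(k == name and [a.lower() for a in v[:len(args)]] == list(args) for k, v in d)
    findings = []
    if not (has("authtype", "kerberos") and has("require", "valid-user")):
        findings.append("no-auth: proxy does not require a Kerberos-authenticated user")
    # Only 'set' replaces a header the client sent; add/append/merge keep the client's value.
    actions = [v[0].lower() for k, v in d
               if k == "requestheader" and len(v) > 1 and v[1].upper() == header]
    if "set" not in actions:
        findings.append("spoofable-header: %s is not overwritten with 'RequestHeader set'" % header)
    # mod_auth_kerb falls back to password (Basic) auth unless KrbMethodK5Passwd is Off.
    if not has("krbmethodk5passwd", "off"):
        findings.append("password-fallback: KrbMethodK5Passwd is not Off")
    for k, v in d:
        if k == "proxypass" and len(v) > 1:
            u = urlparse(v[1])
            if u.scheme == "http" and u.hostname not in LOOPBACK:
                findings.append("backend-exposed: %s carries %s in cleartext; "
                                "restrict that port to the proxy's address" % (v[1], header))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample, it flags the absent `KrbMethodK5Passwd Off` and the plain-HTTP hop to foo.com:8090. That port must accept connections only from the proxy, because the backend trusts whatever REMOTE_USER value arrives there.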