Splunk SSO with an IIS Reverse Proxy

I recently engaged with a customer who wanted to Splunk their CA Service Desk Manager system and I created some very powerful dashboards – of course 🙂

They also requested Single Sign On for Splunk so that their IT Managers and Directors didn’t have to log in to Splunk manually. They initially looked at integrating Splunk with ADFS but their main AD resource was away on leave, so I suggested that they could use IIS as a Reverse Proxy (as they are primarily a Windows shop).

It sounded easy… however there wasn’t a lot of information on the interwebs for IIS 8.x but I did find a helpful post on Splunk answers.

The key to getting Splunk SSO working with an IIS Reverse Proxy is to install all of the required IIS modules:
Microsoft ARR (Free)
Microsoft URL Rewrite (Free)
Helicon ISAPI_Rewrite3 (Freeware – Lite version)

Setting up ARR as a reverse proxy is fairly straightforward.

Install the Windows Authentication module in IIS.

Enable Windows Authentication for the relevant web site in IIS, then disable Anonymous Authentication. (If you miss this step, your users won’t have their AD userid passed through for SSO.)

Update the following configuration files on your Splunk Search Head(s):

$SPLUNK_HOME\etc\system\local\server.conf :-

[general]
trustedIP=127.0.0.1

$SPLUNK_HOME\etc\system\local\web.conf :-

[settings]
SSOMode = permissive
trustedIP = 127.0.0.1,<splunk_server>
remoteUser = REMOTE-USER
tools.proxy.on = false
enableWebDebug = true

Note: Replace <splunk_server> with the IP Address of your Splunk Search Head(s).

Restart Splunk.

Update the following configuration file on your IIS Server:

C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf :-

RewriteEngine on
RewriteLog "C:\Helicon\ISAPI_Rewrite3\rewrite.log"
RewriteLogLevel 9
RewriteCond %{REMOTE_USER} <AD_DOMAIN_NAME>\\(.*) [NC]
RewriteHeader REMOTE-USER: .* %1 [NC,L]

Note: Replace <AD_DOMAIN_NAME> with your relevant AD Domain Name.

You can now access Splunk via the proxy server without logging in:
https://<proxy_server>/

You can also log in directly to the Search Head(s) via the Splunk Web UI:
https://<splunk_server>:8000/
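
An added example, not part of the original post: a small Python check for the web.conf stanza above, since trustedIP decides which hosts Splunk Web accepts the REMOTE-USER header from and enableWebDebug controls whether the /debug endpoints are visible. The sample file, the 10.0.0.5 address and the proxy_ips parameter are constructed for illustration.

```python
import ipaddress

# Constructed sample: the post's [settings] stanza with a "*" entry added to
# trustedIP, as in the comment on this post. 10.0.0.5 is a made-up address.
SAMPLE_WEB_CONF = """\
[settings]
SSOMode = permissive
trustedIP = 127.0.0.1,10.0.0.5,*
remoteUser = REMOTE-USER
tools.proxy.on = false
enableWebDebug = true
"""

def parse_settings(text):
    """Return the key/value pairs of the [settings] stanza of a web.conf."""
    settings, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza == "settings" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_sso(text, proxy_ips):
    """List findings for the SSO keys; proxy_ips = addresses expected to proxy."""
    s = parse_settings(text)
    allowed = {ipaddress.ip_address(ip) for ip in proxy_ips}
    findings = []
    for entry in (e.strip() for e in s.get("trustedIP", "").split(",")):
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            # Wildcards, ranges and host names cannot be tied to one proxy host.
            findings.append(f"trustedIP entry '{entry}' is not a single address")
            continue
        if addr not in allowed:
            findings.append(f"trustedIP entry '{entry}' is not a known proxy address")
    if s.get("enableWebDebug", "false").lower() in ("true", "1"):
        findings.append("enableWebDebug is on: turn it off after troubleshooting")
    if "trustedIP" in s and not s.get("remoteUser"):
        findings.append("remoteUser is not set: SSO header name is left implicit")
    return findings
```

Calling audit_sso(SAMPLE_WEB_CONF, ["127.0.0.1", "10.0.0.5"]) reports the "*" entry and the debug flag; a stanza with neither returns an empty list.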

Use the force…

Luke @skywalka

Comments

  • Alex

    Hi Luke,

    Thanks so much for the write-up! Everything worked once I added a star to my trustedIP setting in web.conf:

    trustedIP = 127.0.0.1,(Splunk IP),*

    My debugging URL [ http://(iis_proxy_server_name)/en-US/debug/sso ] basically told me that my IPs were unauthorized until I added the star. Not sure if I goofed something up with my proxy or my Splunk install.
