Splunk SSO with an IIS Reverse Proxy

I recently engaged with a customer who wanted to Splunk their CA Service Desk Manager system and I created some very powerful dashboards - of course :)

They also requested Single Sign On for Splunk so that their IT Managers and Directors didn't have to log in to Splunk manually. They initially looked at integrating Splunk with ADFS but their main AD resource was away on leave, so I suggested that they could use IIS as a Reverse Proxy (as they are primarily a Windows shop).

It sounded easy... however there wasn't a lot of information on the interwebs for IIS 8.x but I did find a helpful post on Splunk answers.

The key to getting Splunk SSO working with an IIS Reverse Proxy is to install all of the required IIS modules:

Microsoft ARR (Free)
Microsoft URL Rewrite (Free)
Helicon ISAPI_Rewrite3 (Freeware - Lite version)

Setting up ARR as a reverse proxy is fairly straightforward.

Install the Windows Authentication module in IIS.

Enable Windows Authentication for the relevant web site in IIS, then disable Anonymous Authentication. (If you miss this step, your users won't have their AD userid passed through for SSO.)

Update the following configuration files on your Splunk Search Head(s):

$SPLUNK_HOME\etc\system\local\server.conf :-

[general]
trustedIP=

$SPLUNK_HOME\etc\system\local\web.conf :-

[settings]
SSOMode = permissive
trustedIP =,<splunk_server>
remoteUser = REMOTE-USER
tools.proxy.on = false
enableWebDebug = true

Note: Replace <splunk_server> with the IP Address of your Splunk Search Head(s).

Restart Splunk.


Update the following configuration file on your IIS Server:

C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf :-

RewriteEngine on
RewriteLog "C:\Helicon\ISAPI_Rewrite3\rewrite.log"
RewriteLogLevel 9
RewriteCond %{REMOTE_USER} <AD_DOMAIN_NAME>\\(.*) [NC]
RewriteHeader REMOTE-USER: .* %1 [NC,L]

Note: Replace <AD_DOMAIN_NAME> with your relevant AD Domain Name.

You can now access Splunk via the proxy server without logging in: https://<proxy_server>/

You can also log in directly to the Search Head(s) via the Splunk Web UI: https://<splunk_server>:8000/
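As an added example (not part of the original post, and not Splunk's own tooling), this Python script audits the two Splunk files edited above for the SSO settings the procedure depends on: a populated trustedIP in both files, a remoteUser header that matches what the proxy sets, and the permissive and debug options that are still switched on. The sample file contents, the 10.0.0.x addresses and the function names are constructed for illustration.

```python
import configparser

# Constructed sample files; the 10.0.0.x addresses are made up, not from the post.
WEB_CONF = """[settings]
SSOMode = permissive
trustedIP = 10.0.0.5,10.0.0.10
remoteUser = REMOTE-USER
tools.proxy.on = false
enableWebDebug = true
"""
SERVER_CONF = """[general]
trustedIP = 10.0.0.5
"""

def _stanza(text, name):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (configparser lowercases by default)
    cp.read_string(text)
    return dict(cp[name]) if cp.has_section(name) else {}

def _ip_findings(where, value):
    entries = [e.strip() for e in value.split(",")]
    if not any(entries):
        return [("FAIL", f"{where}: trustedIP is empty, so no proxy is trusted for SSO")]
    if "" in entries:
        return [("WARN", f"{where}: trustedIP has an empty entry (stray comma)")]
    return []

def audit_sso(web_text, server_text, proxy_header="REMOTE-USER"):
    """Return (level, message) findings for the SSO settings the post changes."""
    web, srv = _stanza(web_text, "settings"), _stanza(server_text, "general")
    out = _ip_findings("web.conf", web.get("trustedIP", ""))
    out += _ip_findings("server.conf", srv.get("trustedIP", ""))
    # Splunk Web reads the user name from this header; REMOTE_USER is the default.
    header = web.get("remoteUser", "REMOTE_USER")
    if header.lower() != proxy_header.lower():
        out.append(("FAIL", f"remoteUser={header} but the proxy sets {proxy_header}"))
    if web.get("SSOMode", "strict").lower() == "permissive":
        out.append(("INFO", "SSOMode=permissive: the Splunk login page stays usable from untrusted IPs"))
    if web.get("enableWebDebug", "false").lower() in ("true", "1"):
        out.append(("WARN", "enableWebDebug=true: turn off once SSO troubleshooting is done"))
    return out

if __name__ == "__main__":
    for level, msg in audit_sso(WEB_CONF, SERVER_CONF):
        print(f"{level:5} {msg}")
```

Pass the contents of your own web.conf and server.conf to audit_sso to run the same checks against a real Search Head.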

Use the force...

Luke @skywalka

Splunk | Luke Harris