I highly recommend using a systems management tool to automate deployment (we prefer Chef). Here, however, I'll provide manual installation instructions for those less fortunate sysadmins.
These instructions were tested on Ubuntu 10.04 LTS.
Start by installing node.js and node package manager (npm):
install node.js and npm
sudo apt-get install python-software-properties
sudo add-apt-repository ppa:chris-lea/node.js
sudo apt-get update
sudo apt-get install nodejs npm
install splunk-auth-proxy
sudo apt-get install git-core
git clone https://github.com/Shopify/splunk-auth-proxy.git
cd splunk-auth-proxy
npm install
configure splunk-auth-proxy
splunk-auth-proxy requires you to specify the location of the SSL private key and certificate you want to use as well as your Google Apps domain name and secret (creating your SSL private key and certificate is outside the scope of this howto).
edit config.json
{
"web": {
"port": "4000"
},
"ssl": {
"key": "./certs/privatekey.pem",
"cert": "./certs/certificate.pem"
},
"splunk": {
"hostname": "localhost",
"port": "8000"
},
"google": {
"domain": "example.com",
"secret": "mygoogleappssupersecret"
}
}
configure splunk
In $SPLUNK_HOME/etc/system/local/, add the following to server.conf and web.conf:
server.conf
[general]
trustedIP = 127.0.0.1
web.conf
[settings]
enableSplunkWebSSL = 0
trustedIP = 127.0.0.1
SSOMode = strict
remoteUser = Remote-User
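Splunk accepts the Remote-User header from whatever address trustedIP names, so it is worth confirming that the values above are the ones actually on disk. The script below is an added example, not part of the original howto or of splunk-auth-proxy; its function names and sample files are constructed for illustration, and it reads only the two files in the directory it is given.

```sh
#!/bin/sh
# Added example (not part of splunk-auth-proxy): check the SSO settings above.

# conf_get FILE STANZA KEY -> print KEY's value inside [STANZA] (last one wins).
conf_get() {
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); in_stanza = ($0 == stanza); next }
        in_stanza && /^[ \t]*[^#=]+=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# expect FILE STANZA KEY WANT -> report the setting; non-zero on mismatch.
expect() {
    got=$(conf_get "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        echo "ok    $1 [$2] $3 = $got"
    else
        echo "FAIL  $1 [$2] $3 = '${got:-<unset>}' (howto value: $4)"
        return 1
    fi
}

# check_sso DIR -> 0 only if DIR holds every setting this howto lists.
check_sso() {
    rc=0
    expect "$1/server.conf" general  trustedIP          127.0.0.1   || rc=1
    expect "$1/web.conf"    settings trustedIP          127.0.0.1   || rc=1
    expect "$1/web.conf"    settings SSOMode            strict      || rc=1
    expect "$1/web.conf"    settings remoteUser         Remote-User || rc=1
    expect "$1/web.conf"    settings enableSplunkWebSSL 0           || rc=1
    return $rc
}

# write_sample DIR IP -> constructed sample files; IP is web.conf's trustedIP.
write_sample() {
    printf '[general]\ntrustedIP = 127.0.0.1\n' > "$1/server.conf"
    printf '[settings]\nenableSplunkWebSSL = 0\ntrustedIP = %s\n' "$2" > "$1/web.conf"
    printf 'SSOMode = strict\nremoteUser = Remote-User\n' >> "$1/web.conf"
}

# Demo on constructed input: web.conf trusts an address other than loopback.
demo=$(mktemp -d)
write_sample "$demo" 10.0.0.5
check_sso "$demo" || echo "SSO settings differ from the howto"
rm -rf "$demo"
```

Against a real install, call `check_sso "$SPLUNK_HOME/etc/system/local"`; `$SPLUNK_HOME/bin/splunk btool web list settings` shows the merged values Splunk uses across all of its configuration layers.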
As documented in the splunk SSO docs, you will need to make sure you have already set up splunk users that match your Google Apps users. The quick and dirty solution is to download your Google Apps user list as a .csv and then use a script like useradd-csv2splunk.sh, included with splunk-auth-proxy, to bulk add the users. You will need to update the script with proper splunk admin credentials and have a properly formatted .csv. The format for the .csv file is:
email,firstname,lastname,splunkRole
dale.neufeld@example.com,Dale,Neufeld,admin
chmod +x useradd-csv2splunk.sh
sudo ./useradd-csv2splunk.sh users.csv
processing dale.neufeld@example.com...
User added.
...successfully added dale.neufeld
Test launch splunk-auth-proxy
./node_modules/coffee-script/bin/coffee server.coffee config.json
Now let's see if that worked. Browse to:
https://localhost:4000
Hopefully you're taken to the Google login page, authenticated and passed right into splunk, fully authenticated and ready to search!
Daemonizing splunk-auth-proxy
We like runit for service start-up and supervision.
sudo apt-get install runit
cd /etc/sv/
sudo mkdir splunk-auth-proxy
cd splunk-auth-proxy
sudo touch run
sudo chmod +x run
sudo vim run
contents of run file
#!/bin/sh
exec 2>&1
cd /path/to/splunk-auth-proxy
export NODE_ENV=production
exec ./node_modules/.bin/coffee server.coffee ./config.json
configure runit logging
sudo mkdir -p log/main
cd log
sudo touch run
sudo chmod +x run
sudo vim run
contents of /etc/sv/splunk-auth-proxy/log/run
#!/bin/sh
exec svlogd -tt ./main
start splunk-auth-proxy service
sudo ln -s /etc/sv/splunk-auth-proxy /etc/service/
sudo sv restart splunk-auth-proxy
And there you have it! You should now have a fully functional SSO proxy sitting in front of splunk allowing your users to forget one more password! As a bonus, you also now have simple two-factor authentication capabilities ready to go if you use Google Apps two-step verification.