Splunk as an SP w/Shibb IdP

Cantor, Scott cantor.2 at osu.edu
Thu Apr 28 11:25:29 EDT 2016

> I currently have a Splunk installation using their so-called single sign-on, i.e.,
> behind an Apache+Shib SP reverse proxy that forwards a REMOTE_USER
> header. A long-standing annoyance is that if a Splunk browser tab is left open
> but the session is invalidated, i.e., laptop violating the consistent source IP
> address policy (see other recent threads), the Splunk web client's continual
> AJAX polling can create tens of redirects per second until the user either logs
> on to shibb or kills the tab. (Not really an operational problem, but annoying
> when I'm looking at the IdP logs.) Has anyone else experienced and solved
> this problem?

I haven't noticed, but it isn't as easy to notice in V2, at least not how I used it; I'll have to review my logs.

In any case, perhaps you could configure whatever URL(s) are involved in the AJAX part to honor the session but not require one. Then it will passively expose the session if it exists, but just pass through if not. Don't know what that would do to the app or if it would create a security issue, but that's the only possible fix. AJAX just isn't a workable model when the browser doesn't understand the authentication mechanism in use.

-- Scott
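
A sketch of the "honor the session but not require one" configuration suggested above, added here as an illustration and not part of the original message. The polling path is a placeholder (the thread does not name the Splunk URLs involved), and the existing proxy and header-forwarding directives are assumed to stay as they are.

```apache
# Constructed example for the Apache + Shibboleth SP reverse proxy
# described in the thread. Paths are placeholders, not Splunk's real URLs.

# Strip any client-supplied copy of the SSO header before anything else
# runs, so a request that passes through without a session cannot carry
# an identity of its own. The proxy's existing forwarding rule then sets
# the header only from the SP session.
RequestHeader unset REMOTE_USER early

# Interactive pages: a session is required, so an expired session
# triggers one redirect to the IdP (the current behaviour).
<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>

# AJAX polling endpoints (placeholder prefix): the SP still attaches
# session data when a session exists, but does not start a login when
# it does not. The request passes through without REMOTE_USER and
# the backend decides how to answer it.
<Location /AJAX-PATH-PLACEHOLDER/>
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    Require shibboleth
</Location>
```

Before relying on this, check what the backend returns for a polling request that arrives with no REMOTE_USER header, since that response replaces the redirect the browser used to receive.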

