Single Sign On (SSO) lets you use some other web server to handle authentication for Splunk. For this to work, several assumptions are made, as follows:
Your SSO system can act as an HTTP forwarding proxy, sending HTTP requests through to Splunk.
Your SSO system can place the authenticated user's ID into an HTTP header.
The IP of your server(s) forwarding requests is static.
When given a particular username, Splunk will be able to determine what roles this user is a part of. This is usually accomplished using LDAP, but could also be accomplished by defining users directly through the Splunk UI or via a custom-scripted authentication plugin.
Assuming that all of these are true, the usual approach is to follow these steps: