topic Re: How Do I Remove Old SAML Users? in Security

How Do I Remove Old SAML Users?

brreeves_splunk — Mon, 01 May 2017 14:33:40 GMT

I originally configured my SAML authentication with a NameID that was a GUID. We noticed that they were randomly generated rather than assigned to the same user every time. We've since gone back to our IdP and changed our NameID to email address so that it stays the same each time.

How do I get rid of the extra users under Settings > Access Controls > Users?

Re: How Do I Remove Old SAML Users?

djung — Mon, 01 May 2017 15:31:54 GMT

To get rid of the users in SAML please follow the directions below.

First
remove the users from ~SPLUNK_HOME/etc/users

Second
Find the correct authentication.conf (most of the time it is located under ~SPLUNK_HOME/etc/system/local)

Third,
Locate the [userToRoleMap_SAML] stanza and delete the users you want to delete in SAML.

Fourth,
Preform a debug/refresh then reload the SAML configurations in Settings > Access Controls > Authentication Method > Reload SAML Settings at the bottom of your screen.

Re: How Do I Remove Old SAML Users?

sarah115 — Fri, 27 Jul 2018 00:19:49 GMT

Does this process also apply to Splunk Cloud? That is, must I file a support ticket to get SAML users removed?

Re: How Do I Remove Old SAML Users?

brreeves_splunk — Fri, 27 Jul 2018 01:25:32 GMT

Yes @sarah115. You'd have to submit a ticket to Splunk Cloud Support to have this done.

Reassign Knowledge Objects http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Resolveorphanedsearches#Use_the_Reassign_Knowledge_Objects_page_in_Settings
Compile a list of users you want to have removed, and submit them in a support ticket with a link to think answers post for clarity on what you want done. 🙂
Enjoy your weekend.

Re: How Do I Remove Old SAML Users?

sarah115 — Fri, 27 Jul 2018 01:55:28 GMT

Thank you very much!

Re: How Do I Remove Old SAML Users?

BenBurrows — Fri, 18 Jan 2019 12:45:08 GMT

You can do what you need via rest with no need to reload the config.

curl -k -u admin:{password} --request DELETE https://{hostname}:8089/services/admin/SAML-user-role-map/{user_id}

You will need to remove the user directory on disk manually.

Re: How Do I Remove Old SAML Users?

ashutosh2020 — Mon, 18 Mar 2019 13:57:34 GMT

This was a lot helpful, now i understood how this mechanism works.

Re: How Do I Remove Old SAML Users?

ssharma09 — Tue, 30 Jul 2019 04:28:15 GMT

Hi BenBurrows,

curl command works fine to delete any user from stand alone SH but does not work in SH Cluster environment. It gives error when I tried at one of the SH cluster

curl: (7) Failed to connect to URI port 8089: connection time out

Re: How Do I Remove Old SAML Users?

BenBurrows — Wed, 31 Jul 2019 12:11:48 GMT

Hi ssharma09,
I was fairly confident that would work fine but I checked it just now to be sure and it does work fine in a SH Cluster. I double checked and it happens that I ran it against the Cluster Captain but I don't think that is a requirement.

The error you posted leads me to believe there is some other issue for you. The error looks like a connection/network error rather than a splunk issue. Are you running the management service on that port on your SHC and are any firewalls blocking the connection? Does a connection get established if you try using telnet or netcat ?

Ben

Re: How Do I Remove Old SAML Users?

markbarber21 — Wed, 13 Nov 2019 18:13:12 GMT

Worked great for me! This is also Splunk Cloud friendly, as we do not have access to the configuration directly.

Re: How Do I Remove Old SAML Users?

dbhojani — Wed, 03 May 2023 20:42:15 GMT

Worked for me! This is great solution , specially for cloud customers.

Re: How Do I Remove Old SAML Users?

thambisetty — Mon, 28 Oct 2024 16:37:53 GMT

Issue still persists in Splunk enterprise. I don't know why Splunk din't fix the issue yet. However, the answer is still valid.