While we cannot access this tool with FAAS SAML authentication for accounts with not admin privileges, but can successfully access it via local admin accounts.
So is it something that somewhere credentials have been broken for this app or is there a role that can be mapped to the users to access it.
HI - thanks for trying out our app. Here's the details on how to solve this from the readme file in our TA:
"Much of this app functionality requires the user to have the "list_storage_passwords" capability in Splunk. If the user(s) who will be using this app do not have that capability, there is an added "domaintools_user" role included with the app. Add this role to the user(s) and they will be able to use this app. This capability will allow users to decrypt passwords stored by apps, though, so make sure you are okay with that."
The reason for that is because our app uses Splunk's built in credential store. There are some downsides to using that, and this is one of them, so we are building a new version of the app that will use a more direct method that is still secure. You should see that in Splunk Base within the next week, but if you want it sooner, message me directly and we'll get it to you.
Were you able to get the bulk Whois and Reputation Score enrichment working on your proxy logs?