After turning on Okta SAML authentication, saved searches and reports are no longer available


Since i moved authentication from LDAP to SAML, $SPLUNK_HOME/etc/users has a bunch of new username@our.domain directories (the old username directories are still there). What's the best way (migrating the contents of username to username@our.domain? or changing a setting so username settings go back to how they were? something else?) to fix this?

0 Karma

Splunk Employee
Splunk Employee

Your identity provider should be able to map the LDAP usernames to SAML usernames. When you do this, you won't need to reassign knowledge objects including saved searches. In our case we mapped samAccountName to realName (this is a config on the identity provider side) in order to keep user directories the same.

0 Karma


Hi @ronerf
I've had the same issue as you when I changed the authentication from LDAP to SAML.
My solution was to reassign the Knowledge Objects to the new naming schema because it was only for a couple of users.
I don't know how Okta works but it's generally possible for IDPs to change the way, a username is send to Splunk.

Maybe the Okta Support can help you changing the transfered username or you reassign the Knowledge Objects manually.

Kind regards,