Security

How Do I Remove Old SAML Users?

Splunk Employee
Splunk Employee

I originally configured my SAML authentication with a NameID that was a GUID. We noticed that they were randomly generated rather than assigned to the same user every time. We've since gone back to our IdP and changed our NameID to email address so that it stays the same each time.

How do I get rid of the extra users under Settings > Access Controls > Users?

0 Karma
1 Solution

Splunk Employee
Splunk Employee

To get rid of the users in SAML please follow the directions below.

First
remove the users from ~SPLUNK_HOME/etc/users

Second
Find the correct authentication.conf (most of the time it is located under ~SPLUNK_HOME/etc/system/local)

Third,
Locate the [userToRoleMap_SAML] stanza and delete the users you want to delete in SAML.

Fourth,
Preform a debug/refresh then reload the SAML configurations in Settings > Access Controls > Authentication Method > Reload SAML Settings at the bottom of your screen.

View solution in original post

Explorer

You can do what you need via rest with no need to reload the config.

curl -k -u admin:{password} --request DELETE https://{hostname}:8089/services/admin/SAML-user-role-map/{user_id}

You will need to remove the user directory on disk manually.

Explorer

Hi BenBurrows,

curl command works fine to delete any user from stand alone SH but does not work in SH Cluster environment. It gives error when I tried at one of the SH cluster

curl: (7) Failed to connect to URI port 8089: connection time out

0 Karma

Path Finder

Worked great for me! This is also Splunk Cloud friendly, as we do not have access to the configuration directly.

0 Karma

Explorer

Hi ssharma09,
I was fairly confident that would work fine but I checked it just now to be sure and it does work fine in a SH Cluster. I double checked and it happens that I ran it against the Cluster Captain but I don't think that is a requirement.

The error you posted leads me to believe there is some other issue for you. The error looks like a connection/network error rather than a splunk issue. Are you running the management service on that port on your SHC and are any firewalls blocking the connection? Does a connection get established if you try using telnet or netcat ?

Ben

0 Karma

Splunk Employee
Splunk Employee

To get rid of the users in SAML please follow the directions below.

First
remove the users from ~SPLUNK_HOME/etc/users

Second
Find the correct authentication.conf (most of the time it is located under ~SPLUNK_HOME/etc/system/local)

Third,
Locate the [userToRoleMap_SAML] stanza and delete the users you want to delete in SAML.

Fourth,
Preform a debug/refresh then reload the SAML configurations in Settings > Access Controls > Authentication Method > Reload SAML Settings at the bottom of your screen.

View solution in original post

Engager

Does this process also apply to Splunk Cloud? That is, must I file a support ticket to get SAML users removed?

0 Karma

Explorer

This was a lot helpful, now i understood how this mechanism works.

0 Karma

Splunk Employee
Splunk Employee

Yes @sarah115. You'd have to submit a ticket to Splunk Cloud Support to have this done.

  1. Reassign Knowledge Objects http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Resolveorphanedsearches#Use_the_Reassign...
  2. Compile a list of users you want to have removed, and submit them in a support ticket with a link to think answers post for clarity on what you want done. 🙂
  3. Enjoy your weekend.
0 Karma

Engager

Thank you very much!

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!