I originally configured my SAML authentication with a NameID that was a GUID. We noticed that they were randomly generated rather than assigned to the same user every time. We've since gone back to our IdP and changed our NameID to email address so that it stays the same each time.
How do I get rid of the extra users under Settings > Access Controls > Users?
To get rid of the users in SAML please follow the directions below.
First
remove the users from ~SPLUNK_HOME/etc/users
Second
Find the correct authentication.conf (most of the time it is located under ~SPLUNK_HOME/etc/system/local)
Third,
Locate the [userToRoleMap_SAML] stanza and delete the users you want to delete in SAML.
Fourth,
Preform a debug/refresh then reload the SAML configurations in Settings > Access Controls > Authentication Method > Reload SAML Settings at the bottom of your screen.
You can do what you need via rest with no need to reload the config.
curl -k -u admin:{password} --request DELETE https://{hostname}:8089/services/admin/SAML-user-role-map/{user_id}
You will need to remove the user directory on disk manually.
Worked for me! This is great solution , specially for cloud customers.
Hi BenBurrows,
curl command works fine to delete any user from stand alone SH but does not work in SH Cluster environment. It gives error when I tried at one of the SH cluster
curl: (7) Failed to connect to URI port 8089: connection time out
Worked great for me! This is also Splunk Cloud friendly, as we do not have access to the configuration directly.
Hi ssharma09,
I was fairly confident that would work fine but I checked it just now to be sure and it does work fine in a SH Cluster. I double checked and it happens that I ran it against the Cluster Captain but I don't think that is a requirement.
The error you posted leads me to believe there is some other issue for you. The error looks like a connection/network error rather than a splunk issue. Are you running the management service on that port on your SHC and are any firewalls blocking the connection? Does a connection get established if you try using telnet or netcat ?
Ben
To get rid of the users in SAML please follow the directions below.
First
remove the users from ~SPLUNK_HOME/etc/users
Second
Find the correct authentication.conf (most of the time it is located under ~SPLUNK_HOME/etc/system/local)
Third,
Locate the [userToRoleMap_SAML] stanza and delete the users you want to delete in SAML.
Fourth,
Preform a debug/refresh then reload the SAML configurations in Settings > Access Controls > Authentication Method > Reload SAML Settings at the bottom of your screen.
Issue still persists in Splunk enterprise. I don't know why Splunk din't fix the issue yet. However, the answer is still valid.
Does this process also apply to Splunk Cloud? That is, must I file a support ticket to get SAML users removed?
This was a lot helpful, now i understood how this mechanism works.
Yes @sarah115. You'd have to submit a ticket to Splunk Cloud Support to have this done.
Thank you very much!