Currently we use LDAP to authenticate to our Splunk Cloud environment. We have hundreds of users in our system and we have a few mapped roles. We are wanting to implement SSO because of another system that uses it (Tableau). They would like seamless integration between both systems so Splunk won't ask for credentials when users are logged into Tableau and run a report from that system. I am concerned about user names getting deleted because we would move away from the LDAP integration and go into SAML. The SSO solution we would be using is Okta. Please let me know.
I'm only guessing at this point because I haven't done a migration from LDAP to SAML, only a clean install with SAML...
With SAML, Okta includes a nameid in the response after the user authenticates. This is used to uniquely identify the user. See nameIDFormat in the Splunk docs. If you pass the SAML nameid as the same format you used for the LDAP user name attribute, then I'm guessing Splunk will continue to use the same users after you migrate.
Okta is a supported provider for Splunk Cloud and straightforward to set up. However, your users will have to be authenticated through Okta in order to log in. They won't be able to log in to Tableau and then log in directly to Splunk Cloud.
Regarding users being overwritten and orphaned searches, there is no way around this at this time. Your Splunk admin would need to audit the existing users and migrate their private knowledge objects to the accounts.
There was a good talk at .conf 2016 about SAML 2.0. The slides and talks have not been posted yet but I would encourage you to see what is new in the new Splunk SAML implementation.
I haven't gone to SAML yet but my colleagues have in 6.4. As I understand it, there are issues you need to be careful of to make sure that saved searches belonging to users don't get assigned to nobody etc.
From the talk, things have improved in SAML 2.0 as they call it but it's still a bit of work.
Here's the latest docs: http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/ConfigureSAMLSSO
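A pre-migration check for the NameID and user-audit points raised in the answers above, as an added example that is not from any poster or from Splunk or Okta. It assumes, as the first answer guesses, that a NameID string differing from the existing LDAP-era username would be treated as a different user; the function names, the sample assertion and the usernames are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not a capture from Okta or Splunk).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">JSmith@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

def extract_nameid(assertion_xml):
    """Return (Format, value) of the Subject NameID from a test assertion."""
    # For assertions you produced yourself in a test login only: this
    # performs no signature validation and must not gate authentication.
    node = ET.fromstring(assertion_xml).find("./saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return node.get("Format", "unspecified"), node.text.strip()

def classify(nameid, ldap_users):
    """Compare one NameID value against the existing LDAP-era usernames."""
    if nameid in ldap_users:
        return "exact", nameid
    folded = {u.lower(): u for u in ldap_users}
    if nameid.lower() in folded:
        return "case-differs", folded[nameid.lower()]
    # An e-mail style NameID versus a bare account name.
    local = nameid.split("@", 1)[0].lower()
    if local in folded:
        return "domain-suffix-differs", folded[local]
    return "no-match", None

def audit(nameids, ldap_users):
    """Map each planned NameID to (status, closest existing username)."""
    return {n: classify(n, ldap_users) for n in nameids}

def unclaimed(nameids, ldap_users):
    """Existing usernames that no planned NameID matches exactly."""
    return sorted(set(ldap_users) - set(nameids))

if __name__ == "__main__":
    existing = {"jsmith", "adoe", "BLee"}  # constructed usernames
    planned = [extract_nameid(SAMPLE_ASSERTION)[1], "adoe", "blee"]
    for name, result in audit(planned, existing).items():
        print(name, result)
    print("unclaimed:", unclaimed(planned, existing))
```

Any row that is not `exact`, and any username listed as unclaimed, marks an account whose private knowledge objects the admin should review before the cutover.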