I want to migrate from LDAP Authentication to Microsoft Azure AD Single Sign On.
I currently have LDAP authentication set up with my active directory domain using the
sAMAccountName as the login field. This means that I log into Splunk with the username
john. With the release of Splunk 6.4.0 and SSO with Azure AD, I want to move to that.
I have figured out how to use the email address as the username by setting the
nameIdFormat field in
I foresee an issue with this. When I change the authentication to SSO, there will be no users on the system. Users will only be created on first login. Does this mean that all the scheduled searches won't run until that specific user logs in?
Should I create a scheduled search user specifically for this reason and set it up beforehand?
/etc/users/*/*/historyout of the set command?
I think you're right on with your thought process. However I feel that by creating the '/etc/users/emailAddy' folders you're effectively creating users in the "SSO world" so that once SSO is enabled users will exist and their saved searches will be fine. I say go forth and write the manual for all those who will follow!!!
Here's my story for others to follow and hopefully improve upon
I mostly followed the Splunk docs to configure single sign-on.
For doing a SAML group to Splunk role mapping, you need to use the AAD group IDs, which you can get using the PowerShell Get-MsolGroup cmdlet.
I also added the line
nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress to the
[saml] stanza. This means usernames will be the UPN rather than a horrible object ID.
So I wrote a migration script to do the migration, which requires csvcut. I have a lookup file in my Splunk instance already, built daily using an LDAP search, which is where the
userPrincipalName mapping comes from.
The script does the following:
Saved searches require an existing user to run (else they are orphaned). With Azure AD as an identity provider, Splunk needs to create a cache, so to speak, of users. It does this by putting a
username = list;of;roles into
authentication.conf under the stanza
[userToRoleMap_SAML] when a user first logs in. I want all scheduled searches to run, so whenever a public knowledge object is found, I add that user to the new-auths file. Then I imported it into the authentication.conf file manually as a seed.
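An added example (my own code, not the script from the answer above) of how such a seed can be generated: it joins the daily LDAP lookup (sAMAccountName to userPrincipalName) with the current users' roles and the owners of public knowledge objects, and emits the [userToRoleMap_SAML] entries. The CSV contents and owner list are constructed samples, and the column names, the REST query in the comment and the file layout are assumptions.

```python
import csv
import io

# Constructed sample of the daily LDAP lookup (sAMAccountName -> UPN).
LDAP_LOOKUP_CSV = """sAMAccountName,userPrincipalName
john,john@example.com
alice,alice@example.com
svc_search,svc_search@example.com
"""

# Constructed sample of current LDAP users and their Splunk roles, e.g. exported
# from the authentication/users REST endpoint (roles joined with ';').
LDAP_USERS_CSV = """user,roles
john,admin;power
alice,user
svc_search,power;can_delete
bob,user
"""

# Constructed list of owners of shared (non-private) knowledge objects, e.g. from:
# | rest /servicesNS/-/-/saved/searches | search eai:acl.sharing!=user
PUBLIC_OBJECT_OWNERS = ["john", "svc_search", "bob", "john"]


def load_csv(text, key, value):
    """Return {row[key]: row[value]} for a CSV string."""
    return {r[key]: r[value] for r in csv.DictReader(io.StringIO(text))}


def build_saml_seed(lookup_csv, users_csv, owners):
    """Build the [userToRoleMap_SAML] seed for owners of public objects.

    Returns (stanza_lines, unmapped): stanza_lines are 'upn = roles' entries
    ready to paste into authentication.conf; unmapped are owners with no UPN
    or no role record (e.g. local or disabled accounts) that need manual review.
    """
    upn_of = load_csv(lookup_csv, "sAMAccountName", "userPrincipalName")
    roles_of = load_csv(users_csv, "user", "roles")
    entries, unmapped = {}, []
    for owner in sorted(set(owners)):
        if owner not in upn_of or owner not in roles_of:
            unmapped.append(owner)
            continue
        # Roles stay ';'-separated, the format the answer shows for userToRoleMap_SAML.
        entries[upn_of[owner]] = roles_of[owner]
    lines = ["[userToRoleMap_SAML]"] + [f"{u} = {r}" for u, r in sorted(entries.items())]
    return lines, unmapped


if __name__ == "__main__":
    seed, missing = build_saml_seed(LDAP_LOOKUP_CSV, LDAP_USERS_CSV, PUBLIC_OBJECT_OWNERS)
    print("\n".join(seed))
    print("# owners without a mapping (handle manually):", missing)
```

Owners that appear in the unmapped list still own public objects, so their searches would stay orphaned after the switch unless a SAML entry is added for them by hand.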
How did you transfer ownership of existing items (dashboards, reports, alerts etc) from LDAP users to AzureAD users?