Security

How to remove users from Splunk registered by SAML?

Clecimar
Explorer

Hi everyone, I need to remover users that leave the company. I´ve already remove them from company AD, but the remains on the Splunk Cloud.

Someone know how can I delete/remove them from Splunk Cloud ?

Thank you.

Clecimar

Labels (1)
1 Solution

vzabawski
Path Finder

GUI doesn't support deleting users created with SAML. I can edit internal users. I guess it's an expected, yet inconvenient behavior from Splunk's side.

vzabawski_0-1663147345997.png

 

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Go to Settings->Users.  For each user no longer in SAML, select Edit->Delete.  There is no automated process.  Go to https://ideas.splunk.com to suggest one or to vote for an existing idea.

---
If this reply helps you, Karma would be appreciated.

Clecimar
Explorer

Hi everyone.

This didn´t work for me. Even I remove the user from AD, it remains on Splunk and I haven´t the option to remove it as you suggest.

Would be a integration issue ?

Thank you.

Clecimar

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You account may have insufficient permissions to delete users.  I believe you need the edit_user capability.

---
If this reply helps you, Karma would be appreciated.
0 Karma

skseifert
Engager

I am in a role that has "edit_user" selected, and I too can not delete a SAML user.  

0 Karma

dbhojani
Explorer

I was able to find solution for this.

You can delete the user with REST Call if you have Admin level access.

This worked fine for me.

curl -k -u test_user:<PWD> --request DELETE https://stackname.splunkcloud.com:8089/services/admin/SAML-user-role-map/<username>


jmartens
Path Finder

Although removing through REST probably works I find it easier to do it this way:

  1. edit the configuration file in SPLUNK_INSTALL_DIR\etc\system\local\authentication.conf
  2. Naviate to Settings > Authentication methods > reload authentication configuration
0 Karma

vzabawski
Path Finder

GUI doesn't support deleting users created with SAML. I can edit internal users. I guess it's an expected, yet inconvenient behavior from Splunk's side.

vzabawski_0-1663147345997.png

 

Clecimar
Explorer

Great!

This is the kind of answer I was looking for. Thank to understand my question.

Clecimar

Clecimar
Explorer

No, I´m administrator.

I´m going to open a case on support.

Thank you.

Clecimar

0 Karma

dbhojani
Explorer

Did you get any response from splunk support for this issue?

 

I am also Splunk admin & I don't see an option to remove deactivated SAML user from UI. 

It's not feasible to request support request every time a user is deactivated.

0 Karma
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...