Security

How to remove users from Splunk registered by SAML?

Clecimar
Explorer

Hi everyone, I need to remover users that leave the company. I´ve already remove them from company AD, but the remains on the Splunk Cloud.

Someone know how can I delete/remove them from Splunk Cloud ?

Thank you.

Clecimar

Labels (1)
1 Solution

vzabawski
Path Finder

GUI doesn't support deleting users created with SAML. I can edit internal users. I guess it's an expected, yet inconvenient behavior from Splunk's side.

vzabawski_0-1663147345997.png

 

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Go to Settings->Users.  For each user no longer in SAML, select Edit->Delete.  There is no automated process.  Go to https://ideas.splunk.com to suggest one or to vote for an existing idea.

---
If this reply helps you, Karma would be appreciated.

Clecimar
Explorer

Hi everyone.

This didn´t work for me. Even I remove the user from AD, it remains on Splunk and I haven´t the option to remove it as you suggest.

Would be a integration issue ?

Thank you.

Clecimar

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You account may have insufficient permissions to delete users.  I believe you need the edit_user capability.

---
If this reply helps you, Karma would be appreciated.
0 Karma

skseifert
Engager

I am in a role that has "edit_user" selected, and I too can not delete a SAML user.  

0 Karma

dbhojani
Explorer

I was able to find solution for this.

You can delete the user with REST Call if you have Admin level access.

This worked fine for me.

curl -k -u test_user:<PWD> --request DELETE https://stackname.splunkcloud.com:8089/services/admin/SAML-user-role-map/<username>


0 Karma

vzabawski
Path Finder

GUI doesn't support deleting users created with SAML. I can edit internal users. I guess it's an expected, yet inconvenient behavior from Splunk's side.

vzabawski_0-1663147345997.png

 

Clecimar
Explorer

Great!

This is the kind of answer I was looking for. Thank to understand my question.

Clecimar

Clecimar
Explorer

No, I´m administrator.

I´m going to open a case on support.

Thank you.

Clecimar

0 Karma

dbhojani
Explorer

Did you get any response from splunk support for this issue?

 

I am also Splunk admin & I don't see an option to remove deactivated SAML user from UI. 

It's not feasible to request support request every time a user is deactivated.

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...