Security

How to remove users from Splunk registered by SAML?

Clecimar
Explorer

Hi everyone, I need to remove users that leave the company. I've already removed them from the company AD, but they remain on Splunk Cloud.

Does anyone know how I can delete/remove them from Splunk Cloud?

Thank you.

Clecimar


richgalloway
SplunkTrust

Go to Settings->Users.  For each user no longer in SAML, select Edit->Delete.  There is no automated process.  Go to https://ideas.splunk.com to suggest one or to vote for an existing idea.

---
If this reply helps you, Karma would be appreciated.

Clecimar
Explorer

Hi everyone.

This didn't work for me. Even though I removed the user from AD, it remains on Splunk and I don't have the option to remove it as you suggest.

Could it be an integration issue?

Thank you.

Clecimar

0 Karma

richgalloway
SplunkTrust

Your account may have insufficient permissions to delete users. I believe you need the edit_user capability.

0 Karma

skseifert
Engager

I am in a role that has "edit_user" selected, and I too cannot delete a SAML user.

0 Karma

dbhojani
Explorer

I was able to find a solution for this.

You can delete the user with a REST call if you have Admin level access.

This worked fine for me.

curl -k -u test_user:<PWD> --request DELETE https://stackname.splunkcloud.com:8089/services/admin/SAML-user-role-map/<username>
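
As an added example (not part of the post above and not Splunk's own tooling), the same DELETE call can be wrapped to process a list of departed users. `SPLUNK_HOST`, `SPLUNK_TOKEN`, `DRY_RUN` and the function names are hypothetical, and bearer-token authentication is assumed to be enabled on the stack.

```sh
#!/bin/sh
# Added example, not from the thread. Hypothetical names: SPLUNK_HOST, SPLUNK_TOKEN,
# DRY_RUN, urlencode, delete_saml_user, offboard. Assumes token authentication is enabled.
SPLUNK_HOST="${SPLUNK_HOST:-stackname.splunkcloud.com}"   # placeholder stack name from the thread
DRY_RUN="${DRY_RUN:-1}"                                   # 1 = only print what would be deleted

# Percent-encode everything outside the RFC 3986 unreserved set, so a username
# containing '@' or '/' stays a single path segment.
urlencode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}; s=$rest
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%s' "$c" | od -An -tx1 | tr -d ' \n' | sed 's/../%&/g' | tr a-f A-F) ;;
        esac
    done
    printf '%s' "$out"
}

delete_saml_user() {
    url="https://$SPLUNK_HOST:8089/services/admin/SAML-user-role-map/$(urlencode "$1")"
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DELETE %s\n' "$url"
        return 0
    fi
    # Certificate checking stays on (no -k) and the token is passed through a config
    # read from stdin, so it never appears in the process list or shell history.
    printf 'header = "Authorization: Bearer %s"\n' "$SPLUNK_TOKEN" |
        curl --silent --show-error --fail --config - --request DELETE "$url" >/dev/null
}

# $1: file with one departed username per line; blank lines and '#' comments are skipped.
offboard() {
    ok=0 failed=0
    while IFS= read -r user || [ -n "$user" ]; do
        user=$(printf '%s' "$user" | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $user in ''|'#'*) continue ;; esac   # an empty name would address the collection itself
        if delete_saml_user "$user"; then ok=$((ok + 1)); else failed=$((failed + 1)); fi
    done < "$1"
    printf 'processed=%s failed=%s\n' "$ok" "$failed"
    [ "$failed" -eq 0 ]
}

if [ "$#" -gt 0 ]; then offboard "$1"; else echo "usage: $0 USERLIST" >&2; fi
```

Run it first with the default `DRY_RUN=1` to review the URLs, then with `DRY_RUN=0` and `SPLUNK_TOKEN` set in the environment.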


jmartens
Path Finder

Although removing through REST probably works, I find it easier to do it this way:

  1. Edit the configuration file in SPLUNK_INSTALL_DIR\etc\system\local\authentication.conf
  2. Navigate to Settings > Authentication methods > reload authentication configuration
0 Karma

vzabawski
Path Finder

GUI doesn't support deleting users created with SAML. I can edit internal users. I guess it's an expected, yet inconvenient behavior from Splunk's side.


Clecimar
Explorer

Great!

This is the kind of answer I was looking for. Thanks for understanding my question.

Clecimar

Clecimar
Explorer

No, I'm an administrator.

I'm going to open a case with support.

Thank you.

Clecimar

0 Karma

dbhojani
Explorer

Did you get any response from Splunk support for this issue?

I am also a Splunk admin and I don't see an option to remove a deactivated SAML user from the UI.

It's not feasible to open a support request every time a user is deactivated.

0 Karma