We are planning to move to SAML SSO soon. One of the drawbacks of SAML is that you cannot authenticate on the API any longer. Up to this point, any user defined to use splunkweb has had access to the API. How can I find out who will be impacted by yanking API access?
I'd start with this query.
index=_internal source="*splunkd_access.log" NOT (user="-" OR user="splunk-system-user") | dedup user | table user
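A variant of the query above that narrows the list to likely direct API callers, added here as an example and not part of the original answer. It assumes Splunk Web runs on the same host as splunkd and reaches it over loopback, so requests from any other client address are treated as direct REST calls, and it assumes the clientip and uri_path fields are extracted for this log.

```spl
index=_internal source="*splunkd_access.log"
    NOT (user="-" OR user="splunk-system-user")
    NOT (clientip="127.0.0.1" OR clientip="::1")
| stats count AS requests,
        dc(uri_path) AS distinct_endpoints,
        values(clientip) AS client_ips,
        latest(_time) AS last_seen
        BY user
| convert ctime(last_seen)
| sort - requests
```

Scripts that run on the Splunk server itself also arrive over loopback and are excluded by this filter, so review those callers separately.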