Splunk SOAR (f.k.a. Phantom)

How to remap objects from an user ID to another after SAML integration?

victor_menezes
Path Finder

Hi folks,

We've been using Phantom for a while now and currently implementing SAML integration. The concerning part is that the objects (assets, playbooks, permissions...) are set to ids instead of usernames, so logins via SAML generates new user ids, and we have to remap those objects form that particular local user to the current SAML user id.

Is there any way to do that via REST or did anyone ever built a playbook to make that change?

My idea is to rename the local users appending a "_local" to the username and ask the users to login via SSO, then have a routine that identifies SAML username = local username +"_local" and move the objects from this local id to the new SAML id.

Doable?

Labels (2)
Tags (3)
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...