Is there any way possible to restrict searches based on source IP of splunk user?
Current environment is Splunk Enterprise 6 with SAML, hosted behind apache as a reverse proxy with mod_mellon handling the SAML authentication to our SSO idp. (https://www.splunk.com/blog/2013/10/09/splunk-sso-using-saml-through-okta.html)
Perhaps some way to map to different user Ids or roles via apache mod config some how, and then using standard Splunk restrictions in roles?
Yes, we are doing this. So how could we map to different roles based on source IP address?
e.g. Currently I am user "brettcave" with role "developer" that has certain rights.
If I log onto splunk from 192.168.1.0/24, I want to map to "developer" role, but if I access from any other IP, i want to map to "user" role.
is this possible?
I think what you can do is to try to do that on your DC side. Splunk just maps Groups to Roles and that's ti.
If you can figure out your strategy on the DC side, then it is fine. But in Splunk I don't think so
Solution posted below - by using 2 different SSO profiles - 1 to the original search head and a 2nd search head with a different configuration, the 2nd head can have a different configuration / ACL configuration.