In case anyone runs into the exact problem I had   error: Detected a reference cycle in lookups: fields = sourcetype <-- sourcetype; lookups = [ cisco:prime : LOOKUP-prime_alarms_field_description   Turns out this was an issue with the mentioned automatic lookup.  If you go to settings, automatic lookups, and search for it you can pull it up.  In my case this had "sourcetype" listed as an input field and an output field so I removed it from the output field and now we can search any sourcetype again. ... View more

This is a late answer but I was in this position and could not find the answer anywhere so maybe this will document it for someone else who is searching. If SAML SSO is already set up (as the question states) and you are using Azure AD then what you need to do is to add the users to the Azure AD group that has been created to give access to Splunk. You don't need to do anything in Splunk. I did also do "Reload authentication configuration" under Access controls, Authentication method, but I don't think that was necessary. The users do not appear in the Splunk user list until they have logged in. ... View more