Token authentication mechanism kind of works in parallel with SAML, so it requires SAML Attribute Query support in order to retrieve the information about group membership. Without AQR, this can be done with a script which extends Splunk auth and retrieves the information about group membership on its own, without AQR. You have 3 possible options: 1. Use identity provider which supports Attribute Query (AQR) 2. Use Azure or Okta since Splunk has auth extensions for them out of the box 3. Create your own authentication extension. If I'm not mistaken, Splunk cloud doesn't support auth extensions, so option 3 might be not applicable to your case.
... View more