Here's my story for others to follow and hopefully improve upon
I mostly followed the Splunk docs to configure single sign-on.
For the SAML group to Splunk role mapping, you need to use the AAD group IDs, which you can get with the PowerShell Get-MsolGroup cmdlet.
I also added the line nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress to the [saml] stanza. This means usernames will be the UPN rather than a horrible object ID.
So I wrote a migration script, which requires csvcut. I already have a lookup file in my Splunk instance, built daily from an LDAP search, which is where the sAMAccountName to userPrincipalName mapping comes from.
The script does the following:
1. Rename the users directory
2. Do an in-place sed to change ownership of all public objects
3. Build a file of new users to insert into authentication.conf
Saved searches require an existing user to run (else they are orphaned). With Azure AD as an identity provider, Splunk needs to create a cache, so to speak, of users. It does this by putting a username = list;of;roles into authentication.conf under the stanza [userToRoleMap_SAML] when a user first logs in. I want all scheduled searches to run, so whenever a public knowledge object is found, I add that user to the new-auths file. Then I imported it into the authentication.conf file manually as a seed.
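The three steps above, as an added example in POSIX sh; this is not the poster's script and everything in it is constructed for the demo: the Splunk layout is built under a temp dir, the lookup CSV is inline and assumed to be simple (no quoted commas), and the roles come from an extra CSV column rather than from the LDAP config. Objects whose owner line sits in an app's metadata/local.meta are treated as the "public" ones. csvcut is replaced by awk so it runs anywhere.

```shell
#!/bin/sh
# Added example, not the original poster's script. Everything here is
# constructed: temp-dir Splunk layout, inline lookup CSV, assumed roles column.
set -eu

WORK=$(mktemp -d)
SPLUNK_HOME="$WORK/splunk"
LOOKUP="$WORK/ldap_users.csv"
NEWAUTHS="$WORK/new-auths.conf"

# Constructed lookup: sAMAccountName -> userPrincipalName, plus an assumed
# roles column (in the real setup roles come from the existing LDAP config).
cat > "$LOOKUP" <<'EOF'
sAMAccountName,userPrincipalName,roles
jdoe,jdoe@example.com,admin;power
asmith,asmith@example.com,user
bnoop,bnoop@example.com,user
EOF

# Constructed user dirs: jdoe and asmith own app-shared objects, bnoop owns
# only private ones, legacyadm has no LDAP entry at all (the skip case).
for u in jdoe asmith bnoop legacyadm; do
  mkdir -p "$SPLUNK_HOME/etc/users/$u/search/local"
done
mkdir -p "$SPLUNK_HOME/etc/apps/search/metadata"
cat > "$SPLUNK_HOME/etc/apps/search/metadata/local.meta" <<'EOF'
[savedsearches/daily_report]
owner = jdoe
export = system

[views/ops_dashboard]
owner = asmith
export = none
EOF

# Column lookups; empty output (exit 0) when the account is not in the CSV.
upn_for()   { awk -F, -v s="$1" '$1==s {print $2; exit}' "$LOOKUP"; }
roles_for() { awk -F, -v s="$1" '$1==s {print $3; exit}' "$LOOKUP"; }

# Distinct owners of objects recorded in app-level metadata (assumed "public").
public_owners() {
  grep -h '^owner = ' "$SPLUNK_HOME"/etc/apps/*/metadata/local.meta \
    | awk '{print $3}' | sort -u
}

migrate() {
  owners=$(public_owners)

  # Step 1: rename etc/users/<sAMAccountName> to etc/users/<UPN>.
  for d in "$SPLUNK_HOME"/etc/users/*/; do
    sam=$(basename "$d")
    upn=$(upn_for "$sam")
    [ -n "$upn" ] || { echo "no UPN for $sam, leaving it alone" >&2; continue; }
    mv "$d" "$SPLUNK_HOME/etc/users/$upn"
  done

  # Step 2: rewrite owner lines in app metadata. One sed script per file,
  # written via tmp+mv because -i differs between GNU and BSD sed.
  for m in "$SPLUNK_HOME"/etc/apps/*/metadata/local.meta; do
    script=""
    for sam in $owners; do
      upn=$(upn_for "$sam")
      [ -n "$upn" ] && script="${script}s#^owner = ${sam}\$#owner = ${upn}#;"
    done
    sed "$script" "$m" > "$m.tmp" && mv "$m.tmp" "$m"
  done

  # Step 3: seed [userToRoleMap_SAML] with every public-object owner so
  # their scheduled searches keep a valid owner before they ever log in.
  printf '[userToRoleMap_SAML]\n' > "$NEWAUTHS"
  for sam in $owners; do
    upn=$(upn_for "$sam"); roles=$(roles_for "$sam")
    [ -n "$upn" ] || continue
    printf '%s = %s\n' "$upn" "$roles" >> "$NEWAUTHS"
  done
}

migrate
cat "$NEWAUTHS"
```

The seed file is what gets merged into authentication.conf by hand; do it with Splunk stopped and a copy of etc/users and etc/apps taken first, since a half-applied rename leaves saved searches orphaned exactly the way the post describes.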