Moving from LDAP to SAML authentication
An often asked question when configuring SAML is how to ensure that users can still access the knowledge objects and saved searches they created before migrating to SAML. Do you need a script that migrates the users' knowledge objects? As is usually the case, the answer isn't simple: it depends on the authentication mechanism that was in use before SAML.
When moving from LDAP to SAML, if the same LDAP server is configured as the backend authentication database on the Identity Provider (ADFS, Okta, Ping…), then the users remain the same and the groups they belong to remain the same.
Then moving from LDAP to SAML and retaining the previously created knowledge objects is straightforward and can be achieved …
The role hierarchy in Splunk allows a user who has the 'edit_user' capability to create other Splunk users and grant them any role, including admin. But what if you want to delegate user creation to a 'mini-admin' who should be able to create users but not additional admins?
Starting with 6.2, we have the concept of a delegated admin, who can create users that may only belong to a predefined list of roles. This is a way of enforcing the principle that users can only create other users whose privileges are a subset of their own.
Let us see how this can be achieved…