We use Okta to authenticate and grant access to our Splunk Cloud instance. The groups and roles are already mapped.
When I have a team member leave the company, we deactivate their Okta account, so in theory, preventing them from accessing any of our apps. The SSO integration is great at creating SAML users on Splunk Cloud, but to get those accounts removed on Splunk Cloud usually requires a Splunk Support ticket and a 3-5 day turnaround. I can't use the Splunk REST API to do it because we're on cloud.
Does anyone know anything about deprovisioning automagically or getting Splunk Cloud to start working on this?
Fezzes, Swarm!
Unfortunately, you can't disable users on Splunk Cloud even as super admin. Local account, you can delete, but not SAML users.
One workaround is just disable user on SC until splunk support has removed those.