Automatic Deprovisioning of users for Okta IdP

Splunk has implemented SCIM (System for Cross-domain Identity Management), a standardized protocol designed for efficient and secure management of user identities across various systems. With the release of this feature, Splunk customers can automatically deprovision users within Splunk when a user(s) are removed from the customer’s Okta Identity Provider (IdP) with following benefits for the customers. This new feature eliminates the need for manual intervention in user deprovisioning, providing a seamless and efficient solution for our customers using Okta.

Until today, to deprovision a user, customers had to file a support ticket. With the release of the feature, Splunk customers can automatically deprovision users within Splunk when a user(s) are removed from the customer’s Okta Identity Provider (IdP) 

Valuable Outcomes for Customers

Enhanced Security: Reduce the risk of unauthorized access by prompt removal of inactive or ghost users. Your Identity Provider (IdP) can now be the centralized place to manage the full users’ identity lifecycle across applications in the organization. Thus improving the security posture. 

Operational Efficiency: Reduce operational burden by eliminating additional manual tasks to keep applications in sync with the IdP making this a self-severable process for you and your administrator teams.

Compliance: You can now maintain compliance with regulatory requirements by simplifying attestations and ensuring accurate and current user records. 

How Can You Configure This Feature?

This feature is available for Splunk Cloud customers with Okta IdP and can be enabled by Splunk Admin only. If you are an Splunk Admin you will have to select “Enable SCIM provisioning” in the SSO app.

This feature is available for all 3 following Okta authentication models.

• Username and password
• Bearer token (Splunk API token)
• Oauth2

Note: If Okta UI does not have a provisioning option then please contact Okta support.

Once you have enabled, read more here on how to configure the Splunk platform to remove users on Okta. 

 What’s Next?

This feature was requested by Splunk customers and users. We are happy we have delivered part of three Splunk Ideas which will be saving time, and reduce management burden to remove unwanted users or ghost users.

• PLECID-I-239: Support Deletion/Removal Of SAML Users
• ESSID-I-14: Splunk to have the capability to purge "ghost users" without logging a ticket. 
• EID-I-270: Support to Disable/Delete Account when Utilizing SAML

We are working to support removal of users for Azure IdP and enabling user provisioning which is required to make deprovisioning fully compatible with the IdPs.

Your ideas and votes are highly valued so please do continue to submit Splunk ideas. 

Happy Splunking!