What are the pre-requisites for enabling SAML authentication in ONTAP System Manager?
Applies to
- ONTAP System Manager 9.3 and later
- Security Assertion Markup Language (SAML)
Answer
Supported IdP Servers
- Microsoft Active Directory Federated Services (ADFS)
- Open-source Shibboleth
- Cisco DUO with ONTAP 9.12.1 and later
Claim Rule | Value |
---|---|
SAM-account-name | Name ID |
SAM-account-name | urn:oid:0.9.2342.19200300.100.1.1 |
Name Format | urn:oasis:names:tc:SAML:2.0:attrname-format:uri |
Token groups – Unqualified Name | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 |
Note: The claim rules mentioned above need to be configured/setup in IdP server.
- IdP server setup is done by an IdP admin and NetApp Support is not involved in this process.
Ports, local users setup and other configuration
- Ports 443 or 80 need to be open between the ONTAP cluster and IdP server
- Access to Remote LAN Module (RLM) or Service Processor (SP) console of the ONTAP cluster
- Administrative users will not be able to log into System Manager if IdP is misconfigured
- You will not be able to disable SAML from the cluster management LIF; you must disable SAML from the RLM or SP console.
- Active Directory Domain Groups configured on a cluster do not work with SAML on Ontap.
- Adding a SAML Domain User in ONTAP cluster using the ONTAP CLI
Notes:
- ONTAP is case-sensitive
- No need to use sAMAccountName (Domain\Username), just use the username
- In some cases you will need to use a user name pattern like
user@domain
to make it work because this comes from the IdP
- Example 1:
If Active Directory Domain Username is John with capital J, then add SAML user in Ontap cluster with the same name.
cluster::> security login create -user-or-group-name John -application http -authentication-method saml -role admin
cluster::> security login create -user-or-group-name John -application ontapi -authentication-method saml -role admin
- Example 2:
If Active Directory Domain Username is joHn with capital H.
cluster::> security login create -user-or-group-name joHn -application http -authentication-method saml -role admin
cluster::> security login create -user-or-group-name joHn -application ontapi -authentication-method saml -role admin
DNS
- The cluster should be able to ping the IdP server fully qualified domain name
::> dns hosts show
::> ping <IDP_server_name>
- The IdP server should be able to ping the cluster management lif or cluster fully qualified domain name
IdP server CLI --> ping <cluster_FQDN>
- Check to make sure the cluster certificate is not expired
::> security certificate show -vserver <cluster_name> -common-name <clustername>
IdP (Identity provider) URL
- Capture the IdP URL from ADFS or Shibboleth server
- OKTA and Ping Federate have been configured successfully but not tested within NetApp.
- The URL is needed to configure SAML on ONTAP System Manager.
- OkTA URL should not contain the Token groups Unqualified name
Correct URL -- https://netapp.okta.com/app/abc1a23a1234567abcd/sso/saml/metadata
Incorrect URL -- https://netapp.okta.com/app/netapp_app_1/abc1a23a1234567abcd/sso/saml/metadata
- Ping Federate URL will be similar to the following:
https://companysaml.domain.com/pf/federation_metadata.ping?PartnerSpId=https://cluster_fqdn