Skip to main content
NetApp Knowledge Base

What are the pre-requisites for enabling SAML authentication in ONTAP System Manager?

Views:
6,762
Visibility:
Public
Votes:
2
Category:
ontap-system-manager
Specialty:
om
Last Updated:

Applies to

  • ONTAP System Manager 9.3 and later
  • Security Assertion Markup Language (SAML)

Answer

Supported IdP Servers
Claim Rule Value
SAM-account-name Name ID
SAM-account-name urn:oid:0.9.2342.19200300.100.1.1
Name Format urn:oasis:names:tc:SAML:2.0:attrname-format:uri
Token groups – Unqualified Name urn:oid:1.3.6.1.4.1.5923.1.5.1.1

Note: The claim rules mentioned above need to be configured/setup in IdP server.

  • IdP server setup is done by an IdP admin and NetApp Support is not involved in this process.
Ports, local users setup and other configuration
  • Ports 443 or 80 need to be open between the ONTAP cluster and IdP server 
  • Access to Remote LAN Module (RLM) or Service Processor (SP) console of the ONTAP cluster 
    • Administrative users will not be able to log into System Manager if IdP is misconfigured
    • You will not be able to disable SAML from the cluster management LIF; you must disable SAML from the RLM  or SP console. 
  • Active Directory Domain Groups configured on a cluster do not work with SAML on Ontap.
  • Adding a SAML Domain User in ONTAP cluster using the ONTAP CLI

Notes:

  • ONTAP is case-sensitive
  • No need to use sAMAccountName (Domain\Username), just use the username
  • In some cases you will need to use a user name pattern like user@domain to make it work because this comes from the IdP

 

  • Example 1:

If Active Directory Domain Username is John with capital J, then add SAML user in Ontap cluster with the same name.

cluster::> security login create -user-or-group-name John -application http -authentication-method saml -role admin
cluster::> security login create -user-or-group-name John -application ontapi -authentication-method saml -role admin

  • Example 2:

If Active Directory Domain Username is joHn with capital H.

cluster::> security login create -user-or-group-name joHn -application http -authentication-method saml -role admin
cluster::> security login create -user-or-group-name joHn -application ontapi -authentication-method saml -role admin

DNS
  • The cluster should be able to ping the IdP server fully qualified domain name

::> dns hosts show

::> ping <IDP_server_name>

  • The IdP server should be able to ping the cluster management lif or cluster fully qualified domain name

IdP server CLI --> ping <cluster_FQDN>

  • Check to make sure the cluster certificate is not expired

::> security certificate show -vserver <cluster_name> -common-name <clustername>

IdP (Identity provider) URL
  • Capture the IdP URL from ADFS or Shibboleth server
    • OKTA and Ping Federate have been configured successfully but not tested within NetApp.
    • The URL is needed to configure SAML on ONTAP System Manager.
  • OkTA URL should not contain the Token groups Unqualified name

Correct URL  --   https://netapp.okta.com/app/abc1a23a1234567abcd/sso/saml/metadata
Incorrect URL --  https://netapp.okta.com/app/netapp_app_1/abc1a23a1234567abcd/sso/saml/metadata

  • Ping Federate URL will be similar to the following:

https://companysaml.domain.com/pf/federation_metadata.ping?PartnerSpId=https://cluster_fqdn

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.