Configuring SAML authentication

Starting with ONTAP 9.3, you can configure Security Assertion Markup Language (SAML) authentication for web services. When SAML authentication is configured and enabled, users are authenticated by an external Identity Provider (IdP) instead of the directory service providers such as Active Directory and LDAP.

Before you begin

You must have configured the IdP for SAML authentication.
You must have the IdP URI.

About this task

SAML authentication applies only to the http and ontapi applications.
The http and ontapi applications are used by the following web services: Service Processor Infrastructure, ONTAP APIs, or OnCommand System Manager.
SAML authentication is applicable only for accessing the admin SVM.

Steps

Create a SAML configuration so that ONTAP can access the IdP metadata: security saml-sp create -idp-uri idp_uri -sp-host ontap_host_name

idp_uri is the FTP or HTTP address of the IdP host from where the IdP metadata can be downloaded.

ontap_host_name is the host name or IP address of the SAML service provider host, which in this case is the ONTAP system. By default, the IP address of the cluster-management LIF is used.

You can optionally provide the ONTAP server certificate information. By default, the ONTAP web server certificate information is used.

Example

cluster_12::> security saml-sp create -idp-uri https://scspr0235321001.gdl.englab.netapp.com/idp/shibboleth -verify-metadata-server false

Warning: This restarts the web server. Any HTTP/S connections that are active
         will be disrupted.
Do you want to continue? {y|n}: y
[Job 179] Job succeeded: Access the SAML SP metadata using the URL:            
https://10.63.56.150/saml-sp/Metadata

Configure the IdP and Data ONTAP users for the same directory server domain to ensure that users are the same for different authentication methods. See the "security login show" command for the Data ONTAP user configuration.

The URL to access the ONTAP host metadata is displayed.

From the IdP host, configure the IdP with the ONTAP host metadata.
For more information about configuring the IdP, see the IdP documentation.
Enable SAML configuration: security saml-sp modify -is-enabled true
Any existing user that accesses the http or ontapi application is automatically configured for SAML authentication.

If you want to create users for the http or ontapi application after SAML is configured, specify SAML as the authentication method for the new users.

Create a login method for new users with SAML authentication: security login create -user-or-group-name user_name -application [http | ontapi] -authentication-method saml -vserver svm_name
Example
```
cluster_12::> security login create -user-or-group-name admin1 -application http -authentication-method saml -vserver  cluster_12
```

Verify that the user entry is created: security login show

Example

cluster_12::> security login show

Vserver: cluster_12
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
admin          console     password      admin            no     none
admin          http        password      admin            no     none
admin          http        saml          admin            -      none
admin          ontapi      password      admin            no     none
admin          ontapi      saml          admin            -      none
admin          service-processor
                           password      admin            no     none
admin          ssh         password      admin            no     none
admin1         http        password      backup           no     none
admin1         http        saml          backup           -      none