Troubleshooting issues with SAML configuration

If configuring Security Assertion Markup Language (SAML) authentication fails, you can manually repair each node on which the SAML configuration failed and recover from the failure. During the repair process, the web server is restarted and any active HTTP connections or HTTPS connections are disrupted.

About this task

When you configure SAML authentication, ONTAP applies SAML configuration on a per-node basis. When you enable SAML authentication, ONTAP automatically tries to repair each node if there are configuration issues. If there are issues with SAML configuration on any node, you can disable SAML authentication and then reenable SAML authentication. There can be situations when SAML configuration fails to apply on one or more nodes even after you reenable SAML authentication. You can identify the node on which SAML configuration has failed and then manually repair that node.

Steps

  1. Log in to the advanced privilege level: set -privilege advanced
  2. Identify the node on which SAML configuration failed: security saml-sp status show -instance
    Example
    cluster_12::*> security saml-sp status show -instance
    
                             Node: node1
                    Update Status: config-success
                   Database Epoch: 9
       Database Transaction Count: 997
                       Error Text: 
    SAML Service Provider Enabled: false
            ID of SAML Config Job: 179
    
                             Node: node2
                    Update Status: config-failed
                   Database Epoch: 9
       Database Transaction Count: 997
                       Error Text: SAML job failed, Reason: Internal error. Failed to receive the SAML IDP Metadata file.
    SAML Service Provider Enabled: false
            ID of SAML Config Job: 180
    2 entries were displayed.
  3. Repair the SAML configuration on the failed node: security saml-sp repair -node node_name
    Example
    cluster_12::*> security saml-sp repair -node node2 
    
    Warning: This restarts the web server. Any HTTP/S connections that are active
             will be disrupted.
    Do you want to continue? {y|n}: y
    [Job 181] Job is running.
    [Job 181] Job success.
    The web server is restarted and any active HTTP connections or HTTPS connections are disrupted.
  4. Verify that SAML is successfully configured on all of the nodes: security saml-sp status show -instance
    Example
    cluster_12::*> security saml-sp status show -instance
    
                             Node: node1
                    Update Status: config-success
                   Database Epoch: 9
       Database Transaction Count: 997
                       Error Text: 
    SAML Service Provider Enabled: false
            ID of SAML Config Job: 179
    
                             Node: node2
                    Update Status: config-success
                   Database Epoch: 9
       Database Transaction Count: 997
                       Error Text: 
    SAML Service Provider Enabled: false
            ID of SAML Config Job: 180
    2 entries were displayed.