You can use multi-factor authentication (MFA) with a third-party Identity Provider (IdP) via the Security Assertion Markup Language (SAML) to authenticate users and manage their sessions.
AddIdpClusterAdmin
You can use the AddIdpClusterAdmin method to add a cluster administrator user authenticated by a third-party Identity Provider (IdP). IdP cluster admin accounts are configured based on SAML attribute-value information provided within the IdP's SAML assertion associated with the user. If a user successfully authenticates with the IdP and has SAML attribute statements within the SAML assertion matching multiple IdP cluster admin accounts, the user has the combined access level of all matching IdP cluster admin accounts.
CreateIdpConfiguration
You can use the CreateIdpConfiguration method to create a potential trust relationship for authentication using a third-party Identity Provider (IdP) for the cluster. A SAML Service Provider certificate is required for IdP communication. This certificate is generated as required and returned by this API call.
DeleteAuthSession
You can use the DeleteAuthSession method to delete an individual auth session. If the calling user is not in the ClusterAdmins / Administrator AccessGroup, only auth sessions belonging to the calling user can be deleted.
DeleteAuthSessionsByClusterAdmin
You can use the DeleteAuthSessionsByClusterAdmin method to delete all authentication sessions associated with the specified ClusterAdminID. If the specified ClusterAdminID maps to a group of users, all authentication sessions for all members of that group will be deleted. To view a list of sessions for possible deletion, use the ListAuthSessionsByClusterAdmin method with the ClusterAdminID parameter.
DeleteAuthSessionsByUsername
You can use the DeleteAuthSessionsByUsername method to delete all authentication sessions for a given user or users. A caller not in the ClusterAdmins/Administrator AccessGroup can only delete their own sessions. A caller with ClusterAdmins/Administrator privileges can delete sessions belonging to any user. To view a list of sessions for possible deletion, use the ListAuthSessionsByUsername method with the same parameters.
DeleteIdpConfiguration
You can use the DeleteIdpConfiguration method to delete an existing configuration of a third-party IdP for the cluster. Deleting the last IdP configuration removes the SAML Service Provider certificate from the cluster.
DisableIdpAuthentication
You can use the DisableIdpAuthentication method to disable support for authentication using third-party IdPs for the cluster. Once disabled, users authenticated by third-party IdPs are no longer able to access the cluster, and any active authenticated sessions are invalidated/disconnected. LDAP and cluster admins are able to access the cluster via supported UIs.
EnableIdpAuthentication
You can use the EnableIdpAuthentication method to enable support for authentication using third-party IdPs for the cluster. Once IdP authentication is enabled, LDAP and cluster admins are no longer able to access the cluster via supported UIs, and any active authenticated sessions are invalidated/disconnected. Only users authenticated by third-party IdPs are able to access the cluster via supported UIs.
GetIdpAuthenticationState
You can use the GetIdpAuthenticationState method to return information regarding the state of authentication using third-party IdPs.
ListActiveAuthSessions
You can use the ListActiveAuthSessions method to list all of the active authenticated sessions. Only users with Administrative access rights can call this method.
ListIdpConfigurations
You can use the ListIdpConfigurations method to list configurations for third-party IdPs. Optionally, you can provide either the enabledOnly flag to retrieve the currently enabled IdP configuration, or an IdP metadata UUID or IdP name to query information for a specific IdP configuration.
UpdateIdpConfiguration
You can use the UpdateIdpConfiguration method to update an existing configuration with a third-party IdP for the cluster.