
Configure OpenID Connect for AIDE in ONTAP

Contributors dmp-netapp netapp-dbagwell netapp-bhouser

As an ONTAP cluster administrator, you can use ONTAP System Manager to configure OpenID Connect (OIDC) authentication for an AI Data Engine (AIDE) cluster. This provides a secure and centralized login through an external identity provider (IdP).

Caution You must configure OIDC to access AIDE Console. When configured, all authentication flows through OIDC. If OIDC is not configured, the console is unavailable to administrators as well as to data engineers and data scientists. In this case, signing in to System Manager reverts to local authentication.

Also note the following about OIDC configuration for AIDE access:

  • At a high level, OIDC configuration consists of two major steps. First, perform the basic OIDC configuration in System Manager. Then complete the setup by configuring external role mapping using the ONTAP CLI.

  • You cannot modify an existing OIDC configuration. If you need to make a change, first delete the configuration and create a new one with the desired settings.

  • If you disable or remove OIDC, System Manager will revert to local ONTAP user authentication.

OIDC overview

OpenID Connect (OIDC) is an authentication protocol built on the OAuth 2.0 framework. It extends OAuth 2.0, which is used primarily for authorization, by adding an identity layer. OIDC introduces the concept of an ID token, which is a JSON Web Token (JWT) containing claims about the authentication event and the identity of the user.

You need to select and configure an external identity provider (IdP) supported by AFX with AIDE. The IdP authenticates users and issues tokens that AFX, through System Manager, can use to grant access to AIDE Console.

Configure third-party identity providers

To authenticate using OIDC, you need to first configure an external IdP. The ONTAP implementation of OIDC uses role claims in the tokens to enforce RBAC. When setting up an IdP, make sure it's configured to return role claims in the id token and access token. ONTAP supports two IdPs for OIDC authentication: Entra ID and Active Directory Federation Services (AD FS).

Entra ID

You can configure Entra ID using the following high-level steps:

  1. Create a new App Registration at the Entra ID configuration page.

  2. Set the Redirect URI (Web) value to https://$CLUSTER_MGMT_IP/oidc/callback, substituting the appropriate cluster management IP address or FQDN.

  3. Create the required roles under App Roles and assign them to your users.

  4. Under Token Configuration, update the token claims to return roles in the ID token and the access token.

Active Directory Federation Services

You can configure AD FS using the following high-level steps:

  1. Create a new Application Group and select Server application accessing a web API.

  2. Set the Redirect URI (Web) value to https://$CLUSTER_MGMT_IP/oidc/callback, substituting the appropriate cluster management IP address or FQDN.

  3. Configure claims to return roles in tokens.

Configure OIDC in System Manager

After configuring your IdP, you can set up OIDC authentication in System Manager to enable secure access to AIDE Console.

Tip You can provide the Metadata URI to automatically populate the OIDC configuration fields in System Manager. Review the documentation for your IdP to get the exact URI format.

Before you begin
  • You need to have administrator access to System Manager.

  • Your OIDC identity provider must be configured and accessible.

Steps
  1. In System Manager, select Cluster and then Settings; locate the OpenID Connect card.

  2. If OIDC is already configured, you can edit or disable the configuration. If OIDC is not configured, select the gear icon to start the setup process.

  3. Under Configure OpenID Connect, provide values for the following fields:

    • Provider

    • Issuer

    • JSON web key set URI

    • Authorization endpoint

    • Token endpoint

    • End session endpoint

    • Access Token Issuer (optional)

  4. Under Client configuration, provide values for the following fields:

    • Client ID

    • Remote user claim

    • Refresh interval

  5. Under Connection details, provide values for the following fields:

    • Cluster IP address or FQDN

    • Outgoing proxy (optional)

  6. Under External Role mapping, select an existing role mapping or define a new role for the ONTAP admin user.

  7. Select Enable now and then Save. System Manager will refresh to apply the new authentication settings.

  8. Log in with your IdP credentials; after successful authentication you'll be returned to System Manager.

After you finish

Complete the OIDC setup by configuring external role mapping.

Configure external role mapping using the CLI

External role mapping is an ONTAP feature enabling you to map the external IdP roles to the corresponding ONTAP roles. You need to configure this mapping to ensure users authenticating through OIDC are granted the appropriate RBAC permissions in ONTAP.

About this task

This task maps the data engineer and data scientist roles to the corresponding ONTAP roles. You need to update the command examples with the appropriate role names based on your environment. Note that you should have already mapped the storage administrator role to the ONTAP admin role during basic OIDC configuration in System Manager.

Steps
  1. Using SSH, sign in to the ONTAP CLI using an account with administrative privileges.

  2. Configure role mapping for the data engineer role; for example:

    security login external-role-mapping create -external-role dataEngineer -provider entra -ontap-role data-engineer

  3. Configure role mapping for the data scientist role; for example:

    security login external-role-mapping create -external-role dataScientist -provider entra -ontap-role data-scientist
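The IdP section above requires role claims in both the ID token and the access token, and the mapping steps tie each external role to an ONTAP role. The following added example (not NetApp code) is an offline pre-flight check you can run against tokens captured from your IdP test sign-in: it confirms the configured issuer and the presence of the role claim in both tokens, then shows which ONTAP roles the mapping would produce. It assumes the claim is named `roles` (as for Entra ID app roles); the issuer, role names and tokens are constructed.

```python
import base64
import json

# Constructed mapping mirroring the role-mapping commands on this page.
ROLE_MAPPING = {
    "storageAdmin": "admin",          # mapped in System Manager (step 6)
    "dataEngineer": "data-engineer",  # mapped with the CLI
    "dataScientist": "data-scientist",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT. Parsing only: no signature check,
    ONTAP verifies signatures against the JSON web key set URI you configure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_tokens(id_token: str, access_token: str, issuer: str,
                 claim: str = "roles", mapping: dict = ROLE_MAPPING) -> list:
    """Require the configured issuer and the role claim in both tokens, then
    return the sorted ONTAP roles for roles asserted in both tokens.
    IdP roles with no mapping grant nothing in ONTAP and are dropped."""
    roles = None
    for name, tok in (("ID", id_token), ("access", access_token)):
        claims = jwt_claims(tok)
        if claims.get("iss") != issuer:
            raise ValueError(f"{name} token issuer {claims.get('iss')!r} != {issuer!r}")
        if claim not in claims:
            raise ValueError(f"{name} token lacks the {claim!r} claim; fix the IdP token configuration")
        roles = set(claims[claim]) if roles is None else roles & set(claims[claim])
    return sorted({mapping[r] for r in roles if r in mapping})


def make_unsigned_jwt(payload: dict) -> str:
    """Constructed, unsigned test token (alg=none) for offline parsing only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


ISSUER = "https://login.example.test/tenant-id/v2.0"  # constructed issuer
SAMPLE_ID = make_unsigned_jwt({"iss": ISSUER, "sub": "u1", "roles": ["dataEngineer", "auditor"]})
SAMPLE_ACCESS = make_unsigned_jwt({"iss": ISSUER, "sub": "u1", "roles": ["dataEngineer"]})

if __name__ == "__main__":
    print(check_tokens(SAMPLE_ID, SAMPLE_ACCESS, ISSUER))  # ['data-engineer']
```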