Skip to main content
BlueXP setup and administration

Enable single sign-on by using identity federation with BlueXP

Contributors netapp-bcammett netapp-tonias
PDFs

Identity federation enables single sign-on with BlueXP so that users can log in using credentials from your corporate identity. To get started, learn how identity federation works and then review an overview of the setup process.

Identity federation with NSS credentials

If you use your NetApp Support Site (NSS) credentials to log in to BlueXP, you should not follow the instructions on this page to set up identity federation. You should do the following instead:

The NetApp support team will review and process your request.

How identity federation works

Setting up identity federation creates a trust connection between BlueXP's authentication service provider (Auth0) and your own identity management provider.

The following image depicts how identity federation works with BlueXP:

A diagram that shows a user authenticating with BlueXP and a connection between BlueXP and an identity provider that authenticates the user.

  1. The user enters their email address on the BlueXP login page.

  2. BlueXP identifies that the email domain is part of a federated connection and sends the authentication request to the identity provider using the trusted connection.

    When you set up a federated connection, BlueXP always uses that federated connection for authentication.

  3. The user authenticates by using credentials from your corporate directory.

  4. Your identity provider authenticates the user's identity and the user is logged in to BlueXP.

Identity federation uses open standards, such as Security Assertion Markup Language 2.0 (SAML) and OpenID Connect (OIDC).

Supported identity providers

BlueXP supports the following identity providers:

  • Security Assertion Markup Language (SAML) identity providers

  • Microsoft Entra ID

  • Active Directory Federation Services (AD FS)

  • PingFederate

BlueXP supports service provider-initiated (SP-initiated) SSO only.

Overview of the setup process

Before setting up a connection between BlueXP and your identity management provider, understand the required steps to prepare.

These steps are specific to users who log in to BlueXP using a NetApp cloud login. If you use your NSS credentials to log in to BlueXP, learn how to set up identity federation with NSS credentials.

SAML identity provider

Setting up a federated connection with a SAML identity provider involves these steps:

Step Completed by Description

1

IdP admin

Configure your SAML identity provider to enable identity federation with BlueXP.

View instructions for your SAML identity provider:

* ADFS
* Okta
* OneLogin
* PingFederate
* SalesForce
* SiteMinder
* SSOCircle

If your identity provider doesn't appear in the list above, follow these generic instructions

TIP: Do not complete the steps that describe how to create a connection in auth0. You'll create that connection in the next step.

2

BlueXP admin

Go to the NetApp Federation Setup page and create the connection with BlueXP.

To complete this step, you need to get the following from your IdP admin about the identity provider:

  • Sign in URL

  • An X509 signing certificate (PEM or CER format)

  • Sign out URL (optional)

After you create the connection using this information, the Federation Setup page lists the parameters that you can send to your IdP admin to complete the configuration in the next step.

Note Take note of the certificate expiration date. You need to return to the Federation Setup page and update the certificate before it expires. This is your responsibility. BlueXP does not track the expiration date, so you must monitor and update the certificate before it expires. It's best to work with your IT team to get alerted on time.

3

IdP admin

Complete the configuration on the identity provider using the parameters shown on the Federation Setup page after finishing step 2.

4

BlueXP admin

Test and enable the connection from the NetApp Federation Setup page

The page refreshes between testing the connection and enabling the connection.

Microsoft Entra ID

Setting up a federated connection between BlueXP and Microsoft Entra ID includes the following steps:

Step Completed by Description

1

IdP admin

Configure Microsoft Entra ID to enable identity federation with BlueXP.

View instructions for registering the application with Microsoft Entra ID

TIP: Do not complete the steps that describe how to create a connection in auth0. You'll create that connection in the next step.

2

BlueXP admin

Go to the NetApp Federation Setup page and create the connection with BlueXP.

To complete this step, you need to obtain the following from your IdP admin:

* Client ID
* Client secret value
* Microsoft Entra ID domain

After you create the connection using this information, the Federation Setup page lists the parameters that you can send to your AD admin to complete the configuration in the next step.

NOTE: Take note of the secret key expiration date. You need to return to the Federation Setup page and update the certificate before it expires. This is your responsibility. BlueXP does not track the expiration date. It's best to work with your AD team to get alerted on time.

3

IdP admin

Complete the configuration in Microsoft Entra ID using the parameters shown on the Federation Setup page after finishing step 2.

4

BlueXP admin

Test and enable the connection from the NetApp Federation Setup page

Note that the page refreshes between testing the connection and enabling the connection.

AD FS

Setting up a federated connection between BlueXP and AD FS includes the following steps:

Step Completed by Description

1

IdP admin

Configure the AD FS server to enable identity federation with BlueXP.

View instructions for configuring the ADFS server with auth0

2

BlueXP admin

Go to the NetApp Federation Setup page and create the connection with BlueXP.

To complete this step, you need to obtain the following from your IdP admin: the URL for the AD FS server or the federation metadata file.

After you create the connection using this information, the Federation Setup page lists the parameters that you can send to your IdP admin to complete the configuration in the next step.

Note Keep track of the certificate expiration date. Update the certificate on the Federation Setup page before it expires. This is your responsibility. BlueXP does not track the expiration date. It's best to work with your AD team to get alerted on time.

3

IdP admin

Complete the configuration on the ADFS server using the parameters shown on the Federation Setup page after finishing step 2.

4

BlueXP admin

Test and enable the connection from the NetApp Federation Setup page

The page refreshes between testing and enabling the connection.

PingFederate

Setting up a federated connection between BlueXP and a PingFederate server includes the following steps:

Step Completed by Description

1

IdP admin

Configure your PingFederate server to enable identity federation with BlueXP.

View instructions for creating a connection

TIP: Do not complete the steps that describe how to create a connection in auth0. You'll create that connection in the next step.

2

BlueXP admin

Go to the NetApp Federation Setup page and create the connection with BlueXP.

To complete this step, you need to obtain the following from your AD admin:

* The URL for the PingFederate server
* An X509 signing certificate (PEM or CER format)

After you create the connection using this information, the Federation Setup page lists the parameters that you can send to your AD admin to complete the configuration in the next step.

NOTE: Keep track of the certificate expiration date. Update the certificate on the Federation Setup page before it expires. This is your responsibility. BlueXP does not track the expiration date. It's best to work with your IdP team to get alerted on time.

3

IdP admin

Complete the configuration on the PingFederate server using the parameters shown on the Federation Setup page after finishing step 2.

4

BlueXP admin

Test and enable the connection from the NetApp Federation Setup page

The page refreshes between testing the connection and enabling the connection.

Updating a federated connection

After the BlueXP admin enables a connection, the admin can update the connection at any time from the NetApp Federation Setup page

For example, you might need to update the connection by uploading a new certificate.

Only the BlueXP admin who created the connection can update it.If you'd like to add additional admins, contact NetApp Support.