Skip to main content
BlueXP setup and administration

Enable single sign-on by using identity federation with BlueXP

Contributors netapp-bcammett

Identity federation enables single sign-on with BlueXP so that users can log in using credentials from your corporate identity. To get started, learn how identity federation works with BlueXP and then review an overview of the setup process.

Identity federation with NSS credentials

If you use your NetApp Support Site (NSS) credentials to log in to BlueXP, you should not follow the instructions on this page to set up identity federation. You should do the following instead:

The NetApp Identity and Access Management team will review your request.

How identity federation works

Setting up identity federation creates a trust connection between BlueXP's authentication service provider (auth0) and your own identity management provider.

The following image depicts how identity federation works with BlueXP:

A diagram that shows a user authenticating with BlueXP and a connection between BlueXP and an identity provider that authenticates the user.

  1. A user enters their email address on the BlueXP login page.

  2. BlueXP identifies that the email domain is part of a federated connection and sends the authentication request to the identity provider using the trusted connection.

    When you set up a federated connection, BlueXP always uses that federated connection for authentication.

  3. The user authenticates by using credentials from your corporate directory.

  4. Your identity provider authenticates the user's identity and the user is logged in to BlueXP.

Identity federation uses open standards, such as Security Assertion Markup Language 2.0 (SAML) and OpenID Connect (OIDC).

Supported identity providers

BlueXP supports the following identity providers:

  • Security Assertion Markup Language (SAML) identity providers

  • Microsoft Entra ID

  • Active Directory Federation Services (ADFS)

  • PingFederate

BlueXP supports service provider initiated (SP-initiated) SSO only. Identity provider initiated (IdP-initiated) SSO is not supported.

Overview of the setup process

Before you set up a connection between BlueXP and your identity management provider, you should understand the steps that you'll need to take so that you can prepare accordingly.

These steps are specific to users who log in to BlueXP using a NetApp cloud login. If you use your NSS credentials to log in to BlueXP, learn how to set up identity federation with NSS credentials.

SAML identity provider

At a high-level, setting up a federated connection between BlueXP and a SAML identity provider includes the following steps:

Step Completed by Description

1

Active Directory (AD) admin

Configure your SAML identity provider to enable identity federation with BlueXP.

View instructions for your SAML identity provider:

If your identity provider doesn't appear in the list above, follow these generic instructions

Tip Do not complete the steps that describe how to create a connection in auth0. You'll create that connection in the next step.

2

BlueXP admin

Go to the NetApp Federation Setup page and create the connection with BlueXP.

To complete this step, you need to obtain the following from your AD admin about the identity provider:

  • Sign in URL

  • An X509 signing certificate (PEM or CER format)

  • Sign out URL (optional)

After you create the connection using this information, the Federation Setup page lists the parameters that you can send to your AD admin to complete the configuration in the next step.

Note Take note of the certificate expiration date. You need to return to the Federation Setup page and update the certificate before it expires. This is your responsibility. BlueXP does not track the expiration date. It's best to work with your AD team to get alerted on time.

3

AD admin

Complete the configuration on the identity provider using the parameters shown on the Federation Setup page after finishing step 2.

4

BlueXP admin

Test and enable the connection from the NetApp Federation Setup page

Note that the page refreshes between testing the connection and enabling the connection.

Microsoft Entra ID

At a high-level, setting up a federated connection between BlueXP and Microsoft Entra ID includes the following steps:

Step Completed by Description

1

AD admin

Configure Microsoft Entra ID to enable identity federation with BlueXP.

Tip Do not complete the steps that describe how to create a connection in auth0. You'll create that connection in the next step.

2

BlueXP admin

Go to the NetApp Federation Setup page and create the connection with BlueXP.

To complete this step, you need to obtain the following from your AD admin:

  • Client ID

  • Client secret value

  • Microsoft Entra ID domain

After you create the connection using this information, the Federation Setup page lists the parameters that you can send to your AD admin to complete the configuration in the next step.

Note Take note of the secret key expiration date. You need to return to the Federation Setup page and update the certificate before it expires. This is your responsibility. BlueXP does not track the expiration date. It's best to work with your AD team to get alerted on time.

3

AD admin

Complete the configuration in Microsoft Entra ID using the parameters shown on the Federation Setup page after finishing step 2.

4

BlueXP admin

Test and enable the connection from the NetApp Federation Setup page

Note that the page refreshes between testing the connection and enabling the connection.

ADFS

At a high-level, setting up a federated connection between BlueXP and ADFS includes the following steps:

Step Completed by Description

1

AD admin

Configure the ADFS server to enable identity federation with BlueXP.

2

BlueXP admin

Go to the NetApp Federation Setup page and create the connection with BlueXP.

To complete this step, you need to obtain the following from your AD admin: the URL for the ADFS server or the federation metadata file.

After you create the connection using this information, the Federation Setup page lists the parameters that you can send to your AD admin to complete the configuration in the next step.

Note Take note of the certificate expiration date. You need to return to the Federation Setup page and update the certificate before it expires. This is your responsibility. BlueXP does not track the expiration date. It's best to work with your AD team to get alerted on time.

3

AD admin

Complete the configuration on the ADFS server using the parameters shown on the Federation Setup page after finishing step 2.

4

BlueXP admin

Test and enable the connection from the NetApp Federation Setup page

Note that the page refreshes between testing the connection and enabling the connection.

PingFederate

At a high-level, setting up a federated connection between BlueXP and a PingFederate server includes the following steps:

Step Completed by Description

1

AD admin

Configure your PingFederate server to enable identity federation with BlueXP.

Tip Do not complete the steps that describe how to create a connection in auth0. You'll create that connection in the next step.

2

BlueXP admin

Go to the NetApp Federation Setup page and create the connection with BlueXP.

To complete this step, you need to obtain the following from your AD admin:

  • The URL for the PingFederate server

  • An X509 signing certificate (PEM or CER format)

After you create the connection using this information, the Federation Setup page lists the parameters that you can send to your AD admin to complete the configuration in the next step.

Note Take note of the certificate expiration date. You need to return to the Federation Setup page and update the certificate before it expires. This is your responsibility. BlueXP does not track the expiration date. It's best to work with your AD team to get alerted on time.

3

AD admin

Complete the configuration on the PingFederate server using the parameters shown on the Federation Setup page after finishing step 2.

4

BlueXP admin

Test and enable the connection from the NetApp Federation Setup page

Note that the page refreshes between testing the connection and enabling the connection.

Updating a federated connection

After the BlueXP admin enables a connection, the admin can update the connection at any time from the NetApp Federation Setup page

For example, you might need to update the connection by uploading a new certificate.

The BlueXP admin who created the connection is the only authorized user who can update the connection. If you'd like to add additional admins, contact NetApp Support.