Enable single sign-on by using identity federation with BlueXP
Suggest changes
PDFs
Single-sign on (federation) simplifies the login process and enhances security by allowing users to log in to BlueXP using their corporate credentials. You can enable single sign-on (SSO) with your identity provider (IdP) or with the NetApp Support site.
Organization admin, Federation admin, Federation viewer. Learn more about access roles.
Identity federation with NetApp Support Site
When you federate with the NetApp Support Site, users can login with the same credentials to access BlueXP as you use for the NetApp Support Site, Active IQ Digital Advisor and other apps associated with your NetApp Support Site account. After you set up federation, any new users who create a NetApp Support Site accounts are also be able to access BlueXP.
|
If you federate with the NetApp Support Site, you can't also federate with your corporate identity management provider. Choose which one works best for your organization. |
-
Download and complete the NetApp Federation Request Form.
-
Submit the form to the email address specified in the form.
The NetApp support team reviews and processes your request.
Set up a federated connection with your identity provider
You can set up a federated connection with your identity provider to enable single sign-on (SSO) for BlueXP. The process involves configuring your identity provider to trust NetApp as a service provider and then creating the connection in BlueXP.
|
|
If you previously configured federation using NetApp Cloud Central (an external application to BlueXP), you'll need to import your federation using the BlueXP Federation page to be able to manage it within BlueXP. Learn how to import your federation. |
Supported identity providers
NetApp supports the following protocols and identity providers for federation:
-
Security Assertion Markup Language (SAML) identity providers
-
Active Directory Federation Services (AD FS)
-
Microsoft Entra ID
-
PingFederate
Federation with BlueXP workflow
NetApp supports service provider-initiated (SP-initiated) SSO only. You need to first configure the identity provider to trust NetApp as a service provider. Then, you can create a connection in BlueXP that uses the identity provider's configuration.
You can federate with your email domain or with a different domain that you own. To federate with a domain different from your email domain, first verify you own the domain.
Verify your domain (if not using your email domain)To federate with a domain different from your email domain, verify that you own it. You can federate your email domain without any extra steps.
Configure your IdP to trust NetApp as a service providerConfigure your identity provider to trust NetApp by creating a new application and providing the necessary information, such as the ACS URL, Entity ID or other credential information. Service provider information varies by identity provider, so refer to the documentation for your specific identity provider for details. You'll need to work with your IdP administrator to complete this step.
Create the federated connection in BlueXPTo create the connection, you need to provide the necessary information from your identity provider, such as the SAML metadata URL or file. This information is used to establish the trust relationship between BlueXP and your identity provider. The information you provide depends on the IdP that you are using. For example, if you're using Microsoft Entra ID, you need to provide the client ID, secret, and domain.
Test your federation in BlueXPTest your federated connection before enabling it. The Federation page in BlueXP provides a test option that allows you to verify your test user is able to authenticate successfully. If the test is successful, you can enable the connection.
Enable your connection in BlueXPAfter you enable the connection, users can log in to BlueXP using their corporate credentials.
Review the topic for your respective protocol or IdP to get started: