Federate NetApp Console with Active Directory Federation Services (AD FS)
Federate your Active Directory Federation Services (AD FS) with the NetApp Console to enable single sign-on (SSO) for the NetApp Console. This allows users to log in to the Console using their corporate credentials.
The Federation admin role is required to create and manage federations. The Federation viewer role can view the Federation page. Learn more about access roles.
You can federate with your corporate IdP or with the NetApp Support Site. NetApp recommends choosing one or the other, but not both.
NetApp supports service provider-initiated (SP-initiated) SSO only. First, configure the identity provider to trust the NetApp Console as a service provider. Then, create a connection in the Console using your identity provider's configuration.
You can set up federation with your AD FS server to enable single sign-on (SSO) for NetApp Console. The process involves configuring your AD FS to trust the Console as a service provider and then creating the connection in the NetApp Console.
- An IdP account with administrative privileges is required. Coordinate with your IdP administrator to complete the steps.
- Identify the domain you want to use for federation. You can use your email domain or a different domain that you own. If you want to use a domain other than your email domain, you must first verify the domain in the Console. You can do this by following the steps in the Verify your domain in NetApp Console topic.
- Select Administration > Identity and access.
- Select Federation to view the Federations page.
- Select Configure new federation.
- Enter your domain details:
  - Choose whether you want to use a verified domain or your email domain. The email domain is the domain associated with the account you are logged in with.
  - Enter the name of the federation you are configuring.
  - If you choose a verified domain, select the domain from the list.
- Select Next.
- For your connection method, choose Protocol and then select Active Directory Federation Services (AD FS).
- Select Next.
- Create a Relying Party Trust in your AD FS server. You can use PowerShell or manually configure it on your AD FS server. Consult the AD FS documentation for details on how to create a relying party trust.
  - Create the trust with PowerShell using the following script:
    # Download the Auth0 AD FS helper script and load it into the current session
    (new-object Net.WebClient -property @{Encoding = [Text.Encoding]::UTF8}).DownloadString("https://raw.github.com/auth0/adfs-auth0/master/adfs.ps1") | iex
    # Register the NetApp Console as a relying party (identifier, then callback URL)
    AddRelyingParty "urn:auth0:netapp-cloud-account" "https://netapp-cloud-account.auth0.com/login/callback"
  - Alternatively, you can create the trust manually in the AD FS management console. Use the following NetApp Console values when creating the trust:
    - When creating the Relying Trust Identifier, use the YOUR_TENANT value:
      netapp-cloud-account
    - When you select Enable support for the WS-Federation, use the YOUR_AUTH0_DOMAIN value:
      netapp-cloud-account.auth0.com
  - After creating the trust, copy the metadata URL from your AD FS server or download the federation metadata file. You'll need this URL or file to complete the connection in the Console.
    NetApp recommends using the metadata URL to let the NetApp Console automatically retrieve the latest AD FS configuration. If you download the federation metadata file, you will need to update it manually in the NetApp Console whenever there are changes to your AD FS configuration.
- Return to the Console, and select Next to create the connection.
- Create the connection with AD FS.
  - Enter the AD FS URL that you copied from your AD FS server in the previous step or upload the federation metadata file that you downloaded from your AD FS server.
- Select Create connection. Creating the connection might take a few seconds.
- Select Next.
- Select Test connection to test your connection. You are directed to a login page for your IdP server. Log in with your IdP credentials to complete the test and return to the Console to enable the connection.
- Select Next.
- On the Enable federation page, review the federation details and then select Enable federation.
- Select Finish to complete the process.
After you enable the federation, users can log in to the NetApp Console using their corporate credentials.
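
An added example for the PowerShell option in the Relying Party Trust step above (not NetApp or Auth0 code): it saves the helper script to disk, runs it only if its SHA-256 matches a copy you have already reviewed, and then inspects the resulting trust. The local path and the `$ExpectedSha256` placeholder are assumptions, and the endpoint check assumes the trust's WS-Federation endpoint is the callback URL.

```powershell
# Added example, not NetApp or Auth0 code. Run in an elevated session on the AD FS server.
$ScriptUrl      = 'https://raw.github.com/auth0/adfs-auth0/master/adfs.ps1'
$ScriptPath     = Join-Path $env:TEMP 'adfs-auth0.ps1'                 # hypothetical local path
$ExpectedSha256 = '<SHA-256 you recorded after reviewing the script>'  # placeholder, fill in
$Identifier     = 'urn:auth0:netapp-cloud-account'
$CallbackUrl    = 'https://netapp-cloud-account.auth0.com/login/callback'

# Older Windows Server builds do not negotiate TLS 1.2 by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 1. Save the script to disk instead of piping the HTTP response straight into iex.
Invoke-WebRequest -Uri $ScriptUrl -OutFile $ScriptPath -UseBasicParsing

# 2. Refuse to run anything that differs from the copy that was reviewed.
$actual = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "adfs.ps1 hash $actual does not match the reviewed copy. Read $ScriptPath before running it."
}

# 3. Load the verified script (same effect as the '| iex' form) and create the trust.
Get-Content -LiteralPath $ScriptPath -Raw | Invoke-Expression
AddRelyingParty $Identifier $CallbackUrl

# 4. Confirm the trust exists and carries the values this page specifies.
$trust = Get-AdfsRelyingPartyTrust -Identifier $Identifier
if (-not $trust) {
    throw "No relying party trust found for $Identifier."
}
if (-not $trust.Enabled) {
    Write-Warning "Relying party trust $Identifier exists but is disabled."
}
# Assumption: the callback URL is configured as the WS-Federation endpoint.
if ("$($trust.WSFedEndpoint)" -ne $CallbackUrl) {
    Write-Warning "WS-Federation endpoint is '$($trust.WSFedEndpoint)', expected '$CallbackUrl'."
}

# Review the issuance rules to see which claims are released to the Console.
$trust | Format-List Name, Identifier, Enabled, WSFedEndpoint, IssuanceTransformRules
```

On the first run the hash check fails by design: read the saved file, then set `$ExpectedSha256` to the hash reported in the error and run again.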