Skip to main content
NetApp Console setup and administration

Federate with a SAML identity provider

Contributors netapp-tonias
PDFs

Federate with your SAML 2.0 IdP provider to enable single sign-on (SSO) for the NEtApp Console. This allows users to log in using their corporate credentials.

Required role

The Federation admin role is required to make create and manage federations. Federation viewer can view the Federation page. Learn more about access roles.

Note You can federate with your corporate IdP or with the NetApp Support Site. You can't federate with both.

NetApp supports service provider-initiated (SP-initiated) SSO only. You need to first configure the identity provider to trust NetApp as a service provider. Then, you can create a connection in the Console that uses the identity provider's configuration.

You can set up a federated connection with your SAML 2.0 provider to enable single sign-on (SSO) for the Console. The process involves configuring your provider to trust NetApp as a service provider and then creating the connection in the Console.

Before you begin

  • An IdP account with administrative privileges is required. Coordinate with your IdP administrator to complete the steps.

  • Identify the domain you want to use for federation. You can use your email domain or a different domain that you own. If you want to use a domain other than your email domain, you must first verify the domain in the Console. You can do this by following the steps in the Verify your domain in NetApp Console topic.

Steps

  1. Select Administration > Identity and access.

  2. Select Federation to view the Federations page.

  3. Select Configure new federation.

  4. Enter your domain details:

    1. Choose whether you want to use a verified domain or your email domain. The email domain is the domain associated with the account you are logged in with.

    2. Enter the name of the federation you are configuring.

    3. If you choose a verified domain, select the domain from the list.

  5. Select Next.

  6. For your connection method, choose Protocol and then select SAML Identity Provider.

  7. Select Next.

  8. Configure your SAML identity provider to trust NetApp as a service provider. You need to do this step on your SAML provider server.

    1. Ensure that your IdP has the attribute email set to the user's email address. This is required for the Console to identify users correctly:

      <saml:AttributeStatement xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
        <saml:AttributeValue xsi:type="xs:string">email@domain.com</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>

    2. Use the following values when registering your SAML application with the Console:

    3. After creating the trust, copy the following values from your SAML provider server:

      • Sign In URL

      • Sign Out URL (optional)

    4. Download the X.509 certificate from your SAML provider server. It needs to be in PEM, CER, or CRT format.

  9. Return to the Console, and select Next to create the connection.

  10. Create the connection with SAML.

    1. Enter the Sign In URL of your SAML server.

    2. Upload the X.509 certificate that you downloaded from your SAML provider server.

    3. Optionally, enter the Sign Out URL of your SAML server.

  11. Select Create connection. The system creates the connection in a few seconds.

  12. Select Next.

  13. Select Test connection to test your connection. You are directed to a login page for your IdP server. Log in with your IdP credentials to complete the test and return to the Console to enable the connection.

  14. Select Next.

  15. On the Enable federation page, review the federation details and then select Enable federation.

  16. Select Finish to complete the process.

After you enable the federation, users can log in to the NetApp Console using their corporate credentials.