What do I need to know before configuring and enabling SAML?

Contributors

Before configuring and enabling the Security Assertion Markup Language (SAML) capabilities for authentication, make sure you meet the following requirements and understand SAML restrictions.

Requirements

Before you begin, make sure that:

  • An Identity Provider (IdP) is configured in your network. An IdP is an external system used to request credentials from a user and determine if the user is successfully authenticated. Your security team is responsible for maintaining the IdP.

  • An IdP administrator has configured user attributes and groups in the IdP system.

  • An IdP administrator has ensured that the IdP supports the ability to return a Name ID on authentication.

  • An administrator has ensured that the IdP server and controller clocks are synchronized (either through an NTP server or by adjusting the controller clock settings).

  • An IdP metadata file is downloaded from the IdP system and available on the local system used for accessing System Manager.

  • You know the IP address or domain name of each controller in the storage array.

Restrictions

In addition to the requirements above, make sure you understand the following restrictions:

  • Once SAML is enabled, you cannot disable it through the user interface, nor can you edit the IdP settings. If you need to disable or edit the SAML configuration, contact Technical Support for assistance. We recommend that you test the SSO logins before you enable SAML in the final configuration step. (The system also performs an SSO login test before enabling SAML.)

  • If you disable SAML in the future, the system automatically restores the previous configuration (Local User Roles and/or Directory Services).

  • If Directory Services are currently configured for user authentication, SAML overrides that configuration.

  • When SAML is configured, the following clients cannot access storage array resources:

    • Enterprise Management Window (EMW)

    • Command-line interface (CLI)

    • Software Developer Kits (SDK) clients

    • In-band clients

    • HTTP Basic Authentication REST API clients

    • Login using standard REST API endpoint