Set up multi-factor authentication
Multi-factor authentication (MFA) uses a third-party Identity Provider (IdP) via the Security Assertion Markup Language (SAML) to manage user sessions. MFA enables administrators to configure additional factors of authentication as required, such as password and text message, and password and email message.
You can use these basic steps via the Element API to set up your cluster to use multi-factor authentication.
Details of each API method can be found in the Element API Reference.
- Create a new third-party Identity Provider (IdP) configuration for the cluster by calling the following API method and passing the IdP metadata in JSON format:
  CreateIdpConfiguration
  The IdP metadata, in plain text format, is retrieved from the third-party IdP. This metadata needs to be validated to ensure that it is correctly escaped for JSON. There are numerous JSON formatter applications available that you can use, for example: https://freeformatter.com/json-escape.html.
- Retrieve the cluster metadata, via spMetadataUrl, to copy to the third-party IdP by calling the following API method:
  ListIdpConfigurations
  spMetadataUrl is a URL used to retrieve service provider metadata from the cluster for the IdP in order to establish a trust relationship.
- Configure SAML assertions on the third-party IdP to include the "NameID" attribute, which uniquely identifies a user for audit logging and is required for Single Logout to function properly.
- Create one or more cluster administrator user accounts authenticated by a third-party IdP for authorization by calling the following API method:
  AddIdpClusterAdmin
  The username for the IdP cluster administrator should match the SAML attribute Name/Value pair that the IdP releases for the users who are to be granted access, as shown in the following examples:
  - email=bob@company.com, where the IdP is configured to release an email address in the SAML attributes.
  - group=cluster-administrator, where the IdP is configured to release a group property whose members should all have access. Note that the SAML attribute Name/Value pairing is case-sensitive for security purposes.
- Enable MFA for the cluster by calling the following API method:
  EnableIdpAuthentication
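The following is an added example, not NetApp's code and not taken from the Element API Reference, that drives the four Element API calls in the procedure above as JSON-RPC requests and performs the JSON escaping of the IdP metadata locally with json.dumps (the same transformation the web formatter linked above performs). It assumes the Element API endpoint is https://<MVIP>/json-rpc/<version> with HTTP Basic authentication, and the parameter names idpName, idpMetadata, username, access, acceptEula and idpConfigurationID, as well as the idpConfigInfo result field, are my reading of the API reference rather than values stated on this page; verify them against the reference for your Element version. The sample ListIdpConfigurations response is constructed. Step 3 (adding NameID to the assertion) happens on the IdP and is not part of the script.

```python
"""Added example: Element API MFA setup as JSON-RPC calls (not NetApp code)."""
import base64
import json
import ssl
import urllib.request

ELEMENT_API_VERSION = "12.3"  # assumption: use the version your cluster exposes

# Constructed sample of a ListIdpConfigurations reply, not captured from a cluster.
SAMPLE_LIST_RESPONSE = {
    "id": 1,
    "result": {"idpConfigInfo": [  # field name is an assumption
        {"idpConfigurationID": "00000000-0000-0000-0000-000000000001",
         "idpName": "corp-idp", "enabled": False,
         "idpMetadata": "<EntityDescriptor .../>",
         "spMetadataUrl": "https://mvip.example.com/auth/ui/saml2/metadata"}]}}


def json_rpc(method, params, request_id=1):
    """Build one Element API JSON-RPC request body."""
    return {"method": method, "params": params, "id": request_id}


def metadata_json_escaped(idp_metadata_xml):
    """Escape the raw IdP metadata (XML text) as a JSON string literal; this is
    the check the page says the metadata must pass before it is sent."""
    return json.dumps(idp_metadata_xml)


def create_idp_configuration(idp_name, idp_metadata_xml):
    """Step 1: CreateIdpConfiguration. Serialising the whole request with
    json.dumps escapes the metadata, so the raw XML is passed in here."""
    return json_rpc("CreateIdpConfiguration",
                    {"idpName": idp_name, "idpMetadata": idp_metadata_xml})


def list_idp_configurations():
    """Step 2: ListIdpConfigurations; its result carries spMetadataUrl."""
    return json_rpc("ListIdpConfigurations", {})


def find_idp_config(list_response, idp_name):
    """Locate the named IdP in a ListIdpConfigurations reply so the caller can
    read spMetadataUrl (to hand to the IdP) and idpConfigurationID (for step 5)."""
    for cfg in list_response["result"]["idpConfigInfo"]:
        if cfg["idpName"] == idp_name:
            return cfg
    raise KeyError(f"no IdP configuration named {idp_name!r}")


def idp_admin_username(attribute, value):
    """Step 4: build the Name=Value username for AddIdpClusterAdmin. The pair is
    case-sensitive and must match what the IdP releases, so it is passed
    through unchanged and only checked for shape."""
    if not attribute or not value or "=" in attribute:
        raise ValueError("username must be one SAML attribute Name=Value pair")
    return f"{attribute}={value}"


def add_idp_cluster_admin(username, access=("administrator",)):
    return json_rpc("AddIdpClusterAdmin",
                    {"username": username, "access": list(access), "acceptEula": True})


def enable_idp_authentication(idp_configuration_id):
    """Step 5: EnableIdpAuthentication for the configuration created in step 1."""
    return json_rpc("EnableIdpAuthentication",
                    {"idpConfigurationID": idp_configuration_id})


def call_element_api(mvip, user, password, request, cafile=None):
    """POST one JSON-RPC request to the management VIP over HTTPS with the
    cluster certificate verified; raise on an API-level 'error' object."""
    url = f"https://{mvip}/json-rpc/{ELEMENT_API_VERSION}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(request).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(f"{request['method']} failed: {reply['error']}")
    return reply["result"]


def setup_mfa(mvip, user, password, idp_name, idp_metadata_xml, admin_username):
    """Run steps 1, 2, 4 and 5 in order and return the EnableIdpAuthentication result."""
    call_element_api(mvip, user, password,
                     create_idp_configuration(idp_name, idp_metadata_xml))
    listing = {"result": call_element_api(mvip, user, password, list_idp_configurations())}
    cfg = find_idp_config(listing, idp_name)
    print("copy this service provider metadata URL into the IdP:", cfg["spMetadataUrl"])
    call_element_api(mvip, user, password, add_idp_cluster_admin(admin_username))
    return call_element_api(mvip, user, password,
                            enable_idp_authentication(cfg["idpConfigurationID"]))


if __name__ == "__main__":
    # Offline usage: show the escaped metadata and the admin username for the page's example.
    print(metadata_json_escaped(SAMPLE_LIST_RESPONSE["result"]["idpConfigInfo"][0]["idpMetadata"]))
    print(idp_admin_username("email", "bob@company.com"))
```

Because the SP metadata URL and configuration ID are read back from ListIdpConfigurations rather than from the CreateIdpConfiguration reply, the script does not depend on the shape of that reply, and the same lookup can be reused later to confirm the configuration is enabled.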