Set up multi-factor authentication

Contributors: amgrissino, netapp-mwallis, ntap-bmegan

You can use the following basic steps in the Element API to set up your cluster to use multi-factor authentication (MFA) through a third-party SAML identity provider.

Details of each API method can be found in the Element API Reference.

  1. Create a new third-party Identity Provider (IdP) configuration for the cluster by calling the following API method and passing the IdP metadata as a string parameter inside the JSON request: CreateIdpConfiguration

    The IdP metadata is an XML document, retrieved in plain text from the third-party IdP. Because it is embedded as a string value in the JSON request body, it must be JSON-escaped (double quotes, backslashes and line breaks) so that the request remains valid JSON; a request that fails with a parse error at this step almost always means the metadata was pasted in unescaped. There are numerous JSON escaping tools available that you can use, for example: https://freeformatter.com/json-escape.html. The metadata contains the IdP's public signing certificate and endpoints but no secrets; if your policy forbids pasting it into a public web tool, any local JSON library will perform the same escaping.

  2. Retrieve cluster metadata, via spMetadataUrl, to copy to the third-party IdP by calling the following API method: ListIdpConfigurations

    spMetadataUrl is the URL from which the cluster's service provider (SP) metadata is retrieved for the IdP, so that the IdP can establish the trust relationship with the cluster. Either point the IdP at this URL or download the metadata from it and copy the document into the IdP.

  3. Configure SAML assertions on the third-party IdP to include the “NameID” element. NameID uniquely identifies the user; it is required for audit logging to record who acted, and for Single Logout to function properly.

  4. Create one or more cluster administrator accounts that are authenticated by the third-party IdP and authorized on the cluster by calling the following API method: AddIdpClusterAdmin

    The username for the IdP cluster administrator takes the form Name=Value and must match a SAML attribute that the IdP releases in its assertions, as shown in the following examples:
    • email=bob@company.com: the IdP is configured to release an email address in the SAML attributes, and this account applies to that one user.

    • group=cluster-administrator: the IdP is configured to release a group attribute, and every user the IdP places in that group receives this account's access, so membership of the group must be controlled as tightly as the cluster administrator role itself. Note that the SAML attribute Name/Value pairing is case-sensitive for security purposes: email=Bob@company.com does not match an assertion that carries bob@company.com.

  5. Enable MFA for the cluster by calling the following API method: EnableIdpAuthentication
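The following Python script is an added example, not NetApp code and not taken from the Element API documentation. It assembles the JSON-RPC request bodies for the five steps above and checks the two inputs they depend on: that the IdP's XML metadata passes into the CreateIdpConfiguration request correctly escaped and decodes back intact (step 1), and that an IdP cluster admin username matches released SAML attributes case-sensitively in the way step 4 describes. The parameter names idpName, idpMetadata, username, access, acceptEula and idpConfigurationID, and the layout of the ListIdpConfigurations response, are assumptions from the author's reading of the Element API Reference and must be verified against your cluster's version. The sample metadata and the sample response are constructed, and idp_admin_matches models the matching rule the page states rather than reproducing the cluster's own implementation.

```python
"""Assemble Element API JSON-RPC bodies for the MFA setup steps and sanity-check
their inputs. Added example; parameter names and response layout are assumed
from the Element API Reference, not confirmed against a cluster."""
import json
import xml.etree.ElementTree as ET

# Constructed sample: a minimal SAML 2.0 IdP metadata document, not from a real IdP.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample ListIdpConfigurations response (layout assumed: result.idpConfigInfo is a list).
SAMPLE_LIST_RESPONSE = {
    "id": 1,
    "result": {
        "idpConfigInfo": [
            {
                "idpName": "corp-idp",
                "enabled": False,
                "spMetadataUrl": "https://cluster.example.com/auth/ui/saml2/metadata",
            }
        ]
    },
}


def rpc_body(method: str, params: dict) -> str:
    """Serialise one Element API JSON-RPC request body. json.dumps escapes every
    string value, including the XML metadata, so no hand editing of quotes or
    line breaks is needed."""
    return json.dumps({"method": method, "params": params, "id": 1})


def create_idp_configuration(idp_name: str, idp_metadata_xml: str) -> str:
    """Step 1. Rejects metadata that is not well-formed XML before escaping it,
    so a truncated or mangled download is caught locally, not by the cluster."""
    ET.fromstring(idp_metadata_xml)  # raises ParseError on damaged metadata
    return rpc_body("CreateIdpConfiguration",
                    {"idpName": idp_name, "idpMetadata": idp_metadata_xml})


def sp_metadata_url(list_response: dict, idp_name: str) -> str:
    """Step 2. Pull spMetadataUrl for one IdP out of a ListIdpConfigurations result."""
    for cfg in list_response["result"]["idpConfigInfo"]:
        if cfg["idpName"] == idp_name:
            return cfg["spMetadataUrl"]
    raise KeyError("no IdP configuration named %r" % idp_name)


def idp_admin_matches(username: str, released_attributes: dict) -> bool:
    """Step 4 (model of the page's rule, not the cluster's code). The IdP cluster
    admin username is a Name=Value pair that must equal, case-sensitively, one of
    the values the IdP released under that attribute name in the assertion.
    released_attributes maps attribute name -> list of released values."""
    name, sep, value = username.partition("=")
    if not sep:
        raise ValueError("username must be of the form Name=Value")
    return value in released_attributes.get(name, [])


def add_idp_cluster_admin(username: str, access: list) -> str:
    """Step 4 request body (access values such as 'administrator' are assumed)."""
    return rpc_body("AddIdpClusterAdmin",
                    {"username": username, "access": access, "acceptEula": True})


def enable_idp_authentication(idp_configuration_id: str) -> str:
    """Step 5 request body."""
    return rpc_body("EnableIdpAuthentication",
                    {"idpConfigurationID": idp_configuration_id})


if __name__ == "__main__":
    body = create_idp_configuration("corp-idp", SAMPLE_IDP_METADATA)
    # The escaped string decodes back to exactly the XML that was downloaded.
    assert json.loads(body)["params"]["idpMetadata"] == SAMPLE_IDP_METADATA
    print("SP metadata URL for the IdP:", sp_metadata_url(SAMPLE_LIST_RESPONSE, "corp-idp"))
    released = {"email": ["bob@company.com"], "group": ["cluster-administrator"]}
    for candidate in ("email=bob@company.com", "Email=bob@company.com", "group=cluster-administrator"):
        print(candidate, "->", idp_admin_matches(candidate, released))
    print(add_idp_cluster_admin("group=cluster-administrator", ["administrator"]))
    print(enable_idp_authentication("11111111-2222-3333-4444-555555555555"))
```

Send each body with an HTTPS POST to the cluster's JSON-RPC endpoint using an existing cluster administrator credential; the script deliberately builds and checks the requests offline so that escaping and attribute-mapping mistakes surface before anything is changed on the cluster.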