OnCommand Unified Manager 9.5

Identity provider requirements

Contributors netapp-adityaw

When you configure Unified Manager to use an identity provider (IdP) for SAML authentication of all remote users, the IdP must be set up with a few specific settings or the connection to Unified Manager will fail.

You must enter the Unified Manager URI and metadata into the IdP server. You can copy this information from the Unified Manager SAML Authentication page. In Security Assertion Markup Language (SAML) terms, Unified Manager is the service provider (SP) and the IdP is the asserting party; the metadata you copy describes the SP to the IdP.

Supported encryption and signature algorithms

  • Advanced Encryption Standard (AES): AES-128 and AES-256 (assertion encryption)

  • Secure Hash Algorithm (SHA): SHA-1 and SHA-256 (signature digests)

  SHA-1 is accepted for compatibility only; it is deprecated for signatures in general, so configure the IdP to sign assertions with SHA-256 unless an older IdP forces otherwise.

Validated identity providers

  • Shibboleth

  • Active Directory Federation Services (ADFS)

ADFS configuration requirements

  • You must define the following three claim rules, in this order, on the relying party trust for Unified Manager. Unified Manager needs them to parse the SAML responses that ADFS returns for that trust. Each is a “Send LDAP Attributes as Claims” rule; the first column is the LDAP attribute, the second is the outgoing claim type.

    Claim rule                        Value
    SAM-account-name                  Name ID
    SAM-account-name                  urn:oid:0.9.2342.19200300.100.1.1
    Token groups — Unqualified Name   urn:oid:1.3.6.1.4.1.5923.1.5.1.1

  • You must set the authentication method to “Forms Authentication”; otherwise users may receive an error when logging out of Unified Manager from Internet Explorer. Follow these steps:

    1. Open the ADFS Management Console.

    2. Click on the Authentication Policies folder on the left tree view.

    3. Under Actions on the right, click Edit Global Primary Authentication Policy.

    4. Set the Intranet Authentication Method to “Forms Authentication” instead of the default “Windows Authentication”.

  • In some cases login through the IdP is rejected when the Unified Manager security certificate is CA-signed. There are two workarounds to resolve this issue:
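
The claim rules and the Forms Authentication setting from the ADFS requirements above, applied with the ADFS PowerShell module instead of the management console. This is an added example and not NetApp or Microsoft code: it assumes the relying party trust already exists under the display name "Unified Manager" (created from the SP metadata copied from the SAML Authentication page) and that it runs in an elevated session on the ADFS server. The rule names prefixed "UM 1"–"UM 3" are arbitrary; the claim type URIs and the OID values are the ones from the table.

```powershell
# Added example (not from the NetApp documentation): configure the ADFS side of the
# Unified Manager relying party trust with the three claim rules from the table, in
# the required order, then switch intranet authentication to Forms Authentication.
# Assumed: the trust "Unified Manager" already exists; run elevated on the ADFS server.

Import-Module ADFS

$rpName = 'Unified Manager'   # assumed display name of the relying party trust

# Claim type URIs ADFS uses for the incoming Windows account name and for Name ID.
$windowsAccountName = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$nameId             = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'

# Rule 1: SAM-account-name            -> Name ID
# Rule 2: SAM-account-name            -> urn:oid:0.9.2342.19200300.100.1.1 (uid)
# Rule 3: Token groups (unqualified)  -> urn:oid:1.3.6.1.4.1.5923.1.5.1.1 (isMemberOf)
# ADFS evaluates issuance transform rules top to bottom, so the order in this string
# is the order Unified Manager requires.
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UM 1 - SAM-account-name to Name ID"
c:[Type == "$windowsAccountName", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$nameId"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "UM 2 - SAM-account-name to uid"
c:[Type == "$windowsAccountName", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("urn:oid:0.9.2342.19200300.100.1.1"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "UM 3 - Token groups (unqualified) to isMemberOf"
c:[Type == "$windowsAccountName", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("urn:oid:1.3.6.1.4.1.5923.1.5.1.1"), query = ";tokenGroups;{0}", param = c.Value);
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Unified Manager accepts SHA-1 and SHA-256 signatures; pin the trust to SHA-256.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Same change as the "Edit Global Primary Authentication Policy" steps above:
# intranet clients authenticate with Forms Authentication instead of Windows Authentication.
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('FormsAuthentication')

# Read the configuration back to confirm rule order and the active intranet provider.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
(Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider
```

The script only sets issuance transform rules; it does not touch the trust's issuance authorization rules, which still have to permit the users (or groups) who should reach Unified Manager. Changing the global primary authentication policy affects every relying party on that ADFS farm, not just Unified Manager, so confirm that no other application depends on Windows Authentication for intranet users before applying it.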

Other configuration requirements

  • The Unified Manager clock skew tolerance is fixed at 5 minutes. If the clocks of the IdP server and the Unified Manager server differ by more than 5 minutes, authentication fails because the assertion's timestamps fall outside the accepted window. Synchronize both servers to the same NTP source.

  • When users attempt to access Unified Manager using Internet Explorer they might see the message “The website cannot display the page”. If this occurs, make sure these users uncheck the option “Show friendly HTTP error messages” in Tools > Internet Options > Advanced; the friendly page hides the actual HTTP error the server returned.
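
To make the 5-minute clock skew rule concrete, here is an added example (not NetApp code) that evaluates a SAML assertion's timestamps the way a service provider with a 5-minute tolerance does, so you can see at what offset an IdP whose clock runs ahead gets rejected. The assertion XML, the hostnames and the clock values are constructed for illustration. It assumes the SP checks IssueInstant against its own clock with the same tolerance it applies to the NotBefore/NotOnOrAfter window, as common SAML SP libraries do; the page does not document Unified Manager's exact check.

```powershell
# Added example (not from the NetApp documentation): apply a 5-minute skew tolerance to
# a SAML assertion's IssueInstant and Conditions window. Assertion and clocks are constructed.
# Assumption: IssueInstant is checked against the SP clock with the same tolerance.

$MaxSkew = [timespan]::FromMinutes(5)   # Unified Manager's fixed tolerance

function Test-SamlAssertionTiming {
    param(
        [Parameter(Mandatory)] [string]   $AssertionXml,   # raw <saml:Assertion> XML
        [Parameter(Mandatory)] [datetime] $SpNowUtc        # the SP's idea of "now" (UTC)
    )
    $xml = [xml]$AssertionXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $a = $xml.SelectSingleNode('/saml:Assertion', $ns)
    $c = $xml.SelectSingleNode('/saml:Assertion/saml:Conditions', $ns)

    # SAML timestamps are xs:dateTime in UTC ("...Z"); parse them as UTC.
    $parse = { param($s) [datetime]::Parse($s, [cultureinfo]::InvariantCulture,
                  [System.Globalization.DateTimeStyles]::AdjustToUniversal) }
    $issued       = & $parse $a.IssueInstant
    $notBefore    = & $parse $c.NotBefore
    $notOnOrAfter = & $parse $c.NotOnOrAfter

    $problems = @()

    # How far the IdP's clock (as stamped in IssueInstant) is from the SP's clock.
    $drift = $issued - $SpNowUtc
    if ([math]::Abs($drift.TotalSeconds) -gt $MaxSkew.TotalSeconds) {
        $problems += "IssueInstant is $([int]$drift.TotalSeconds)s from the SP clock (limit $($MaxSkew.TotalSeconds)s)"
    }

    # Validity window, widened by the tolerance on both ends (NotOnOrAfter is exclusive).
    if ($SpNowUtc -lt ($notBefore - $MaxSkew))    { $problems += 'assertion not yet valid (NotBefore)' }
    if ($SpNowUtc -ge ($notOnOrAfter + $MaxSkew)) { $problems += 'assertion expired (NotOnOrAfter)' }

    [pscustomobject]@{
        IdpClockOffsetSeconds = [int]$drift.TotalSeconds
        Accepted              = ($problems.Count -eq 0)
        Reasons               = $problems
    }
}

# Constructed assertion. ADFS stamps NotBefore = IssueInstant and, by default,
# NotOnOrAfter = IssueInstant + 60 minutes.
$assertion = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0"
                IssueInstant="2019-03-01T12:06:30Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2019-03-01T12:06:30Z" NotOnOrAfter="2019-03-01T13:06:30Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://um.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
'@

# IdP clock 4 minutes ahead of the SP: within tolerance, accepted.
Test-SamlAssertionTiming -AssertionXml $assertion `
    -SpNowUtc ([datetime]::new(2019, 3, 1, 12, 2, 30, [DateTimeKind]::Utc))

# IdP clock 6 minutes ahead of the SP: rejected on IssueInstant and on NotBefore.
Test-SamlAssertionTiming -AssertionXml $assertion `
    -SpNowUtc ([datetime]::new(2019, 3, 1, 12, 0, 30, [DateTimeKind]::Utc))
```

An IdP that runs behind the SP fails the same IssueInstant check at 6 minutes, while the NotBefore/NotOnOrAfter window alone would still pass it for most of the token lifetime; that asymmetry is why a pure "token expired" error is rarely what you see when skew is the cause. Fixing the NTP configuration on both servers resolves it; widening the tolerance is not an option in Unified Manager.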