security saml-sp create
Configure SAML service provider for authentication
Availability: This command is available to cluster administrators at the admin privilege level.
Description
The security saml-sp create
command configures ONTAP with Security Assertion Markup Language (SAML) Service Provider (SP) for single sign-on authentication. This command does not enable SAML SP, it just configures it. Configuring and enabling SAML SP is a two-step process:
-
Create a SAML SP configuration using
security saml-sp create
command. -
Enable SAML SP by using security saml-sp modify`-is-enabled
`true
After the SAML SP configuration is created, it cannot be modified. It must be deleted and created again to change any settings.
This restarts the web server. Any HTTP/S connections that are active will be disrupted. |
Parameters
-idp-uri {scheme://(hostname|IPv4 Address|'['IPv6 Address']')…}
- Identity Provider (IdP) Metadata Location-
This is the URI of the desired identity provider's (IdP) metadata.
[-sp-host <Remote InetAddress>]
- SAML Service Provider Host-
This specifies the SAML service provider host IP address.
- {
-cert-ca <text>
- Server Certificate Issuing CA -
This specifies the service provider's certificate issuing CA.
-cert-serial <text>
- Server Certificate Serial Number-
This specifies the service provider's certificate's serial number.
- |
[-cert-common-name <FQDN or Custom Common Name>]
- Server Certificate Common Name } -
This specifies the service provider certificate's common name.
[-verify-metadata-server {true|false}]
- Verify IdP Metadata Server Identity-
When the IdP metadata is downloaded, the identity of the server hosting the metadata is verified using Transport Layer Security (TLS), validating the server's X.509 certificate against the list of certificate authorities (CAs) in ONTAP, and verifying that the host in the server certificate matches the host in the URI (the
idp-uri
field). This verification can be bypassed by setting this field tofalse
. Bypassing the server verification is not recommended as the server can not be trusted that way, but will be necessary to use non-TLS URIs, e.g. with the "http" scheme, or when the server certificates are self-signed. If the server's certificate was signed by a CA that is not installed in ONTAP, the security certificate install -type server-ca command can be used to install it. [-foreground {true|false}]
- Foreground Process-
When this parameter is set to
false
the command runs in the background as a job. The default istrue
, which causes the command to return after the operation completes.
Examples
The following example configures ONTAP with SAML SP IdP information:
cluster1::> security saml-sp create -idp-uri http://public-idp-uri -sp-host 1.1.1.1 [Job 9] Job succeeded. cluster1::>