security saml-sp create

Configure SAML service provider for authentication

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The security saml-sp create command configures ONTAP with a Security Assertion Markup Language (SAML) Service Provider (SP) for single sign-on authentication. This command does not enable SAML SP; it only configures it. Configuring and enabling SAML SP is a two-step process:

  • Create a SAML SP configuration using the security saml-sp create command.

  • Enable SAML SP by using the security saml-sp modify -is-enabled true command.

After the SAML SP configuration is created, it cannot be modified. It must be deleted and created again to change any settings.

Note This restarts the web server. Any HTTP/S connections that are active will be disrupted.

Parameters

-idp-uri {scheme://(hostname|IPv4 Address|'['IPv6 Address']')…} - Identity Provider (IdP) Metadata Location

This is the URI of the desired identity provider's (IdP) metadata.

[-sp-host <Remote InetAddress>] - SAML Service Provider Host

This specifies the SAML service provider host IP address.

{ -cert-ca <text> - Server Certificate Issuing CA

This specifies the service provider's certificate issuing CA.

-cert-serial <text> - Server Certificate Serial Number

This specifies the serial number of the service provider's certificate.

| [-cert-common-name <FQDN or Custom Common Name>] - Server Certificate Common Name }

This specifies the service provider certificate's common name.

[-verify-metadata-server {true|false}] - Verify IdP Metadata Server Identity

When the IdP metadata is downloaded, the identity of the server hosting the metadata is verified using transport layer security (TLS): the server's X.509 certificate is validated against the list of certificate authorities (CAs) in Data ONTAP, and the host in the server certificate is checked against the host in the URI (the idp-uri field). This verification can be bypassed by setting this field to false. Bypassing the server verification is not recommended, because the server cannot be trusted that way, but it is necessary in order to use non-TLS URIs (e.g. with the "http" scheme) or when the server certificate is self-signed. If the server's certificate was signed by a CA that is not installed in Data ONTAP, the security certificate install -type server-ca command can be used to install it.
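As an added illustration (not ONTAP's implementation and not code from this page), the following Python model shows the host-matching half of the metadata server identity check described above: it parses an -idp-uri value of the forms the syntax allows (hostname, IPv4 address, bracketed IPv6 address), decides whether TLS verification is possible for the URI scheme at all, and matches the URI host against the identities in the server's certificate. The certificate contents, host names and outcome strings are constructed for the example; chain validation against the installed CA list is the other half of the check and is not modelled.

```python
# Added illustrative example (not ONTAP code): the host-matching half of the
# -verify-metadata-server check. Chain validation against the installed CA
# list is not modelled here.
import ipaddress
from urllib.parse import urlsplit


def parse_idp_uri(uri: str):
    """Return (scheme, host) for an -idp-uri value.
    The host may be a hostname, an IPv4 address or a '['IPv6 address']' literal;
    urlsplit() strips the IPv6 brackets and lower-cases the host."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or incomplete IdP URI: {uri!r}")
    return parts.scheme, parts.hostname


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name from the certificate against the URI host.
    A wildcard is accepted only as the entire leftmost label and only when at
    least two labels follow it (so '*.test' never matches anything)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels, h_labels = pattern.split("."), host.split(".")
        return (len(p_labels) >= 3 and len(p_labels) == len(h_labels)
                and p_labels[1:] == h_labels[1:])
    return False


def cert_matches_host(cert: dict, host: str) -> bool:
    """cert uses the shape of ssl.SSLSocket.getpeercert(): a 'subjectAltName'
    tuple of (kind, value) pairs and a 'subject' tuple of RDNs.
    An IP-literal host must match an 'IP Address' SAN; a DNS host matches
    'DNS' SANs, falling back to the subject CN only when no DNS SAN exists."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if not dns_names:
        dns_names = [val for rdn in cert.get("subject", ())
                     for key, val in rdn if key == "commonName"]
    return any(_dns_name_matches(name, host) for name in dns_names)


def check_metadata_server(uri: str, cert: dict, verify_metadata_server: bool = True) -> str:
    """Outcome of the server-identity step for a given -verify-metadata-server
    setting: 'skipped' (verification bypassed), 'no-tls' (http URI, so there is
    nothing to verify and create would need the bypass), 'ok' or 'mismatch'."""
    scheme, host = parse_idp_uri(uri)
    if not verify_metadata_server:
        return "skipped"
    if scheme != "https":
        return "no-tls"
    return "ok" if cert_matches_host(cert, host) else "mismatch"


# Constructed sample certificate identity for a fictitious IdP (not a real server).
IDP_CERT = {
    "subject": ((("commonName", "idp.example.test"),),),
    "subjectAltName": (
        ("DNS", "idp.example.test"),
        ("DNS", "*.sso.example.test"),
        ("IP Address", "2001:db8::10"),
    ),
}

if __name__ == "__main__":
    for uri in ("https://idp.example.test/metadata",
                "https://login.sso.example.test/saml/metadata",
                "https://[2001:db8::10]/metadata",
                "https://other.example.test/metadata",
                "http://public-idp-uri"):
        print(uri, "->", check_metadata_server(uri, IDP_CERT))
```

The "no-tls" outcome is the case the parameter description calls out: with an http scheme there is no server certificate to validate, so the only way to proceed is the bypass, which leaves the downloaded metadata (and therefore the IdP signing keys it carries) unauthenticated.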

[-foreground {true|false}] - Foreground Process

When this parameter is set to false, the command runs in the background as a job. The default is true, which causes the command to return only after the operation completes.

Examples

The following example configures ONTAP with SAML SP IdP information:

cluster1::> security saml-sp create -idp-uri http://public-idp-uri -sp-host 1.1.1.1
[Job 9] Job succeeded.
cluster1::>