Release notes
Configure SAML authentication
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Collection of separate PDF docs
Creating your file...
Beginning with ONTAP 9.3, you can configure Security Assertion Markup Language (SAML) authentication for web services. When SAML authentication is configured and enabled, users are authenticated by an external Identity Provider (IdP) instead of the directory service providers such as Active Directory and LDAP. When SAML authentication is disabled, the configured directory service providers such as Active Directory and LDAP are used for authentication
Enable SAML authentication
To enable SAML authentication with System Manager or with the CLI, perform the following steps. If your cluster is running ONTAP 9.7 or earlier, the System Manager steps you need to follow are different. Refer to the System Manager online help available on your system.
|
After you enable SAML authentication, only remote users can access the System Manager GUI. Local users cannot access the System Manager GUI after SAML authentication is enabled. |
-
The IdP that you plan to use for remote authentication must be configured.
See the documentation that is provided by the IdP that you have configured.
-
You must have the URI of the IdP.
-
SAML authentication applies only to the
httpandontapiapplications.The
httpandontapiapplications are used by the following web services: Service Processor Infrastructure, ONTAP APIs, or System Manager. -
SAML authentication is applicable only for accessing the admin SVM.
The following IdPs have been validated with System Manager:
-
Active Directory Federation Services
-
Cisco DUO (validated with the following ONTAP versions:)
-
9.7P21 and later 9.7 releases (refer to the System Manager Classic documentation)
-
9.8P17 and later 9.8 releases
-
9.9.1P13 and later 9.9 releases
-
9.10.1P9 and later 9.10 releases
-
9.11.1P4 and later 9.11 releases
-
9.12.1 and later releases
-
-
Shibboleth
Perform the following steps depending on your environment:
-
Click Cluster > Settings.
-
Next to SAML Authentication, click
. -
Ensure there is a check in the Enable SAML Authentication checkbox.
-
Enter the URL of the IdP URI (including "https://").
-
Modify the host system address, if needed.
-
Ensure the correct certificate is being used:
-
If your system was mapped with only one certificate with type "server", then that certificate is considered the default and it isn't displayed.
-
If your system was mapped with multiple certificates as type "server", then one of the certificates is displayed. To select a different certificate, click Change.
-
-
Click Save. A confirmation window displays the metadata information, which has been automatically copied to your clipboard.
-
Go to the IdP system you specified and copy the metadata from your clipboard to update the system metadata.
-
Return to the confirmation window (in System Manager) and check the checkbox I have configured the IdP with the host URI or metadata.
-
Click Logout to enable SAML-based authentication. The IdP system will display an authentication screen.
-
In the IdP system, enter your SAML-based credentials. After your credentials are verified, you will be directed to the System Manager home page.
-
Create a SAML configuration so that ONTAP can access the IdP metadata:
security saml-sp create -idp-uri <idp_uri> -sp-host <ontap_host_name>idp_uriis the FTP or HTTP address of the IdP host from where the IdP metadata can be downloaded.ontap_host_nameis the host name or IP address of the SAML service provider host, which in this case is the ONTAP system. By default, the IP address of the cluster-management LIF is used.You can optionally provide the ONTAP server certificate information. By default, the ONTAP web server certificate information is used.
cluster_12::> security saml-sp create -idp-uri https://example.url.net/idp/shibboleth Warning: This restarts the web server. Any HTTP/S connections that are active will be disrupted. Do you want to continue? {y|n}: y [Job 179] Job succeeded: Access the SAML SP metadata using the URL: https://10.0.0.1/saml-sp/Metadata Configure the IdP and Data ONTAP users for the same directory server domain to ensure that users are the same for different authentication methods. See the "security login show" command for the Data ONTAP user configuration.The URL to access the ONTAP host metadata is displayed.
-
From the IdP host, configure the IdP with the ONTAP host metadata.
For more information about configuring the IdP, see the IdP documentation.
-
Enable SAML configuration:
security saml-sp modify -is-enabled trueAny existing user that accesses the
httporontapiapplication is automatically configured for SAML authentication. -
If you want to create users for the
httporontapiapplication after SAML is configured, specify SAML as the authentication method for the new users.-
Create a login method for new users with SAML authentication:
The user_namevalue is case-sensitive. Include only the user name, and do not include any portion of the domain.security login create -user-or-group-name <user_name> -application [http | ontapi] -authentication-method saml -vserver <svm_name>Example:
cluster_12::> security login create -user-or-group-name admin1 -application http -authentication-method saml -vserver cluster_12
-
Verify that the user entry is created:
security login showExample:
cluster_12::> security login show Vserver: cluster_12 Second User/Group Authentication Acct Authentication Name Application Method Role Name Locked Method -------------- ----------- ------------- ---------------- ------ -------------- admin console password admin no none admin http password admin no none admin http saml admin - none admin ontapi password admin no none admin ontapi saml admin - none admin service-processor password admin no none admin ssh password admin no none admin1 http password backup no none admin1 http saml backup - none
-
Disable SAML authentication
You can disable SAML authentication when you want to stop authenticating web users by using an external Identity Provider (IdP). When SAML authentication is disabled, the configured directory service providers such as Active Directory and LDAP are used for authentication.
Perform the following steps depending on your environment:
-
Click Cluster > Settings.
-
Under SAML Authentication, click the Enabled toggle button.
-
Optional: You can also click
next to SAML Authentication, and then uncheck the Enable SAML Authentication checkbox.
-
Disable SAML authentication:
security saml-sp modify -is-enabled false -
If you no longer want to use SAML authentication or if you want to modify the IdP, delete the SAML configuration:
security saml-sp delete
Troubleshoot issues with SAML configuration
If configuring Security Assertion Markup Language (SAML) authentication fails, you can manually repair each node on which the SAML configuration failed and recover from the failure. During the repair process, the web server is restarted and any active HTTP connections or HTTPS connections are disrupted.
When you configure SAML authentication, ONTAP applies SAML configuration on a per-node basis. When you enable SAML authentication, ONTAP automatically tries to repair each node if there are configuration issues. If there are issues with SAML configuration on any node, you can disable SAML authentication and then reenable SAML authentication. There can be situations when SAML configuration fails to apply on one or more nodes even after you reenable SAML authentication. You can identify the node on which SAML configuration has failed and then manually repair that node.
-
Log in to the advanced privilege level:
set -privilege advanced -
Identify the node on which SAML configuration failed:
security saml-sp status show -instanceExample:
cluster_12::*> security saml-sp status show -instance Node: node1 Update Status: config-success Database Epoch: 9 Database Transaction Count: 997 Error Text: SAML Service Provider Enabled: false ID of SAML Config Job: 179 Node: node2 Update Status: config-failed Database Epoch: 9 Database Transaction Count: 997 Error Text: SAML job failed, Reason: Internal error. Failed to receive the SAML IDP Metadata file. SAML Service Provider Enabled: false ID of SAML Config Job: 180 2 entries were displayed. -
Repair the SAML configuration on the failed node:
security saml-sp repair -node <node_name>Example:
cluster_12::*> security saml-sp repair -node node2 Warning: This restarts the web server. Any HTTP/S connections that are active will be disrupted. Do you want to continue? {y|n}: y [Job 181] Job is running. [Job 181] Job success.The web server is restarted and any active HTTP connections or HTTPS connections are disrupted.
-
Verify that SAML is successfully configured on all of the nodes:
security saml-sp status show -instanceExample:
cluster_12::*> security saml-sp status show -instance Node: node1 Update Status: config-success Database Epoch: 9 Database Transaction Count: 997 Error Text: SAML Service Provider Enabled: false ID of SAML Config Job: 179 Node: node2 Update Status: config-success Database Epoch: 9 Database Transaction Count: 997 Error Text: SAML Service Provider Enabled: false ID of SAML Config Job: 180 2 entries were displayed.
