SnapCenter Software 5.0

Manage multi-factor authentication (MFA) using Rest API, PowerShell, and SCCLI

Contributors netapp-nsriram

MFA login is supported from browser, REST API, PowerShell, and SCCLI. MFA is supported through an AD FS identity manager. You can enable MFA, disable MFA, and configure MFA from GUI, REST API, PowerShell, and SCCLI.

Set up AD FS as an OAuth/OIDC provider

Configure AD FS using Windows GUI wizard

  1. Navigate to Server Manager Dashboard > Tools > ADFS Management.

  2. Navigate to ADFS > Application Groups.

    1. Right-click on Application Groups.

    2. Select Add Application group and enter Application Name.

    3. Select Server Application.

    4. Click Next.

  3. Copy the Client Identifier.

    1. This is the Client ID.

    2. Add the Callback URL (SnapCenter Server URL) in Redirect URL.

    3. Click Next.

  4. Select Generate shared secret.

    1. Copy the secret value. This is the client secret.

    2. Click Next.

  5. On the Summary page, click Next.

    1. On the Complete page, click Close.

  6. Right-click on the newly added Application Group and select Properties.

  7. Select Add application from App Properties.

  8. Click Add application.

    Select Web API and click Next.

  9. On the Configure Web API page, enter the SnapCenter Server URL and Client Identifier created in the previous step into the Identifier section.

    1. Click Add.

    2. Click Next.

  10. On the Choose Access Control Policy page, select the access control policy that matches your requirement (for example, Permit everyone and require MFA) and click Next.

  11. On the Configure Application Permission page, openid is selected as the scope by default; click Next.

  12. On the Summary page, click Next.

    On the Complete page, click Close.

  13. On the Sample Application Properties page, click OK.

  14. AD FS, acting as the authorization server, issues a JWT that is intended to be consumed by the resource (the Web API).

    The 'aud' (audience) claim of this token must match the identifier of the resource or Web API.

  15. Edit the selected Web API and check that the Callback URL (SnapCenter Server URL) and the client identifier were added correctly.

    Next, configure OpenID Connect to provide the username as a claim.

  16. Open the AD FS Management tool located under the Tools menu at the top right of the Server Manager.

    1. Select the Application Groups folder from the left sidebar.

    2. Select the Web API and click EDIT.

    3. Go to the Issuance Transform Rules tab.

  17. Click Add Rule.

    1. Select the Send LDAP Attributes as Claims in the Claim rule template dropdown.

    2. Click Next.

  18. Enter the Claim rule name.

    1. Select Active Directory in the Attribute store dropdown.

    2. Select User-Principal-Name in the LDAP Attribute dropdown and UPN in the Outgoing Claim Type dropdown.

    3. Click Finish.

Create Application Group using PowerShell commands

You can create the application group and web API, and add the scope and claims, using PowerShell commands. These commands are also available as an automated script. For more information, see <link to KB article>.

  1. Create the new Application Group in AD FS by using the following command.

    New-AdfsApplicationGroup -Name $ClientRoleIdentifier -ApplicationGroupIdentifier $ClientRoleIdentifier

    $ClientRoleIdentifier: the name of your application group

    $redirectURL: a valid URL for redirection after authorization

  2. Create the AD FS Server Application and generate the client secret. The identifier is a new GUID that is reused for the Web API, and the command output is kept in $ADFSApp so that the secret can be read in step 4.

    $identifier = (New-Guid).Guid

    $ADFSApp = Add-AdfsServerApplication -Name "$ClientRoleIdentifier - Server app" -ApplicationGroupIdentifier $ClientRoleIdentifier -RedirectUri $redirectURL -Identifier $identifier -GenerateClientSecret

  3. Create the AD FS Web API application and configure the access control policy it should use.

    Add-AdfsWebApiApplication -ApplicationGroupIdentifier $ClientRoleIdentifier -Name "App Web API" -Identifier $identifier -AccessControlPolicyName "Permit everyone"

  4. Record the client ID and client secret from the output of the following commands, because the client secret is shown only once.

    "client_id = $identifier"

    "client_secret = $($ADFSApp.ClientSecret)"

  5. Grant the AD FS Application the allatclaims and openid permissions, and define the issuance transform rule that sends the user principal name as the UPN claim.

    Grant-AdfsApplicationPermission -ClientRoleIdentifier $identifier -ServerRoleIdentifier $identifier -ScopeNames @('openid')

    $transformrule = @"
    @RuleTemplate = "LdapClaims"
    @RuleName = "AD User properties and Groups"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
    "@

  6. Write out the transform rules file and get a file object that points to it.

    $transformrule | Out-File -FilePath .\issueancetransformrules.tmp -Force -Encoding ascii

    $relativePath = Get-Item .\issueancetransformrules.tmp

  7. Name the Web API Application and define its Issuance Transform Rules using the external file.

    Set-AdfsWebApiApplication -Name "$ClientRoleIdentifier - Web API" -TargetIdentifier $identifier -Identifier $identifier,$redirectURL -IssuanceTransformRulesFile $relativePath

Update access token expiry time

You can update the access token expiry time using the PowerShell command.

About this task

  • An access token can be used only for a specific combination of user, client, and resource. Access tokens cannot be revoked and are valid until their expiry.

  • By default, the expiry time of an access token is 60 minutes. This default is sufficient in most deployments. Choose a value long enough that the token does not expire while business-critical jobs are still running.

Step

To update the access token expiry time for an application group Web API, run the following command on the AD FS server.

  Set-AdfsWebApiApplication -TokenLifetime 3600 -TargetName "<Web API>"

Get the bearer token from AD FS

Fill in the parameters listed below in any REST client (for example, Postman). The client prompts you for the user credentials, and you must then complete the second-factor authentication (something you have and something you are) to obtain the bearer token.

The validity of the bearer token is configurable on the AD FS server per application; the default validity period is 60 minutes.

Field                  Value
Grant type             Authorization Code
Callback URL           Enter your application's base URL if you do not have a callback URL.
Auth URL               [adfs-domain-name]/adfs/oauth2/authorize
Access token URL       [adfs-domain-name]/adfs/oauth2/token
Client ID              Enter the AD FS client ID
Client secret          Enter the AD FS client secret
Scope                  openid
Client Authentication  Send as Basic AUTH Header
Resource               In the Advanced Options tab, add the Resource field with the same value as the Callback URL; this value is returned as the "aud" claim in the JWT.
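The following added example (not part of the NetApp page or of SnapCenter) shows what the REST-client settings in the table above amount to on the wire, and the claim checks that step 14 implies for the resource: the authorization request, the token request with the client credentials in a Basic auth header, and a check that the token's "aud" matches the Web API identifier, that it has not expired, and that the UPN claim configured in steps 16 to 18 is present. The AD FS host, the SnapCenter URL and the sample token are constructed assumptions.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Assumed (not from the page): AD FS host, and the SnapCenter Server URL entered as the
# Web API identifier, which is therefore the expected 'aud' of the access token.
ADFS = "https://adfs.example.com"
RESOURCE = "https://snapcenter.example.com:8146"

def authorize_url(client_id, redirect_uri, state):
    """Browser step: AD FS prompts for the password and the second factor here."""
    q = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
         "scope": "openid", "resource": RESOURCE, "state": state}
    return f"{ADFS}/adfs/oauth2/authorize?{urlencode(q)}"

def token_request(client_id, client_secret, code, redirect_uri):
    """POST a REST client sends to the token endpoint: client credentials in a Basic
    auth header, and 'resource' set to the Web API identifier so 'aud' matches it."""
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "resource": RESOURCE}
    return {"url": f"{ADFS}/adfs/oauth2/token",
            "headers": {"Authorization": f"Basic {cred}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}

def make_sample_token(claims):
    """Constructed, unsigned JWT used only to exercise the checks offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

def check_access_token(jwt, expected_aud, now=None):
    """Claim checks a resource applies before honouring a bearer token. The signature
    is not verified here; it must also be checked against the AD FS signing keys."""
    payload = jwt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_aud:  # step 14: aud must equal the Web API identifier
        problems.append("aud mismatch")
    if claims.get("exp", 0) <= now:        # tokens cannot be revoked; expiry is the only limit
        problems.append("expired")
    if "upn" not in claims:                # the UPN claim added by the issuance transform rule
        problems.append("missing upn")
    return problems, claims

def token_lifetime_minutes(claims):
    """Lifetime as issued; compare with the AD FS TokenLifetime (60 minutes by default)."""
    return (claims["exp"] - claims["iat"]) // 60
```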