topic Re: How to authenticate Netapp Ontap XML api with SAML authentication in ONTAP Discussions

How to authenticate Netapp Ontap XML api with SAML authentication

nyxtom — Wed, 04 Jun 2025 10:22:38 GMT

Hello,

Currently I've been using the Netapp Ontap < 9.x XML api by making simple HTTP Post requests with basic authentication to the servlet: /servlets/netapp.servlets.admin.XMLrequest like many of the docs and examples have shown.

Recently, one of our systems has enabled SAML authentication and as a result I am currently unable to make requests to the same api using the standard HTTP Post and passing along the user/pass in the headers like I was before. Usually I will get a redirect for these HTTP Post requests.

How would I go about implementing authentication on top of what I already have to get it working again?

Re: How to authenticate Netapp Ontap XML api with SAML authentication

GidonMarcus — Thu, 10 Jun 2021 22:19:26 GMT

You need to choose how a given user will authenticate (SMAL/password/domain/public key).

http://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-991/security__login__create.html

http://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-991/security__login__modify.html

Re: How to authenticate Netapp Ontap XML api with SAML authentication

nyxtom — Fri, 11 Jun 2021 14:37:17 GMT

Right I got that far, but I'm not exactly sure on the actual implementation if it's based on SAML. Are there any examples for this sort of thing?

Re: How to authenticate Netapp Ontap XML api with SAML authentication

GidonMarcus — Sun, 13 Jun 2021 22:32:39 GMT

Right. So I misunderstood your original question. The short answer - I believe you can't/shouldn't (just use a password/certificate).

SAML is essentially a signed token that the IDP give the user agent to pass onto the SP (ONTAP).

*taken from Wikipedia.

If your IDP happy to give the token to your script - which will still likely require you to authenticate to the IDP (with a password)?, and your script module can process the JS script the IDP returns to redirect you into the ONTAP login and ONTAP accepts it, that all might work...

But I think none of these will happen. The IDP will not authenticate a non-browser, the script module will not process the JS, and the NetApp login will not accept SAML token on the ZAPI site.