https://community.netapp.com/t5/ONTAP-Discussions/2FA-MFA-MAV-securities-and-AIQ-WFA-accounts/m-p/441330#M41718 <P>Hello,</P><P>&nbsp;</P><P>Just a little question, in case I missed something...</P><P>&nbsp;</P><P>We are securing our admin accesses to Netapp Clusters using 2FA (password + sshKey) and thinking about deploying MAV (Multi Admin Validation) !</P><P>&nbsp;</P><P>But how to handle admin accounts used by ActiveIQ and WorflowAutomation ? AFAIK there is no way to restrict the IP address used by a specific login ?!</P><P>&nbsp;</P><P>Regards,</P><P>GS.</P> Wed, 04 Jun 2025 09:53:19 GMT StockageUGA 2025-06-04T09:53:19Z https://community.netapp.com/t5/ONTAP-Discussions/2FA-MFA-MAV-securities-and-AIQ-WFA-accounts/m-p/441330#M41718 <P>Hello,</P><P>&nbsp;</P><P>Just a little question, in case I missed something...</P><P>&nbsp;</P><P>We are securing our admin accesses to Netapp Clusters using 2FA (password + sshKey) and thinking about deploying MAV (Multi Admin Validation) !</P><P>&nbsp;</P><P>But how to handle admin accounts used by ActiveIQ and WorflowAutomation ? AFAIK there is no way to restrict the IP address used by a specific login ?!</P><P>&nbsp;</P><P>Regards,</P><P>GS.</P> Wed, 04 Jun 2025 09:53:19 GMT https://community.netapp.com/t5/ONTAP-Discussions/2FA-MFA-MAV-securities-and-AIQ-WFA-accounts/m-p/441330#M41718 StockageUGA 2025-06-04T09:53:19Z https://community.netapp.com/t5/ONTAP-Discussions/2FA-MFA-MAV-securities-and-AIQ-WFA-accounts/m-p/441331#M41719 <P>Please check the following pdf.</P><P>&nbsp;</P><P>Enabling SAML authentication for System Manager &amp; Active IQ Unified Manager:<BR /><A href="https://www.netapp.com/pdf.html?item=/media/17055-tr4647.pdf" target="_blank">https://www.netapp.com/pdf.html?item=/media/17055-tr4647.pdf</A></P><P><BR /><A href="https://docs.netapp.com/us-en/ontap/task_security_mfa_setup.html#enable-saml-authentication" target="_blank">https://docs.netapp.com/us-en/ontap/task_security_mfa_setup.html#enable-saml-authentication</A></P><P>&nbsp;</P> Tue, 31 Jan 2023 11:29:41 GMT https://community.netapp.com/t5/ONTAP-Discussions/2FA-MFA-MAV-securities-and-AIQ-WFA-accounts/m-p/441331#M41719 Ontapforrum 2023-01-31T11:29:41Z https://community.netapp.com/t5/ONTAP-Discussions/2FA-MFA-MAV-securities-and-AIQ-WFA-accounts/m-p/441333#M41720 <P>Hello,</P><P>&nbsp;</P><P>Thanks, but the PDF is not completely answering my question.</P><P>&nbsp;</P><P>eg: Netapp Workflow Automation needs privileged credentials on clusters to create volumes/vservers etc... It seems that It only supports Login/Password based credentials.</P><P>&nbsp;</P><P>eg2: Netapp Active IQ Unified Manager needs admin credentials on clusters to interact with them.</P><P>&nbsp;</P><P>So you have to keep an admin account on your cluster only protected by (strong) password !</P><P>&nbsp;</P><P>In TR4647, there is a note about it page 53</P><P>&nbsp;</P><P>After SAML authentication is configured for the http and ontapi applications, the password<BR />authentication method does not need to be configured. They remain configured for administrator<BR />accounts to enable external supportability tools to continue administrator access with single-factor<BR />user ID/password authentication. If no such tools require user ID/password access, delete all<BR />password authentication methods for all administrator accounts for http and ontapi<BR />applications to provide the most secure administrative access environment.</P><P>&nbsp;</P><P>Regards,</P><P>GS</P> Tue, 31 Jan 2023 13:37:48 GMT https://community.netapp.com/t5/ONTAP-Discussions/2FA-MFA-MAV-securities-and-AIQ-WFA-accounts/m-p/441333#M41720 StockageUGA 2023-01-31T13:37:48Z