Ask The Experts

Highlighted

SAML and OnTap 9.4

This is on OnTap 9.4P3.  We attempted to configure SAML for OCSM, but it failed terribly.  We followed the steps in https://www.youtube.com/watch?v=7i6f3EzFY0s, created the two claims shown, and then received the error below when trying to login:

 

SAML Service Provider

Unknown or Unusable Identity Provider

The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.

Identity provider lookup failed at (https://cardinal.imsweb.com/sysmgr/SysMgr.html)

EntityID: http://adfs.omni.imsweb.com/adfs/services/trust

opensaml::saml2md::MetadataException: Unable to locate metadata for identity provider (http://adfs.omni.imsweb.com/adfs/services/trust)

 

 We contacted support and foundwere told that the third claim used for OCUM is also needed for OCSM (although it isn't discussed in that video for OCSM).  After adding that, we are now getting to a login prompt and then this error:

 

SAML Service Provider

Authorization Failed

Based on the information provided to this application about you, you are not authorized to access the resource at "/sysmgr/SysMgr.html"

 

The account we are trying to login with does have SAML defined as an authentication method.

Cardinal::> security login show

 

Vserver: Cardinal

                                                                 Second

User/Group                 Authentication                 Acct   Authentication

Name           Application Method        Role Name        Locked Method

-------------- ----------- ------------- ---------------- ------ --------------

omni\netapp   http        domain        admin            -      none

omni\netapp   http        saml          admin            -      none

omni\netapp   ontapi      domain        admin            -      none

omni\netapp   ontapi      saml          admin            -      none

omni\netapp   ssh         domain        admin            -      non

 

Vserver: cardinal-svm

                                                                 Second

User/Group                 Authentication                 Acct   Authentication

Name           Application Method        Role Name        Locked Method

-------------- ----------- ------------- ---------------- ------ --------------

OMNI\varonis   ontapi      domain        vsadmin          -      none

 

28 entries were displayed.

 

 

 

 

 

2 REPLIES

Re: SAML and OnTap 9.4

We had the same issue also, after adding all the claims we did some digging and found out the reason that it doesn't work is because the claim that is sent from ADFS is just the SAM-account-name without the domain prefix. So what we had to do was create security logins on the NetApp with just the username for the users who required access:

 

If you created a security login for just the individual user and removed the omni\ domain prefix I think it would provide access.

 

Vserver: ####################
Second
User/Group Authentication Acct Authentication
Name Application Method Role Name Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
sam.price http domain admin - none
sam.price http saml admin - none
sam.price ontapi domain admin - none
sam.price ontapi saml admin - none

 

 

I have a case open with NetApp to investigate further.

 

Cheers,

Sam

Re: SAML and OnTap 9.4

Once we deleted the existing accounts with the domain in front of the name and then created new accounts without the domain, that resolved it.  

 

We did find that the third claim (listed in the setup steps for OCUM but not in the video related to setup of OSCM) is not needed.

Forums