Ask The Experts

Highlighted

SAML and OnTap 9.4

This is on OnTap 9.4P3.  We attempted to configure SAML for OCSM, but it failed terribly.  We followed the steps in https://www.youtube.com/watch?v=7i6f3EzFY0s, created the two claims shown, and then received the error below when trying to login:

 

SAML Service Provider

Unknown or Unusable Identity Provider

The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.

Identity provider lookup failed at (https://cardinal.imsweb.com/sysmgr/SysMgr.html)

EntityID: http://adfs.omni.imsweb.com/adfs/services/trust

opensaml::saml2md::MetadataException: Unable to locate metadata for identity provider (http://adfs.omni.imsweb.com/adfs/services/trust)

 

 We contacted support and foundwere told that the third claim used for OCUM is also needed for OCSM (although it isn't discussed in that video for OCSM).  After adding that, we are now getting to a login prompt and then this error:

 

SAML Service Provider

Authorization Failed

Based on the information provided to this application about you, you are not authorized to access the resource at "/sysmgr/SysMgr.html"

 

The account we are trying to login with does have SAML defined as an authentication method.

Cardinal::> security login show

 

Vserver: Cardinal

                                                                 Second

User/Group                 Authentication                 Acct   Authentication

Name           Application Method        Role Name        Locked Method

-------------- ----------- ------------- ---------------- ------ --------------

omni\netapp   http        domain        admin            -      none

omni\netapp   http        saml          admin            -      none

omni\netapp   ontapi      domain        admin            -      none

omni\netapp   ontapi      saml          admin            -      none

omni\netapp   ssh         domain        admin            -      non

 

Vserver: cardinal-svm

                                                                 Second

User/Group                 Authentication                 Acct   Authentication

Name           Application Method        Role Name        Locked Method

-------------- ----------- ------------- ---------------- ------ --------------

OMNI\varonis   ontapi      domain        vsadmin          -      none

 

28 entries were displayed.

 

 

 

 

 

5 REPLIES 5

Re: SAML and OnTap 9.4

We had the same issue also, after adding all the claims we did some digging and found out the reason that it doesn't work is because the claim that is sent from ADFS is just the SAM-account-name without the domain prefix. So what we had to do was create security logins on the NetApp with just the username for the users who required access:

 

If you created a security login for just the individual user and removed the omni\ domain prefix I think it would provide access.

 

Vserver: ####################
Second
User/Group Authentication Acct Authentication
Name Application Method Role Name Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
sam.price http domain admin - none
sam.price http saml admin - none
sam.price ontapi domain admin - none
sam.price ontapi saml admin - none

 

 

I have a case open with NetApp to investigate further.

 

Cheers,

Sam

Re: SAML and OnTap 9.4

Once we deleted the existing accounts with the domain in front of the name and then created new accounts without the domain, that resolved it.  

 

We did find that the third claim (listed in the setup steps for OCUM but not in the video related to setup of OSCM) is not needed.

Re: SAML and OnTap 9.4

Did you find out anything further on this?  I'm experiencing issues with OCSM SAML auth against ADFS.  OCUM works like a champ, but OCSM just gives me an Auth failed error once it's returned from ADFS.

Re: SAML and OnTap 9.4

The last info I got was that it was a bug based on not enumerating groups:

https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1100142

 

But no real info in that bug Smiley Happy 

 

In terms of getting an Auth Failed, what is your output from security login show? what user are you trying to connect with? 

 

 

Re: SAML and OnTap 9.4

The related bug for that # looks to be an OCUM thing.  We patched to OCUM 9.5 yesterday and it looks like group enumeration works there.  My Issue has been trying to get a 9.4 OCSM cluster going for SAML based on an AD group.  I tried the group name  with/without the domain and tried a multitude of username variants (samaccount, SPN, fun stuff) and got nothing.

 

Guess it's time for another ticket.

Forums