Once we deleted the existing accounts with the domain in front of the name and then created new accounts without the domain, that resolved it.  

We did find that the third claim (listed in the setup steps for OCUM but not in the video related to setup of OSCM) is not needed.

Did you find out anything further on this?  I'm experiencing issues with OCSM SAML auth against ADFS.  OCUM works like a champ, but OCSM just gives me an Auth failed error once it's returned from ADFS.

The last info I got was that it was a bug based on not enumerating groups:

https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1100142

But no real info in that bug 🙂 

In terms of getting an Auth Failed, what is your output from security login show? what user are you trying to connect with? 

The related bug for that # looks to be an OCUM thing.  We patched to OCUM 9.5 yesterday and it looks like group enumeration works there.  My Issue has been trying to get a 9.4 OCSM cluster going for SAML based on an AD group.  I tried the group name  with/without the domain and tried a multitude of username variants (samaccount, SPN, fun stuff) and got nothing.

Guess it's time for another ticket.

SAML in conjunction with ADFS 2.0 Windows 2008r2.

NetApp Release 9.4P3

We wanted to use AD authentication instead of local user accounts for our administrators on NetApp.

I tried to follow that guide:

https://docs.netapp.com/ocum-94/index.jsp?topic=%2Fcom.netapp.doc.onc-um-ag%2FGUID-DA56FC0E-E1FA-43AF-B258-546F08B8F78B.html

But it did not work for me.

Basically, when I am trying to log in it prompts me for credentials and seems to me it accepts my AD credentials.

But then it does not redirect me to the NetApp.

Perhaps there is an issue in windows IIS configuration?

I will appreciate any thoughts/advises.

Regards,

One of the issues right off is that you're using instructions for OnCommand Unified Manager and not for ONTAP.

Before you go much further, try the instructions for ONTAP at https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-adm-auth-rbac%2FGUID-05AC050B-5F8C-472E-9B36-543C5DFAB72A.html

Hi Jonathan,
I hope you are fine.

I have tried that bit of configuration. It did not work.

1. cluster_12::> security login create -user-or-group-name admin1 -application http -authentication-method saml -vserver  cluster_12
   
   
   

   As for the SAML configuration, I did it via the GUI interface.
   I am able to retrieve metadata from the NetApp using ADFS on my AD controller. 
   NetApp, in turn, is able to retrieve federation metadata from the ADFS server which resides on my AD controller.
   
   It looks a bit strange. 
   When I am trying to log in into NetApp it just redirects me to the AD controller which is asking me for my AD credentials.
   As soon as you type in your AD username and password it just stays on the same page. 

    

   Regards,

    

Do you have both the identifier (https://hostname/saml-sp) and the endpoint (https://hostname/saml-sp/SAML2/POST) configured in ADFS?

I think that that part is missing.

I am currently running windows Windows 2008r2 with ADFS2.0.

What part of ADFS configuration that would be?

Regards,

That will be in the Relying Party Trusts configuration.  With SAML, you have to configure the trust on both the provider and the consumer.

Checked the config on ADFS

Looks OK 

Please see screenshots attached