Ask The Experts

SAML and OnTap 9.4

Stormont
12,791 Views

This is on OnTap 9.4P3.  We attempted to configure SAML for OCSM, but it failed terribly.  We followed the steps in https://www.youtube.com/watch?v=7i6f3EzFY0s, created the two claims shown, and then received the error below when trying to login:

 

SAML Service Provider

Unknown or Unusable Identity Provider

The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.

Identity provider lookup failed at (https://cardinal.imsweb.com/sysmgr/SysMgr.html)

EntityID: http://adfs.omni.imsweb.com/adfs/services/trust

opensaml::saml2md::MetadataException: Unable to locate metadata for identity provider (http://adfs.omni.imsweb.com/adfs/services/trust)

 

We contacted support and were told that the third claim used for OCUM is also needed for OCSM (although it isn't discussed in that video for OCSM). After adding that, we are now getting to a login prompt and then this error:

 

SAML Service Provider

Authorization Failed

Based on the information provided to this application about you, you are not authorized to access the resource at "/sysmgr/SysMgr.html"

 

The account we are trying to login with does have SAML defined as an authentication method.

Cardinal::> security login show

Vserver: Cardinal
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
omni\netapp    http        domain        admin            -      none
omni\netapp    http        saml          admin            -      none
omni\netapp    ontapi      domain        admin            -      none
omni\netapp    ontapi      saml          admin            -      none
omni\netapp    ssh         domain        admin            -      none

Vserver: cardinal-svm
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
OMNI\varonis   ontapi      domain        vsadmin          -      none

28 entries were displayed.


1 ACCEPTED SOLUTION

ERG-InfraTeam
12,553 Views

We had the same issue. After adding all the claims we did some digging and found out that the reason it doesn't work is that the claim sent from ADFS is just the SAM account name without the domain prefix. So what we had to do was create security logins on the NetApp with just the username for the users who required access:

 

If you created a security login for just the individual user and removed the omni\ domain prefix I think it would provide access.

 

Vserver: ####################
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
sam.price      http        domain        admin            -      none
sam.price      http        saml          admin            -      none
sam.price      ontapi      domain        admin            -      none
sam.price      ontapi      saml          admin            -      none

 

 

I have a case open with NetApp to investigate further.

 

Cheers,

Sam


12 REPLIES


Stormont
12,487 Views

Once we deleted the existing accounts with the domain in front of the name and then created new accounts without the domain, that resolved it.  

 

We did find that the third claim (listed in the setup steps for OCUM but not in the video related to setup of OCSM) is not needed.

Jonathan_Liedy
12,306 Views

Did you find out anything further on this?  I'm experiencing issues with OCSM SAML auth against ADFS.  OCUM works like a champ, but OCSM just gives me an Auth failed error once it's returned from ADFS.

ERG-InfraTeam
12,284 Views

The last info I got was that it was a bug based on not enumerating groups:

https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1100142

 

But no real info in that bug 🙂 

 

In terms of getting an Auth Failed, what is your output from security login show? What user are you trying to connect with?

 

 

Jonathan_Liedy
12,267 Views

The related bug for that # looks to be an OCUM thing. We patched to OCUM 9.5 yesterday and it looks like group enumeration works there. My issue has been trying to get a 9.4 OCSM cluster going for SAML based on an AD group. I tried the group name with/without the domain and tried a multitude of username variants (samaccount, SPN, fun stuff) and got nothing.

 

Guess it's time for another ticket.

AlexanderA
11,928 Views

SAML in conjunction with ADFS 2.0 on Windows 2008 R2.

NetApp Release 9.4P3


We wanted to use AD authentication instead of local user accounts for our administrators on NetApp.

I tried to follow that guide:

https://docs.netapp.com/ocum-94/index.jsp?topic=%2Fcom.netapp.doc.onc-um-ag%2FGUID-DA56FC0E-E1FA-43AF-B258-546F08B8F78B.html

But it did not work for me.

 

Basically, when I am trying to log in it prompts me for credentials and seems to me it accepts my AD credentials.

But then it does not redirect me to the NetApp.

 

Perhaps there is an issue in windows IIS configuration?

 

I will appreciate any thoughts/advice.

 

Regards,

 

 

Jonathan_Liedy
11,916 Views

One of the issues right off is that you're using instructions for OnCommand Unified Manager and not for ONTAP.

 

Before you go much further, try the instructions for ONTAP at https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-adm-auth-rbac%2FGUID-05AC050B-5F8C-472E-9B36-543C5DFAB72A.html

AlexanderA
11,908 Views

Hi Jonathan,
I hope you are fine.

 

I have tried that bit of configuration. It did not work.

 

1. cluster_12::> security login create -user-or-group-name admin1 -application http -authentication-method saml -vserver cluster_12

As for the SAML configuration, I did it via the GUI interface.
I am able to retrieve metadata from the NetApp using ADFS on my AD controller.
NetApp, in turn, is able to retrieve federation metadata from the ADFS server which resides on my AD controller.

It looks a bit strange.
When I am trying to log in to NetApp it just redirects me to the AD controller, which asks me for my AD credentials.
As soon as you type in your AD username and password it just stays on the same page.

Regards,

Jonathan_Liedy
11,906 Views

Do you have both the identifier (https://hostname/saml-sp) and the endpoint (https://hostname/saml-sp/SAML2/POST) configured in ADFS?

AlexanderA
11,288 Views

I think that that part is missing.

 

I am currently running Windows 2008 R2 with ADFS 2.0.

Which part of the ADFS configuration would that be?

 

Regards,

 

Jonathan_Liedy
11,285 Views

That will be in the Relying Party Trusts configuration.  With SAML, you have to configure the trust on both the provider and the consumer.
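The two failures worked through earlier in this thread (the "Unknown or Unusable Identity Provider" page, where the Issuer in the response matched no IdP metadata ONTAP had loaded, and the "Authorization Failed" page, where the account ADFS sent was the SAM account name without the domain prefix and so matched no `security login` row) and the identifier/endpoint pair Jonathan asks about can all be checked from the SAMLResponse the browser posts to the SP. The Python below is an added example written for this page, not NetApp or ADFS code: the response is constructed and unsigned, the hostname, entityID and saml-sp URLs are copied from the posts above, the login rows are a constructed subset of the `security login show` output, and it assumes ONTAP compares the login name against the assertion's NameID (the thread only says the claim carries the SAM account name without the domain).

```python
"""Decode an ADFS SAMLResponse and check the fields an SP such as ONTAP evaluates.
Added example for this thread; response, login rows and SP settings are constructed."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# SP side: identifier and POST endpoint as named in the thread, IdP entityID from
# the original error text. Assumption: these are the values the SP compares.
SP_CONFIG = {
    "sp_entity_id": "https://cardinal.imsweb.com/saml-sp",
    "acs_url": "https://cardinal.imsweb.com/saml-sp/SAML2/POST",
    "idp_entity_ids": {"http://adfs.omni.imsweb.com/adfs/services/trust"},
}

# Constructed subset of `security login show`, with the domain-prefixed names.
LOGINS = [
    {"name": "omni\\netapp", "application": "http", "method": "domain", "role": "admin"},
    {"name": "omni\\netapp", "application": "http", "method": "saml", "role": "admin"},
    {"name": "sam.price", "application": "http", "method": "saml", "role": "admin"},
]

# Constructed, unsigned response: ADFS sends the bare SAM account name.
CONSTRUCTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2019-01-01T00:00:00Z"
  Destination="https://cardinal.imsweb.com/saml-sp/SAML2/POST">
  <saml:Issuer>http://adfs.omni.imsweb.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.omni.imsweb.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">netapp</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://cardinal.imsweb.com/saml-sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# What the browser would carry in the SAMLResponse form field.
POSTED_SAML_RESPONSE = base64.b64encode(CONSTRUCTED_RESPONSE.encode()).decode()


def decode_saml_response(b64: str) -> ET.Element:
    """Base64-decode the SAMLResponse form field and parse the XML."""
    return ET.fromstring(base64.b64decode(b64))


def _text(root: ET.Element, path: str):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def extract_fields(root: ET.Element) -> dict:
    """Pull out the values the SP compares against its own configuration."""
    return {
        "destination": root.get("Destination"),
        "issuer": _text(root, "saml:Issuer"),
        "name_id": _text(root, "saml:Assertion/saml:Subject/saml:NameID"),
        "audience": _text(root, "saml:Assertion/saml:Conditions/"
                                "saml:AudienceRestriction/saml:Audience"),
    }


def diagnose(fields: dict, sp_config: dict, logins: list) -> list:
    """Map mismatches to the error pages seen in the thread; empty means accepted."""
    findings = []
    if fields["issuer"] not in sp_config["idp_entity_ids"]:
        findings.append("Unknown or Unusable Identity Provider: Issuer "
                        f"'{fields['issuer']}' matches no loaded IdP metadata entityID")
    if fields["destination"] != sp_config["acs_url"]:
        findings.append(f"Destination '{fields['destination']}' is not the SP endpoint "
                        f"'{sp_config['acs_url']}' that must be set on the relying party trust")
    if fields["audience"] != sp_config["sp_entity_id"]:
        findings.append(f"Audience '{fields['audience']}' is not the SP identifier "
                        f"'{sp_config['sp_entity_id']}'")
    saml_users = {r["name"] for r in logins
                  if r["application"] == "http" and r["method"] == "saml"}
    if fields["name_id"] not in saml_users:
        # The thread's case: same account, but stored with a DOMAIN\ prefix.
        near = sorted(n for n in saml_users if n.rsplit("\\", 1)[-1] == fields["name_id"])
        hint = f"; '{near[0]}' differs only by the domain prefix" if near else ""
        findings.append(f"Authorization Failed: NameID '{fields['name_id']}' has no "
                        f"http/saml security login{hint}")
    return findings


def diagnose_response(b64: str, sp_config: dict, logins: list) -> list:
    return diagnose(extract_fields(decode_saml_response(b64)), sp_config, logins)


if __name__ == "__main__":
    for finding in diagnose_response(POSTED_SAML_RESPONSE, SP_CONFIG, LOGINS):
        print(finding)
```

Run as-is it reports only the "Authorization Failed" case, pointing at `omni\netapp` as the row that differs from the posted NameID `netapp` by the domain prefix; adding a `netapp` http/saml login (what the accepted solution did) makes the findings list empty, and swapping the configured IdP entityID reproduces the "Unknown or Unusable Identity Provider" case. A real response is signed; this check is for reading what the IdP actually sent, not a substitute for signature validation.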

AlexanderA
11,253 Views

Checked the config on ADFS

Looks OK 

Please see screenshots attached 
