This is on OnTap 9.4P3. We attempted to configure SAML for OCSM, but it failed terribly. We followed the steps in https://www.youtube.com/watch?v=7i6f3EzFY0s, created the two claims shown, and then received the error below when trying to login:
SAML Service Provider
Unknown or Unusable Identity Provider
The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.
We contacted support and were told that the third claim used for OCUM is also needed for OCSM (although it isn't discussed in that video for OCSM). After adding that, we now get to a login prompt and then this error:
SAML Service Provider
Based on the information provided to this application about you, you are not authorized to access the resource at "/sysmgr/SysMgr.html"
The account we are trying to login with does have SAML defined as an authentication method.
We had the same issue. After adding all the claims, we did some digging and found out that the reason it doesn't work is that the claim sent from ADFS is just the SAM-account-name without the domain prefix. So what we had to do was create security logins on the NetApp with just the username for the users who required access.
If you created a security login for just the individual user and removed the omni\ domain prefix I think it would provide access.
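The mismatch described in this reply (ADFS asserts the bare account name, the cluster only has a `DOMAIN\user` login) can be checked outside the cluster before anyone logs in. The snippet below is an added example, not code from this thread or from NetApp: it parses a constructed, trimmed SAML assertion, pulls out the `NameID`, and compares it against a list of configured login names. The matching rules (exact match required; a domain-qualified variant of the same bare name reported as a prefix mismatch) are an assumption that models the behaviour the reply describes, not a published ONTAP rule.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a heavily trimmed SAML Response (no signature, no
# conditions) carrying the bare sAMAccountName as the NameID, which is the
# shape the reply above describes for ADFS. Not a real capture.
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_subject(xml_text):
    """Return the NameID text of the first Assertion in a SAML Response."""
    root = ET.fromstring(xml_text)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return node.text.strip()


def bare_account_name(name):
    """Strip a DOMAIN\\ prefix or @realm suffix and lowercase the remainder.

    Used only to recognise *near* matches; the service-provider match itself
    is assumed to be exact (see diagnose_login).
    """
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def diagnose_login(name_id, security_logins):
    """Compare the asserted NameID with configured login names.

    Returns one of:
      ("match", login)           exact login exists for the NameID
      ("prefix_mismatch", login) only a domain-qualified form of the same
                                 account exists (the failure in this thread)
      ("no_login", None)         nothing configured for this account
    Assumption: the service provider requires an exact string match.
    """
    for login in security_logins:
        if login == name_id:
            return ("match", login)
    for login in security_logins:
        if bare_account_name(login) == bare_account_name(name_id):
            return ("prefix_mismatch", login)
    return ("no_login", None)


if __name__ == "__main__":
    subject = extract_subject(SAMPLE_ASSERTION)
    # Constructed list of logins as they might appear on the cluster.
    configured = ["omni\\jdoe", "admin"]
    print("asserted NameID:", subject)
    print("diagnosis:", diagnose_login(subject, configured))
```

Feeding the assertion the IdP actually sends (for example, one captured from the browser's network trace during a failed login) into `extract_subject` shows exactly which string the cluster is asked to authorise, and `diagnose_login` makes the "login exists, but with a domain prefix" case stand out from the "no login at all" case.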
The related bug for that # looks to be an OCUM thing. We patched to OCUM 9.5 yesterday and it looks like group enumeration works there. My issue has been trying to get a 9.4 OCSM cluster going for SAML based on an AD group. I tried the group name with/without the domain and tried a multitude of username variants (samaccount, SPN, fun stuff) and got nothing.
As for the SAML configuration, I did it via the GUI interface. I am able to retrieve metadata from the NetApp using ADFS on my AD controller. NetApp, in turn, is able to retrieve federation metadata from the ADFS server which resides on my AD controller.
It looks a bit strange. When I try to log in to NetApp, it just redirects me to the AD controller, which asks me for my AD credentials. As soon as you type in your AD username and password, it just stays on the same page.