Ask The Experts

SAML and OnTap 9.4

This is on OnTap 9.4P3.  We attempted to configure SAML for OCSM, but it failed terribly.  We followed the steps in, created the two claims shown, and then received the error below when trying to login:


SAML Service Provider

Unknown or Unusable Identity Provider

The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.

Identity provider lookup failed at (


opensaml::saml2md::MetadataException: Unable to locate metadata for identity provider (


 We contacted support and foundwere told that the third claim used for OCUM is also needed for OCSM (although it isn't discussed in that video for OCSM).  After adding that, we are now getting to a login prompt and then this error:


SAML Service Provider

Authorization Failed

Based on the information provided to this application about you, you are not authorized to access the resource at "/sysmgr/SysMgr.html"


The account we are trying to login with does have SAML defined as an authentication method.

Cardinal::> security login show


Vserver: Cardinal


User/Group                 Authentication                 Acct   Authentication

Name           Application Method        Role Name        Locked Method

-------------- ----------- ------------- ---------------- ------ --------------

omni\netapp   http        domain        admin            -      none

omni\netapp   http        saml          admin            -      none

omni\netapp   ontapi      domain        admin            -      none

omni\netapp   ontapi      saml          admin            -      none

omni\netapp   ssh         domain        admin            -      non


Vserver: cardinal-svm


User/Group                 Authentication                 Acct   Authentication

Name           Application Method        Role Name        Locked Method

-------------- ----------- ------------- ---------------- ------ --------------

OMNI\varonis   ontapi      domain        vsadmin          -      none


28 entries were displayed.







Re: SAML and OnTap 9.4

We had the same issue also, after adding all the claims we did some digging and found out the reason that it doesn't work is because the claim that is sent from ADFS is just the SAM-account-name without the domain prefix. So what we had to do was create security logins on the NetApp with just the username for the users who required access:


If you created a security login for just the individual user and removed the omni\ domain prefix I think it would provide access.


Vserver: ####################
User/Group Authentication Acct Authentication
Name Application Method Role Name Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
sam.price http domain admin - none
sam.price http saml admin - none
sam.price ontapi domain admin - none
sam.price ontapi saml admin - none



I have a case open with NetApp to investigate further.




View solution in original post

Re: SAML and OnTap 9.4

Once we deleted the existing accounts with the domain in front of the name and then created new accounts without the domain, that resolved it.  


We did find that the third claim (listed in the setup steps for OCUM but not in the video related to setup of OSCM) is not needed.

Re: SAML and OnTap 9.4

Did you find out anything further on this?  I'm experiencing issues with OCSM SAML auth against ADFS.  OCUM works like a champ, but OCSM just gives me an Auth failed error once it's returned from ADFS.

Re: SAML and OnTap 9.4

The last info I got was that it was a bug based on not enumerating groups:


But no real info in that bug 🙂 


In terms of getting an Auth Failed, what is your output from security login show? what user are you trying to connect with? 



Re: SAML and OnTap 9.4

The related bug for that # looks to be an OCUM thing.  We patched to OCUM 9.5 yesterday and it looks like group enumeration works there.  My Issue has been trying to get a 9.4 OCSM cluster going for SAML based on an AD group.  I tried the group name  with/without the domain and tried a multitude of username variants (samaccount, SPN, fun stuff) and got nothing.


Guess it's time for another ticket.

Re: SAML and OnTap 9.4

SAML in conjunction with ADFS 2.0 Windows 2008r2.

NetApp Release 9.4P3

We wanted to use AD authentication instead of local user accounts for our administrators on NetApp.

I tried to follow that guide:

But it did not work for me.


Basically, when I am trying to log in it prompts me for credentials and seems to me it accepts my AD credentials.

But then it does not redirect me to the NetApp.


Perhaps there is an issue in windows IIS configuration?


I will appreciate any thoughts/advises.





Re: SAML and OnTap 9.4

One of the issues right off is that you're using instructions for OnCommand Unified Manager and not for ONTAP.


Before you go much further, try the instructions for ONTAP at

Re: SAML and OnTap 9.4

Hi Jonathan,
I hope you are fine.


I have tried that bit of configuration. It did not work.


  1. cluster_12::> security login create -user-or-group-name admin1 -application http -authentication-method saml -vserver  cluster_12

    As for the SAML configuration, I did it via the GUI interface.
    I am able to retrieve metadata from the NetApp using ADFS on my AD controller. 
    NetApp, in turn, is able to retrieve federation metadata from the ADFS server which resides on my AD controller.

    It looks a bit strange. 
    When I am trying to log in into NetApp it just redirects me to the AD controller which is asking me for my AD credentials.
    As soon as you type in your AD username and password it just stays on the same page. 




Re: SAML and OnTap 9.4

Do you have both the identifier (https://hostname/saml-sp) and the endpoint (https://hostname/saml-sp/SAML2/POST) configured in ADFS?

Re: SAML and OnTap 9.4

I think that that part is missing.


I am currently running windows Windows 2008r2 with ADFS2.0.

What part of ADFS configuration that would be?




Re: SAML and OnTap 9.4

That will be in the Relying Party Trusts configuration.  With SAML, you have to configure the trust on both the provider and the consumer.

Re: SAML and OnTap 9.4

Checked the config on ADFS

Looks OK 

Please see screenshots attached 

Cloud Volumes ONTAP
Review Banner
All Community Forums