This is on ONTAP 9.4P3. We attempted to configure SAML for OCSM, but it failed terribly. We followed the steps in https://www.youtube.com/watch?v=7i6f3EzFY0s, created the two claims shown, and then received the error below when trying to log in:
SAML Service Provider
Unknown or Unusable Identity Provider
The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.
Identity provider lookup failed at (https://cardinal.imsweb.com/sysmgr/SysMgr.html)
EntityID: http://adfs.omni.imsweb.com/adfs/services/trust
opensaml::saml2md::MetadataException: Unable to locate metadata for identity provider (http://adfs.omni.imsweb.com/adfs/services/trust)
We contacted support and were told that the third claim used for OCUM is also needed for OCSM (although it isn't discussed in that video for OCSM). After adding that, we are now getting to a login prompt and then this error:
SAML Service Provider
Authorization Failed
Based on the information provided to this application about you, you are not authorized to access the resource at "/sysmgr/SysMgr.html"
The account we are trying to log in with does have SAML defined as an authentication method.
Cardinal::> security login show

Vserver: Cardinal
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
omni\netapp    http        domain        admin            -      none
omni\netapp    http        saml          admin            -      none
omni\netapp    ontapi      domain        admin            -      none
omni\netapp    ontapi      saml          admin            -      none
omni\netapp    ssh         domain        admin            -      non

Vserver: cardinal-svm
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
OMNI\varonis   ontapi      domain        vsadmin          -      none
28 entries were displayed.