ONTAP Discussions

How to authenticate Netapp Ontap XML api with SAML authentication

nyxtom
1,394 Views

Hello,

 

Currently I've been using the Netapp Ontap < 9.x XML api by making simple HTTP Post requests with basic authentication to the servlet: /servlets/netapp.servlets.admin.XMLrequest like many of the docs and examples have shown.

 

Recently, one of our systems has enabled SAML authentication and as a result I am currently unable to make requests to the same api using the standard HTTP Post and passing along the user/pass in the headers like I was before. Usually I will get a redirect for these HTTP Post requests.

 

How would I go about implementing authentication on top of what I already have to get it working again?

1 ACCEPTED SOLUTION

GidonMarcus
1,244 Views

Right. So I misunderstood your original question. The short answer - I believe you can't/shouldn't (just use a password/certificate).

 

SAML is essentially a signed token that the IDP give the user agent to pass onto the SP (ONTAP).

GidonMarcus_0-1623622796947.png

*taken from Wikipedia.

 

If your IDP happy to give the token to your script - which will still likely require you to authenticate to the IDP (with a password)?, and your script  module can process the JS script the IDP returns to redirect you into the ONTAP login and ONTAP accepts it, that all might work...

 

But I think none of these will happen. The IDP will not authenticate a non-browser, the script module will not process the JS, and the NetApp login will not accept SAML token on the ZAPI site.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

View solution in original post

3 REPLIES 3

GidonMarcus
1,303 Views

Hi

 

You need to choose how a given user will authenticate (SMAL/password/domain/public key).

http://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-991/security__login__create.html

http://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-991/security__login__modify.html

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

nyxtom
1,282 Views

Right I got that far, but I'm not exactly sure on the actual implementation if it's based on SAML. Are there any examples for this sort of thing?

GidonMarcus
1,245 Views

Right. So I misunderstood your original question. The short answer - I believe you can't/shouldn't (just use a password/certificate).

 

SAML is essentially a signed token that the IDP give the user agent to pass onto the SP (ONTAP).

GidonMarcus_0-1623622796947.png

*taken from Wikipedia.

 

If your IDP happy to give the token to your script - which will still likely require you to authenticate to the IDP (with a password)?, and your script  module can process the JS script the IDP returns to redirect you into the ONTAP login and ONTAP accepts it, that all might work...

 

But I think none of these will happen. The IDP will not authenticate a non-browser, the script module will not process the JS, and the NetApp login will not accept SAML token on the ZAPI site.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
Public