ONTAP Discussions

How to authenticate Netapp Ontap XML api with SAML authentication

nyxtom

Hello,

Currently I've been using the NetApp ONTAP < 9.x XML API by making simple HTTP POST requests with basic authentication to the servlet: /servlets/netapp.servlets.admin.XMLrequest like many of the docs and examples have shown.

Recently, one of our systems has enabled SAML authentication and as a result I am currently unable to make requests to the same API using the standard HTTP POST and passing along the user/pass in the headers like I was before. Usually I will get a redirect for these HTTP POST requests.

How would I go about implementing authentication on top of what I already have to get it working again?


Re: How to authenticate Netapp Ontap XML api with SAML authentication

GidonMarcus

Hi

You need to choose how a given user will authenticate (SAML/password/domain/public key).

http://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-991/security__login__create.html

http://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-991/security__login__modify.html


Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

Re: How to authenticate Netapp Ontap XML api with SAML authentication

nyxtom

Right, I got that far, but I'm not exactly sure on the actual implementation if it's based on SAML. Are there any examples for this sort of thing?

Re: How to authenticate Netapp Ontap XML api with SAML authentication

GidonMarcus

Right. So I misunderstood your original question. The short answer - I believe you can't/shouldn't (just use a password/certificate).

SAML is essentially a signed token that the IDP gives the user agent to pass on to the SP (ONTAP).

[Image: GidonMarcus_0-1623622796947.png]

*taken from Wikipedia.

If your IDP is happy to give the token to your script - which will still likely require you to authenticate to the IDP (with a password)? - and your script module can process the JS script the IDP returns to redirect you into the ONTAP login, and ONTAP accepts it, that all might work...

But I think none of these will happen. The IDP will not authenticate a non-browser, the script module will not process the JS, and the NetApp login will not accept a SAML token on the ZAPI site.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
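
The certificate route suggested in the last reply, sketched as an added example (not code from the thread or from NetApp): it posts one ZAPI call over mutual TLS and reports whether the cluster answered or bounced the request to a SAML login. Assumptions: the account is already set up for certificate login as in the linked `security login` pages, the servlet path is the one quoted in the question, and the host, file names, and envelope version are placeholders.

```python
import http.client
import ssl
from urllib.parse import parse_qs, urlparse

# Servlet path exactly as quoted in the question above.
ZAPI_PATH = "/servlets/netapp.servlets.admin.XMLrequest"


def build_zapi_body(api_name, version="1.0"):
    """Minimal ZAPI envelope; the version value is a placeholder."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<netapp xmlns="http://www.netapp.com/filer/admin" version="{version}">'
        f"<{api_name}/></netapp>"
    ).encode()


def classify(status, headers):
    """Label a response: ok, saml-redirect, redirect, rejected, or error."""
    headers = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        query = parse_qs(urlparse(headers.get("location", "")).query)
        # The SAML HTTP-Redirect binding carries the request in this parameter.
        return "saml-redirect" if "SAMLRequest" in query else "redirect"
    if status in (401, 403):
        return "rejected"
    return "ok" if status == 200 else "error"


def post_with_client_cert(host, cert_file, key_file, ca_file, api_name):
    """POST one ZAPI call with a client certificate; redirects are not followed."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verify the cluster's cert
    ctx.load_cert_chain(cert_file, key_file)          # present the client cert
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=15)
    try:
        conn.request("POST", ZAPI_PATH, body=build_zapi_body(api_name),
                     headers={"Content-Type": "text/xml"})
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders())), resp.read()
    finally:
        conn.close()
```

A `saml-redirect` verdict means the request was handed to the browser-based SAML flow rather than authenticated, which is the situation described in the question; `http.client` never follows the redirect, so the script does not chase the IdP login page.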