ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

How to authenticate Netapp Ontap XML api with SAML authentication

nyxtom
‎2021-06-08 01:32 PM
3,525 Views

Hello,

 

Currently I've been using the Netapp Ontap < 9.x XML api by making simple HTTP Post requests with basic authentication to the servlet: /servlets/netapp.servlets.admin.XMLrequest like many of the docs and examples have shown.

 

Recently, one of our systems has enabled SAML authentication and as a result I am currently unable to make requests to the same api using the standard HTTP Post and passing along the user/pass in the headers like I was before. Usually I will get a redirect for these HTTP Post requests.

 

How would I go about implementing authentication on top of what I already have to get it working again?

1 ACCEPTED SOLUTION

GidonMarcus
‎2021-06-13 03:32 PM
In response to nyxtom
3,375 Views

Right. So I misunderstood your original question. The short answer - I believe you can't/shouldn't (just use a password/certificate).

 

SAML is essentially a signed token that the IDP give the user agent to pass onto the SP (ONTAP).

GidonMarcus_0-1623622796947.png

*taken from Wikipedia.

 

If your IDP happy to give the token to your script - which will still likely require you to authenticate to the IDP (with a password)?, and your script  module can process the JS script the IDP returns to redirect you into the ONTAP login and ONTAP accepts it, that all might work...

 

But I think none of these will happen. The IDP will not authenticate a non-browser, the script module will not process the JS, and the NetApp login will not accept SAML token on the ZAPI site.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

View solution in original post

0 Kudos
3 REPLIES 3

GidonMarcus
‎2021-06-10 03:19 PM
3,434 Views

Hi

 

You need to choose how a given user will authenticate (SMAL/password/domain/public key).

http://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-991/security__login__create.html

http://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-991/security__login__modify.html

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
0 Kudos

nyxtom
‎2021-06-11 07:37 AM
In response to GidonMarcus
3,413 Views

Right I got that far, but I'm not exactly sure on the actual implementation if it's based on SAML. Are there any examples for this sort of thing?

0 Kudos

GidonMarcus
‎2021-06-13 03:32 PM
In response to nyxtom
3,376 Views

Right. So I misunderstood your original question. The short answer - I believe you can't/shouldn't (just use a password/certificate).

 

SAML is essentially a signed token that the IDP give the user agent to pass onto the SP (ONTAP).

GidonMarcus_0-1623622796947.png

*taken from Wikipedia.

 

If your IDP happy to give the token to your script - which will still likely require you to authenticate to the IDP (with a password)?, and your script  module can process the JS script the IDP returns to redirect you into the ONTAP login and ONTAP accepts it, that all might work...

 

But I think none of these will happen. The IDP will not authenticate a non-browser, the script module will not process the JS, and the NetApp login will not accept SAML token on the ZAPI site.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
0 Kudos
All Community Forums
Public