How to authenticate NetApp ONTAP XML API with SAML authentication

nyxtom

Hello,

Currently I've been using the NetApp ONTAP < 9.x XML API by making simple HTTP POST requests with basic authentication to the servlet /servlets/netapp.servlets.admin.XMLrequest, like many of the docs and examples have shown.

Recently, one of our systems has enabled SAML authentication, and as a result I am currently unable to make requests to the same API using the standard HTTP POST and passing along the user/pass in the headers like I was before. Usually I will get a redirect for these HTTP POST requests.

How would I go about implementing authentication on top of what I already have to get it working again?

1 ACCEPTED SOLUTION

GidonMarcus

Right. So I misunderstood your original question. The short answer - I believe you can't/shouldn't (just use a password/certificate).

SAML is essentially a signed token that the IDP gives the user agent to pass on to the SP (ONTAP).

[Image: GidonMarcus_0-1623622796947.png] *taken from Wikipedia.

If your IDP is happy to give the token to your script - which will still likely require you to authenticate to the IDP (with a password)? - and your script module can process the JS script the IDP returns to redirect you into the ONTAP login, and ONTAP accepts it, that all might work...

But I think none of these will happen. The IDP will not authenticate a non-browser, the script module will not process the JS, and the NetApp login will not accept a SAML token on the ZAPI site.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
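
An added example, not part of the original thread and not NetApp's code: the certificate route the accepted answer suggests, posting a ZAPI request over mutual TLS without following redirects and flagging a redirect that carries a SAMLRequest parameter (the symptom described in the question). The host, file paths and the system-get-version call are assumptions, and the account is assumed to be set up already for certificate authentication.

```python
import http.client
import re
import ssl
from urllib.parse import parse_qs, urlsplit

# Servlet path as quoted in the question; everything else here is assumed.
ZAPI_PATH = "/servlets/netapp.servlets.admin.XMLrequest"


def build_zapi_request(api_name="system-get-version"):
    """Wrap one parameterless ZAPI call in the <netapp> envelope."""
    if not re.fullmatch(r"[a-z][a-z0-9-]*", api_name):
        raise ValueError("unexpected characters in API name")
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<netapp xmlns="http://www.netapp.com/filer/admin" version="1.0">'
        f"<{api_name}/></netapp>"
    ).encode("utf-8")


def classify_response(status, location=""):
    """Tell a SAML hand-off apart from other outcomes of the POST."""
    if status in (301, 302, 303, 307, 308):
        params = parse_qs(urlsplit(location).query)
        # The SAML HTTP-Redirect binding carries the request in SAMLRequest.
        return "saml-redirect" if "SAMLRequest" in params else "redirect"
    if status == 401:
        return "auth-failed"
    return "ok" if status == 200 else "error"


def call_zapi(host, cert_file, key_file, ca_file, api_name="system-get-version"):
    """POST over mutual TLS; http.client never follows redirects itself."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verify the cluster cert
    ctx.load_cert_chain(cert_file, key_file)          # client cert, no password
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    try:
        conn.request("POST", ZAPI_PATH, body=build_zapi_request(api_name),
                     headers={"Content-Type": "text/xml"})
        resp = conn.getresponse()
        verdict = classify_response(resp.status, resp.getheader("Location", ""))
        body = resp.read()
    finally:
        conn.close()
    if verdict != "ok":
        # Stop here instead of replaying credentials to the redirect target.
        raise RuntimeError(f"ZAPI call rejected: {verdict} (HTTP {resp.status})")
    return body
```

A "saml-redirect" verdict means the request reached a SAML-protected login path, so the script account needs a non-SAML authentication method rather than a retry with the same credentials.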

3 REPLIES

GidonMarcus

Hi

You need to choose how a given user will authenticate (SAML/password/domain/public key).

http://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-991/security__login__create.html

http://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-991/security__login__modify.html


Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

nyxtom

Right I got that far, but I'm not exactly sure on the actual implementation if it's based on SAML. Are there any examples for this sort of thing?
