ONTAP Discussions

SAML Authentication - Token Groups (FAS/AFF)


Hi there,


I've implemented SAML auth (AD FS) on our backup FAS2720 for a test drive and finally got it working after some struggle.


Referring to this article:


Pre-requisites for enabling SAML authentication in ONTAP System Manager - NetApp Knowledge Base


If I understand the article correctly, group authentication doesn't work, I have to manually specify user names with their roles and saml auth-type as logins - that's also what I experienced during testing.


However, why the heck is the article specifying a "Token Groups - unqualified name" claim rule if groups are not even used?? And even more, the shibd.log tells me "skipping unmapped SAML 2.0 Attribute with Name: urn:oid:".


So I wonder what that is for - just preparation for the future/group support in a future version? Or what else is the token groups claim intended to be used for?


At least AD FS allows me to mitigate and control access further - I'm using an AD FS access control policy to limit access to certain groups plus mandatory MFA as a kind of "pre-filter". The only thing lacking, as mentioned, is not being able to map AD groups to NetApp security roles. On the other hand, this also provides some tight security because group memberships do not decide the effective permissions on the filer.


Regards, Markus
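The "skipping unmapped SAML 2.0 Attribute" line in shibd.log means the IdP sent an attribute whose Name the service provider has no mapping for, so its values are dropped before any authorisation decision. The following Python script is an added example, not part of the post or of NetApp's code: it parses a constructed SAML 2.0 assertion (the issuer URL, the user name and the group values are made up) and reports which attributes a service provider with a given attribute map would keep and which it would skip. The attribute map is an assumption for illustration only, not ONTAP's real configuration; the group claim type http://schemas.xmlsoap.org/claims/Group is the AD FS default outgoing claim type for the "Token-Groups - Unqualified Names" rule, and the uid OID is the standard LDAP one. The point is to show why a token groups claim can be emitted by AD FS yet have no effect on the ONTAP side.

```python
"""Inspect a SAML 2.0 assertion's AttributeStatement and classify each
attribute as mapped (the SP knows it) or unmapped (the SP will skip it).

Run this only on an assertion whose signature you have already verified,
or on a captured sample: the parser does no signature checking itself.
"""
from xml.etree import ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# ASSUMED attribute map (SAML attribute Name -> local attribute id).
# Stand-in for whatever map the SP actually ships with; not ONTAP's own.
ASSUMED_ATTRIBUTE_MAP = {
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",  # LDAP uid attribute OID
}

# CONSTRUCTED sample assertion: issuer, user and group values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>Storage Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_attributes(assertion_xml):
    """Return {attribute Name: [values, ...]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name")
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        attrs.setdefault(name, []).extend(values)
    return attrs


def classify_attributes(attrs, attribute_map):
    """Split parsed attributes into (mapped: {local id: values}, unmapped: [Names]).

    Mapped attributes are renamed to their local id, exactly what an SP does
    before handing them to its authorisation layer; unmapped Names are what
    a log line such as 'skipping unmapped SAML 2.0 Attribute' refers to.
    """
    mapped = {attribute_map[n]: v for n, v in attrs.items() if n in attribute_map}
    unmapped = sorted(n for n in attrs if n not in attribute_map)
    return mapped, unmapped


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_ASSERTION)
    kept, skipped = classify_attributes(parsed, ASSUMED_ATTRIBUTE_MAP)
    for local_id, values in kept.items():
        print(f"mapped   {local_id}: {values}")
    for name in skipped:
        print(f"skipping unmapped SAML 2.0 Attribute with Name: {name}")
```

With the assumed map, the uid attribute is kept and the Group attribute is reported as unmapped, which is the behaviour the post describes: the claim rule makes AD FS send the groups, but a service provider without a mapping for that Name never sees them, so they cannot drive role assignment. Feeding a real (already validated) assertion into parse_attributes is a quick way to confirm which claim types the IdP actually emits before raising a ticket about the mapping.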