Solved: System Manager SAML with domain groups

elic_co · ‎2019-11-18

Hey,

Is it possible/supported to use domain groups for SAML authentication?

user authentication works fine but there are many users involved so I prefer to configure it for domain groups.

thanks!

Ontapforrum · ‎2019-11-19

Hi,

Domain/Groups are not supported for a SAML-enabled cluster.

There is a KB article:

OnCommand System Manager authentication is not working with Active Directory Domain Groups
https://kb.netapp.com/app/answers/answer_view/a_id/1087129

Only workaround: Use CLI to add a domain "user" to the cluster, but without "domain\" prefix. I guess you have already tested this and it works for you.

Example: To add user 'test1' for http & ontapi capability:
::*> security login create -vserver <cluster_vserver> -user-or-group-name test1 -application http -authentication-method saml
::*> security login create -vserver <cluster_vserver> -user-or-group-name test1 -application ontapi -authentication-method saml

View solution in original post

Ontapforrum · ‎2019-11-19

Hi,

Domain/Groups are not supported for a SAML-enabled cluster.

There is a KB article:

OnCommand System Manager authentication is not working with Active Directory Domain Groups
https://kb.netapp.com/app/answers/answer_view/a_id/1087129

Only workaround: Use CLI to add a domain "user" to the cluster, but without "domain\" prefix. I guess you have already tested this and it works for you.

Example: To add user 'test1' for http & ontapi capability:
::*> security login create -vserver <cluster_vserver> -user-or-group-name test1 -application http -authentication-method saml
::*> security login create -vserver <cluster_vserver> -user-or-group-name test1 -application ontapi -authentication-method saml

elic_co · ‎2019-11-21

thanks for the answer.

this is what i've done. is there any plan to add domain groups support anywhere soon?