ONTAP Discussions

System Manager SAML with domain groups

elic_co
2,916 Views

Hey,

Is it possible/supported to use domain groups for SAML authentication?

user authentication works fine but there are many users involved so I prefer to configure it for domain groups.

thanks!

1 ACCEPTED SOLUTION

Ontapforrum
2,810 Views

Hi,

 

Domain/Groups are not supported for a SAML-enabled cluster.

 

There is a KB article:

OnCommand System Manager authentication is not working with Active Directory Domain Groups
https://kb.netapp.com/app/answers/answer_view/a_id/1087129


Only workaround: Use CLI to add a domain "user" to the cluster, but without "domain\" prefix. I guess you have already tested this and it works for you.

 

Example: To add user 'test1' for http & ontapi capability:
::*> security login create -vserver <cluster_vserver> -user-or-group-name test1 -application http -authentication-method saml
::*> security login create -vserver <cluster_vserver> -user-or-group-name test1 -application ontapi -authentication-method saml

View solution in original post

2 REPLIES 2

Ontapforrum
2,811 Views

Hi,

 

Domain/Groups are not supported for a SAML-enabled cluster.

 

There is a KB article:

OnCommand System Manager authentication is not working with Active Directory Domain Groups
https://kb.netapp.com/app/answers/answer_view/a_id/1087129


Only workaround: Use CLI to add a domain "user" to the cluster, but without "domain\" prefix. I guess you have already tested this and it works for you.

 

Example: To add user 'test1' for http & ontapi capability:
::*> security login create -vserver <cluster_vserver> -user-or-group-name test1 -application http -authentication-method saml
::*> security login create -vserver <cluster_vserver> -user-or-group-name test1 -application ontapi -authentication-method saml

elic_co
2,732 Views

thanks for the answer.

this is what i've done. is there any plan to add domain groups support anywhere soon?

Public