2017-12-06 03:22 PM
ONTAP Recipes: Did you know you can…?
Easily enable SAML Authentication for OCSM in ONTAP 9.3
Security Assertion Markup Language (SAML) 2.0 is a widely adopted industry standard that allows any third-party SAML-compliant identity provider (IdP) to perform multifactor authentication (MFA) using mechanisms unique to the IdP of the enterprise's choosing, and to serve as a source of single sign-on (SSO).
There are three roles defined in the SAML specification: the principal, the identity provider (IdP), and the service provider (SP).
In the ONTAP 9.3 implementation, a principal is the cluster administrator gaining access to ONTAP through OnCommand System Manager (OCSM) or OnCommand Unified Manager (OCUM). The IdP is third-party IdP software such as Microsoft Active Directory Federation Services (ADFS) or the open-source Shibboleth IdP. The SP is the SAML capability built into ONTAP that is used by OCSM or the OCUM web application.
Steps to enable SAML Authentication for OCSM in ONTAP 9.3:
2. Authenticate using administrator credentials.
Click Configuration > Authentication.
3. Select the Enable SAML Authentication checkbox.
4. Configure System Manager to use IdP authentication:
5. Click Retrieve Host Metadata to retrieve the host URI and host metadata information.
6. Copy the host URI or host metadata details.
7. Click Save.
8. Click Save and Confirm. Ensure that you have copied the host URI or metadata to the IdP and done the trust configuration on the IdP server. (Refer to your IdP documentation.)
The IdP login window is displayed.
9. Log in to System Manager by using the IdP login window. (You might see a prompt from the IdP stating that you are about to share specific attributes with the ONTAP cluster. You must allow sharing to occur for successful login.)
After the SAML IdP authentication succeeds, the session has a lifetime configured in the IdP. For other service providers (SPs) that use the same IdP, this allows the authentication to exist within the session lifetime period. If OCUM is one of the SPs that uses the same IdP, access to OCUM is allowed without an additional authentication. Thus, single sign-on (SSO) is enabled.
Steps to enable SAML Authentication for OCUM 7.3:
2. Launch the OCUM web GUI.
3. Authenticate using maintenance user credentials.
4. In the upper-right toolbar, click the gear icon and select Authentication in the left Setup menu.
5. If you haven’t enabled remote authentication, you must do so for SAML IdP users to have access to OCUM:
6. Navigate to Settings > Setup > Authentication > SAML Authentication Page.
7. Click View Host Metadata, copy the metadata into a file, and save it. This file will be used to configure OCUM in the IdP.
8. Select the Enable SAML Authentication checkbox, enter the IdP URL, and click Fetch IdP Metadata to populate OCUM with the IdP data.
9. Click Save and Yes in the warning dialog box.
10. Wait 5 minutes for the OCUM services to restart.
11. Configure the IdP (refer to your IdP documentation).
12. Launch the OCUM web GUI; you are redirected to the IdP for authentication.
13. Authenticate using a remote user defined in step 5 above.
As in the OCSM section, after the SAML IdP authentication succeeds, the session has a lifetime configured in the IdP. For other SPs that use the same IdP, this allows the authentication to exist within the session lifetime period. If OCSM is one of the SPs that uses the same IdP, access to OCSM is allowed without an additional authentication after a successful OCUM authentication.
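Both procedures hinge on exchanging SAML 2.0 metadata: the SP's host metadata goes to the IdP (OCSM steps 5 and 6, OCUM step 7) and the IdP's metadata is fetched into the SP (OCUM step 8). The script below is an added example, not NetApp code and not something the post itself provides; it does not talk to ONTAP or OCUM. It parses constructed sample metadata documents (stand-ins for what those steps exchange, with a placeholder certificate) and checks the properties a defender wants to confirm before establishing the trust: HTTPS endpoints on both sides, a signing certificate in the IdP metadata, a supported SSO binding, and an SP that requires signed assertions.

```python
"""Sanity-check SAML 2.0 metadata before trusting it on either side of the exchange.

Added example: standard-library only, works offline on the constructed samples below.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata, modelled on the host metadata an SP publishes (hostnames are made up).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cluster1.example.com/saml-sp">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cluster1.example.com/saml-sp/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata in the general shape ADFS or Shibboleth emit; the certificate is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# A deliberately weak IdP document: plaintext SSO endpoint and no signing certificate.
WEAK_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp(xml_text):
    """Extract entityID, assertion-signing requirement and ACS endpoints from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    return {
        "entity_id": root.get("entityID"),
        "want_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
    }


def parse_idp(xml_text):
    """Extract entityID, signing certificates and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # absent 'use' means signing and encryption
            certs += [c.text.strip() for c in
                      kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "sso": [(s.get("Binding"), s.get("Location"))
                for s in idp.findall("md:SingleSignOnService", NS)],
    }


def check_sp(sp):
    """Return a list of findings; empty means the SP metadata passes these checks."""
    findings = []
    if not sp["acs"]:
        findings.append("SP publishes no AssertionConsumerService endpoint")
    for _, loc in sp["acs"]:
        if not loc.startswith("https://"):
            findings.append(f"ACS endpoint is not HTTPS: {loc}")
    if not sp["want_signed"]:
        findings.append("SP does not require signed assertions")
    return findings


def check_idp(idp):
    """Return a list of findings; empty means the IdP metadata passes these checks."""
    findings = []
    if not idp["signing_certs"]:
        findings.append("IdP metadata carries no signing certificate; assertions cannot be verified")
    if not {b for b, _ in idp["sso"]} & {REDIRECT, POST}:
        findings.append("IdP offers neither HTTP-Redirect nor HTTP-POST SSO binding")
    for _, loc in idp["sso"]:
        if not loc.startswith("https://"):
            findings.append(f"SSO endpoint is not HTTPS: {loc}")
    return findings


if __name__ == "__main__":
    for label, doc, parse, check in [("SP", SP_METADATA, parse_sp, check_sp),
                                     ("IdP", IDP_METADATA, parse_idp, check_idp),
                                     ("weak IdP", WEAK_IDP_METADATA, parse_idp, check_idp)]:
        parsed = parse(doc)
        print(label, parsed["entity_id"], check(parsed) or "OK")
```

Point the parsers at the real files saved in step 7 of the OCUM procedure (or the host metadata copied in the OCSM procedure) and at the metadata fetched from the IdP; the weak sample shows the kind of document that should not be saved into the SP, since an IdP with no signing key cannot produce verifiable assertions.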
For more information, see the ONTAP 9 documentation center and the OCUM 7.3 documentation.
2017-12-13 12:14 AM
Use this SAML Authentication demo that covers setting up and using SAML multifactor authentication for administrative access with NetApp OnCommand Unified Manager 7.3 and ONTAP 9.3 OnCommand System Manager with Microsoft Active Directory Federation Services (ADFS) as an identity provider.