ONTAP Rest API Discussions

Does SAML enabled on the cluster interfere with API access?

uphill

We seem to be having trouble proving API access at the simplest level - just a basic CLI test such as: curl -siku "mydomain\userid" "https://mycluster/api/cluster?fields=version". In every attempt we see error:{"code":"6691623", "message":"User is not authorized." I am authorized - I use the same account every day via System Manager, but I normally have my account set for SAML, so the curl with -v invoked returns the usual SAML redirect in the output (when the account has SAML as the auth method). So I modified that account to use "active directory domain", which is what prompted all this - trying to get a service account to log in via domain pw.

My question is: if SAML is NOT the authentication method, then why does the cluster keep trying to redirect like it is? There is nothing in AD that would force SAML; the app has to do that, I believe.

I set up a special domain account for this API access, but we can't get any form of it to successfully authenticate (even to SM) because it appears that "any" login looks to be shot to the provider and the "authentication" setting PER user is almost or entirely ignored. Can someone explain why this would happen? I know SAML messed with AIQUM discovery, but this seems wrong. "Your first ONTAP REST API call" is what I was following to ensure simplicity, negating any code issues from the vendor...

We have a monitoring app which previously used a local account on each cluster, but this is not preferred, so the domain account method is being tried, if you're wondering. I suppose another method is better, but that doesn't explain why "every" account logging in via curl doesn't just work with a valid pw.

thanks
