ONTAP Recipes: Easily enable SAML Authentication for OCSM in ONTAP 9.3

ONTAP Recipes: Did you know you can…? 

Easily enable SAML Authentication for OCSM in ONTAP 9.3

Security Assertion Markup Language (SAML) 2.0 is a widely adopted industry standard that allows any third-party SAML-compliant identity provider (IdP) to perform Multifactor authentication (MFA) using mechanisms unique to the IdP of the enterprise’s choosing and as a source of single sign-on (SSO). 

There are three roles defined in the SAML specification:

• The Principal
• The IdP
• The Service Provider (SP)

In the ONTAP 9.3 implementation, a principal is the cluster administrator gaining access to ONTAP through OnCommand System Manager (OCSM) or OnCommand Unified Manager (OCUM). The IdP is third-party IdP software from an organization such as Microsoft Active Directory Federated Services (ADFS) or the open-source Shibboleth IdP. The SP is the SAML capability built into ONTAP that is used by OCSM or the OCUM web application.

Steps to enable SAML Authentication for OCSM in ONTAP 9.3:

1. Open System Manager using the cluster management interface (DNS name or IP address). https://cluster-mgmt-LIF

 2. Authenticate using administrator credentials.

Click Configuration > Authentication

3. Select the Enable SAML Authentication checkbox.

4. Configure System Manager to use IdP authentication:

• Enter the URI of the IdP.
• Enter the DNS name or IP address of the host system.
• Optional: If required, change the host system certificate to a CA-signed certificate.

5. Click Retrieve Host Metadata to retrieve the host URI and host metadata information.

6. Copy the host URI or host metadata details.

7. Click Save

8. Click Save and Confirm. Ensure that you have copied the host URI or metadata to the IdP and done the trust configuration on the IdP server. (Refer to your IdP documentation.)

The IdP login window is displayed.

9. Log in to System Manager by using the IdP login window. (You might see a prompt from the IdP stating that you are about to share specific attributes with the ONTAP cluster. You must allow sharing to occur for successful login.)

After the SAML IdP authentication succeeds, the session has a lifetime configured in the IdP. For other service providers (SPs) that use the same IdP, this allows the authentication to exist within the session lifetime period. If OCUM is one of the SPs that uses the same IdP, access to OCUM is allowed without an additional authentication. Thus, single sign-on (SSO) is enabled.

Steps to enable SAML Authentication for OCUM 7.3:

1. Ensure that you have network connectivity between OCUM, the IdP, and OCUM web clients.

 2. Launch the OCUM web GUI.

 3. Authenticate using maintenance user credentials.

 4. In the upper-right toolbar, click the gear icon and select Authentication in the left Setup menu.

 5. If you haven’t enabled remote authentication, you must do so for SAML IdP users to have access to OCUM:

• Select the Enable Remote Authentication checkbox.
• Set the authentication service to Active Directory or OpenLDAP (Microsoft Lightweight Directory Services is not supported).
• Enter the administrator name and password. For AD, specify Base Distinguished Name; for LDAP, specify Bind Distinguished Name, Bind Password, and Base Distinguished Name.
• In the Authentication Servers section, enter the authentication server’s DNS name or IP address.
• Use Test Authentication to ensure that Remote Authentication Settings are operational.
• Navigate to the Settings > Management > Users Page and add users of type remote user or remote group with the OnCommand administrator role.

6. Navigate to Settings > Setup > Authentication > SAML Authentication Page.

7. Click View Host Metadata, copy the metadata into a file, and save it. This file will be used to configure OCUM in the IdP.

8. Select the Enable SAML Authentication checkbox, enter the IdP URL, and click Fetch IdP Metadata to populate OCUM with the IdP data.

9.Click Save and Yes in the warning dialog box.

10. Wait 5 minutes for the OCUM services to restart.

11. Configure the IdP (refer to your IdP documentation).

• Populate the IdP with the OCUM metadata from step 7.
• Add OCUM as a Relying Party.
• Add claim rules. Set Name to urn:oid:0.9.2342.19200300.100.1.1 and Unqualified Name to urn:oid:1.3.6.1.4.1.5923.1.5.1.1.

12. Launch the OCUM web GUI and get redirected to the IdP for authentication

13. Authenticate using a remote user defined in step 5 above

As in the OCSM section, after the SAML IdP authentication succeeds, the session has a lifetime configured in the IdP. For other SPs that use the same IdP, this allows the authentication to exist within the session lifetime period. If OCSM is one of the SPs that uses the same IdP, access to OCSM is allowed without an additional authentication after a successful OCUM authentication

For more information, see the ONTAP 9 documentation center and the OCUM 7.3 documentation.