ONTAP SAML with Okta

Introduction

ONTAP System Manager SAML authentication is officially supported and tested with Active Directory Federation Services (ADFS), Cisco Duo and Shibboleth.
Most external Identity Providers should work if configured correctly, as stated in the NetApp Knowledge Base, but I could not find a guide for Okta.
Since we configured it, I can share our experience.

What does it change in ONTAP?

Enabling SAML authentication in ONTAP makes SAML the only way to log in to ONTAP System Manager.
If you ever need to log in with a local account without SAML, you will need to disable SAML first, and the only way to do that is through the Service Processor of one of the nodes. It is not possible from a direct SSH connection to the cluster, so keep this in mind.

How to enable SAML in ONTAP with Okta?

Okta application configuration

In Okta, you need to create a SAML 2.0 application with the following general settings, using your ONTAP cluster management IP (x.x.x.x):

Single Sign On URL: https://x.x.x.x/saml-sp/SAML2/POST

Audience Restriction: https://x.x.x.x/saml-sp

Then, in the Attribute Statements, you need to create an entry with these parameters:

Name: urn:oid:0.9.2342.19200300.100.1.1

Name Format: URI Reference

Value: user.login

The Value should be the user attribute in Okta that matches the account name you will create on the NetApp side.

In our case it is the attribute user.login.

NetApp SAML and user configuration

To do this, we need the metadata URI of our Okta application.

This URL should not include the Token-Groups Unqualified Names claim, as detailed in this NetApp KB article.

What are the pre-requisites for enabling SAML authentication in ONTAP System Manager? (NetApp KB)
Active Directory domain groups configured on a cluster do not currently work with SAML. The KB article covers the pre-requisites for configuring a cluster for SAML.

Here is the correct URL example mentioned in the NetApp article:

https://netapp.okta.com/app/abc1a23a1234567abcd/sso/saml/metadata

So, first of all, we want to create our users on the NetApp cluster.

security login create -user-or-group-name user@domain.com -role admin -authentication-method saml -application http

Then we configure SAML for the cluster with this command.

security saml-sp create -idp-uri https://your_domain.okta.com/app/your_app_id/sso/saml/metadata

Finally, we enable it.

security saml-sp modify -is-enabled true
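Before enabling SAML, it is worth checking that the metadata URL you are about to hand to saml-sp create really serves usable IdP metadata, since once SAML is on, a bad IdP configuration locks you out of System Manager until you disable it from the Service Processor. The following added example (my own code, not from the post, NetApp or Okta) derives the two Okta-side values from the cluster management IP and validates a constructed metadata document modelled on Okta's layout: the URL shape, the presence of an IDPSSODescriptor, an HTTP-POST SingleSignOnService, and a signing certificate. The placeholder host, app id and certificate are constructed; in practice you would fetch the real document from the URL.

```python
"""Sanity-check the Okta IdP metadata before running security saml-sp create.

Added example, not part of the original post or of NetApp's or Okta's tooling. Assumptions:
  - the value for -idp-uri is the Okta app metadata URL (.../sso/saml/metadata),
    as shown in the post, and it serves standard SAML 2.0 IdP metadata;
  - ONTAP needs an IDPSSODescriptor with an HTTP-POST SingleSignOnService and a
    signing certificate to verify assertions (this example's reading of the requirements).
The metadata below is constructed, modelled on Okta's layout, with placeholder host,
app id and certificate.
"""
import re
import xml.etree.ElementTree as ET

MD = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Shape of an Okta app metadata URL: https://<tenant>/app/<app id>/sso/saml/metadata
METADATA_URL = re.compile(r"^https://[^/]+/app/[^/]+/sso/saml/metadata$")

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your_domain.okta.com/app/your_app_id/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your_domain.okta.com/app/your_app_id/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_settings(cluster_ip):
    """The two ONTAP-side values the Okta app's general settings must match."""
    return {
        "single_sign_on_url": f"https://{cluster_ip}/saml-sp/SAML2/POST",
        "audience_restriction": f"https://{cluster_ip}/saml-sp",
    }


def validate_idp(idp_uri, metadata_xml):
    """Return a list of problems; an empty list means the IdP looks usable."""
    problems = []
    if not METADATA_URL.match(idp_uri):
        problems.append("idp-uri is not an app metadata URL (.../sso/saml/metadata)")
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD['md']}}}EntityDescriptor" or not root.get("entityID"):
        problems.append("no EntityDescriptor with an entityID")
        return problems
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
        return problems
    post_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", MD)
                 if s.get("Binding") == HTTP_POST]
    if not post_urls:
        problems.append("no SingleSignOnService with the HTTP-POST binding")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [c.text for kd in idp.findall("md:KeyDescriptor", MD)
             if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD)
             if c.text and c.text.strip()]
    if not certs:
        problems.append("no signing certificate: ONTAP could not verify assertion signatures")
    return problems


if __name__ == "__main__":
    print(sp_settings("x.x.x.x"))
    uri = "https://your_domain.okta.com/app/your_app_id/sso/saml/metadata"
    print(validate_idp(uri, SAMPLE_METADATA))                              # []
    print(validate_idp(uri.rsplit("/metadata", 1)[0], SAMPLE_METADATA))   # the SSO URL is not the metadata URL
```

The last call shows the mistake the NetApp article warns about in a different form: pasting the app's sign-on URL rather than its metadata URL into -idp-uri. Run the check against the real metadata document, and only then enable SAML.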

How to disable SAML?

As explained before, you will have to connect to the Service Processor of one node in the cluster to disable SAML.

Once logged in to the SP, run the system console command and log into ONTAP.

Then you can disable it from the cluster shell.

security saml-sp modify -is-enabled false