Skip to main content

Configuring SAML authentication for web services

Starting with ONTAP 9.4, you can configure multifactor authentication (MFA) for web services by using Security Assertion Markup Language (SAML) authentication. You can use SAML authentication for Service Processor Infrastructure (spi), ONTAP APIs, and ThinkSystem Storage Manager for DM Series.

When you configure SAML authentication, users are authenticated by an external Identity Provider (IdP). The IdP is a third-party software such as Microsoft Active Directory Federated Services (ADFS) IdP or open source Shibboleth IdP. The ONTAP cluster acts as the SAML Service Provider (SP) host. Authentication is performed by exchanging metadata between the IdP and SP.

  • Configuring SAML authentication
    Starting with ONTAP 9.4, you can configure Security Assertion Markup Language (SAML) authentication for web services. When SAML authentication is configured and enabled, users are authenticated by an external Identity Provider (IdP) instead of the directory service providers such as Active Directory and LDAP.
  • Disabling SAML authentication
    You can disable SAML authentication when you want to stop authenticating web users by using an external Identity Provider (IdP). When SAML authentication is disabled, the configured directory service providers such as Active Directory and LDAP are used for authentication.
  • Troubleshooting issues with SAML configuration
    If configuring Security Assertion Markup Language (SAML) authentication fails, you can manually repair each node on which the SAML configuration failed and recover from the failure. During the repair process, the web server is restarted and any active HTTP connections or HTTPS connections are disrupted.