Skip to main content

Configure SAML

To configure authentication for Access Management, you can use the Security Assertion Markup Language (SAML) capabilities embedded in the storage array. This configuration establishes a connection between an Identity Provider and the Storage Provider.

About this task

An Identity Provider (IdP) is an external system used to request credentials from a user and to determine if that user is successfully authenticated. The IdP can be configured to provide multi-factor authentication and to use any user database, such as Active Directory. Your security team is responsible for maintaining the IdP. A Service Provider (SP) is a system that controls user authentication and access. When Access Management is configured with SAML, the storage array acts as the Service Provider for requesting authentication from the Identity Provider. To establish a connection between the IdP and storage array, you share metadata files between these two entities. Next, you map the IdP user entities to the storage array roles. And finally, you test the connection and SSO logins before enabling SAML.

Note
SAML and Directory Services. If you enable SAML when Directory Services is configured as the authentication method, SAML supersedes Directory Services in System Manager. If you disable SAML later, the Directory Services configuration returns to its previous configuration.
Attention
Editing and Disabling. Once SAML is enabled, you cannot disable it through the user interface, nor can you edit the IdP settings. If you need to disable or edit the SAML configuration, contact Technical Support for assistance.

Configuring SAML authentication is a multi-step procedure.

  1. Step 1: Upload the IdP metadata file
    To provide the storage array with IdP connection information, you import IdP metadata into System Manager.
  2. Step 2: Export Service Provider files
    To establish a trust relationship between the IdP and the storage array, you import the Service Provider metadata into the IdP.
  3. Step 3: Map roles
    To provide users with authorization and access to System Manager, you must map the IdP user attributes and group memberships to the storage array's predefined roles.
  4. Step 4: Test SSO login
    To ensure that the IdP system and storage array can communicate, you can optionally test an SSO login. This test is also performed during the final step for enabling SAML.
  5. Step 5: Enable SAML
    Your final step is to enable SAML user authentication.