This blog post provides a quick walkthrough of configuring NetApp ONTAP System Manager to use VMware Identity Manager/Workspace ONE Access to provide SAML authentication for users. This blog post assumes that your VMware Identity Manager and NetApp ONTAP System Manager environments are online and functional.
The first step in this process is to ensure that you have user accounts defined within NetApp ONTAP System Manager to support your SAML users. If you are using existing NetApp ONTAP System Manager user accounts, you will need to modify these user accounts. If you are using new user accounts, you will define those now. To define or change user accounts, select CLUSTER from the left side of the NetApp ONTAP System Manager UI and choose Settings. Under the Security section, click the right arrow next to the Users and Roles section.
Select the + Add button on the resulting screen to add a new user account, or select the EDIT option from the option menu for an existing account.
Provide a USER NAME for the user account, select the proper ROLE , then under USER LOGIN METHODS , add HTTP and ONTAPI under APPLICATIONS. Select SAML under AUTHENTICATION for both applications. Click SAVE to save your changes.
Your next task is to define your SAML IdP within the NetApp ONTAP System Manager. You must obtain the URI to your VMware Identity Manager SAML IdP metadata to get started. Obtain this URI by logging into the VMware Identity Manager admin console at the URL
https://<vidm fqdn>/SAAS/admin/. Click on the CATALOG tab at the top of the user interface, then click the SETTINGS button.
Copy the link for the Identity Provider (IdP) metadata on the resulting screen, as shown in the following screenshot:
Next, in the NetApp ONTAP System Manager user interface, select the gear icon beside the SAML Authentication portion of the cluster settings.
On the result screen, select the Enable SAML Authentication checkbox, and paste the URI you copied earlier for the SAML Identity Provider metadata data into the IdP URI text box. Click the SAVE button to continue.
The resulting screen will provide the SAML Service Provider metadata HOST URI and the HOST METADATA XML. Copy the XML from the HOST METADATA text box.
Return to VMware Identity Manager to add the service provider metadata to a new application definition.
Back in the VMware Identity Manager administrator console, click the CATALOG tab, then click the NEW button.
On the resulting New SaaS Application wizard, provide a name for the application, such as “ONTAP System Manager”, then click the NEXT button.
Under the Configuration portion of the wizard, paste the service provide metadata that you copied from the NetApp ONTAP System Manager UI into the URL/XML field, then click NEXT.
Scroll down and click on Advanced Properties. Ensure that the following options are enabled: Sign Response, Sign Assertion, and Include Assertion Signature. Set the Signature Algorithm to SHA256 with RSA and the Digest Algorithm to SHA256.
Continue scrolling down to the Custom Attribute Mapping portion of the wizard. Click the + ADD ROW button twice to add two rows to the UI. Define the following values:
After defining these values, click the NEXT button.
On the Access Policies portion of the wizard, click the NEXT button to continue.
On the Summary portion of the wizard, click the SAVE AND ASSIGN button to save the definition and assign users who can access this new application.
Search for the user accounts you defined earlier in the NetApp ONTAP System Manager on the resulting Assign screen, then click the SAVE button.
Now that your application configuration has been added to VMware Identity Manager move back to the NetApp ONTAP System Manager interface and confirm that you have configured your SAML IdP and are ready to enable SAML authentication. Click the I have configured the IdP with the host URI or metadata checkbox, then click the Logout button.
NetApp ONTAP System Manager will log you out of your current session, and you’ll be redirected to VMware Identity Manager to authenticate. If you are already logged into VMware Identity Manager with a user account that should have access to NetApp ONTAP System Manager, then you will be automatically authenticated and redirected to the NetApp ONTAP System Manager UI.
Get Notified of Future Posts