SANtricity 11 Manuals (CA08872-010)

to Japanese version

Access Management with SAML

For Access Management, administrators can use the Security Assertion Markup Language (SAML) 2.0 capabilities embedded in the array.

Configuration workflow

SAML configuration works as follows:

  1. An administrator logs in to SANtricity System Manager with a user profile that includes Security Admin permissions.

    The admin user has full access to all functions in SANtricity System Manager.

  2. The administrator goes to the SAML tab under Access Management.

  3. An administrator configures communications with the Identity Provider (IdP). An IdP is an external system used to request credentials from a user and determine if the user is successfully authenticated. To configure communications with the storage system, the administrator downloads the IdP metadata file from the IdP system, and then uses SANtricity System Manager to upload the file to the storage system.

  4. An administrator establishes a trust relationship between the Service Provider and the IdP. A Service Provider controls user authorization; in this case, the controller in the storage system acts as the Service Provider. To configure communications, the administrator uses SANtricity System Manager to export a Service Provider metadata file for each controller. From the IdP system, the administrator then imports those metadata files to the IdP.

    Administrators should also make sure that the IdP supports the ability to return a Name ID on authentication.

  5. The administrator maps the storage system’s roles to user attributes defined in the IdP. To do this, the administrator uses SANtricity System Manager to create the mappings.

  6. The administrator tests the SSO login to the IdP URL. This test ensures the storage system and IdP can communicate.

    Once SAML is enabled, you cannot disable it through the user interface, nor can you edit the IdP settings. If you need to disable or edit the SAML configuration, contact our support for assistance.

  7. From SANtricity System Manager, the administrator enables SAML for the storage system.

  8. Users log in to the system with their SSO credentials.

Management

When using SAML for authentication, administrators can perform the following management tasks:

  • Modify or create new role mappings

  • Export Service Provider files

Access restrictions

When SAML is enabled, users cannot discover or manage storage for that array from Unified Manager or the legacy Storage Manager interface.

In addition, the following clients cannot access storage system services and resources:

  • Command-line interface (CLI)

  • Software Developer Kits (SDK) clients

  • In-band clients

  • HTTP Basic Authentication REST API clients

  • Login using standard REST API endpoint

Top of Page