ONTAP 9 Manuals (CA08871-402)

Set up multifactor authentication

Security Assertion Markup Language (SAML) authentication allows users to log in to an application by using a secure identity provider (IdP).

In ONTAP System Manager, in addition to standard ONTAP authentication, SAML-based authentication is provided as an option for multifactor authentication.

Security Assertion Markup Language (SAML) is an XML-based framework for authentication and authorization between two entities: a service provider and an identity provider.

Enable SAML authentication

To enable SAML authentication with ONTAP System Manager, perform the following steps. If your cluster is running ONTAP 9.7, the ONTAP System Manager steps you need to follow are different. Refer to the ONTAP System Manager online help available on your system.

After you enable SAML authentication, only remote users can access the ONTAP System Manager GUI. Local users cannot access the ONTAP System Manager GUI after SAML authentication is enabled.

Workflow diagram of the task to set up multifactor authentication with SAML

Before you begin
  • The IdP that you plan to use for remote authentication must be configured.

    See the documentation that is provided by the IdP that you have configured.

  • You must have the URI of the IdP.

About this task

The following IdPs have been validated with ONTAP System Manager:

  • Active Directory Federation Services

  • Cisco DUO (validated with the following ONTAP versions)

    • 9.7P21 and later 9.7 releases

    • 9.8P17 and later 9.8 releases

    • 9.9.1P13 and later 9.9 releases

    • 9.10.1P9 and later 9.10 releases

    • 9.11.1P4 and later 9.11 releases

    • 9.12.1 and later releases

  • Shibboleth

Steps
  1. Click Cluster > Settings.

  2. Next to SAML Authentication, click the gear icon.

  3. Ensure there is a check in the Enable SAML Authentication checkbox.

  4. Enter the IdP URI (including "https://").

  5. Modify the host system address, if needed.

  6. Ensure the correct certificate is being used:

    • If your system was mapped with only one certificate with type "server", then that certificate is considered the default and it isn’t displayed.

    • If your system was mapped with multiple certificates as type "server", then one of the certificates is displayed. To select a different certificate, click Change.

  7. Click Save. A confirmation window displays the metadata information, which has been automatically copied to your clipboard.

  8. Go to the IdP system you specified and copy the metadata from your clipboard to update the system metadata.

  9. Return to the confirmation window (in ONTAP System Manager) and check the I have configured the IdP with the host URI or metadata checkbox.

  10. Click Logout to enable SAML-based authentication. The IdP system will display an authentication screen.

  11. In the IdP system, enter your SAML-based credentials. After your credentials are verified, you will be directed to the ONTAP System Manager home page.
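Before the metadata copied in step 7 is pasted into the IdP in step 8, it is worth checking what it actually contains. The following script is an added example and not part of the ONTAP documentation or product: it parses a constructed service-provider metadata document (the cluster host name, entityID and certificate body are placeholders) and reports an entityID or AssertionConsumerService URL that is not https, a missing signing certificate, or an ACS host that does not match the cluster address you expect.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata; host, entityID and certificate body are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://cluster.example.com/saml-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cluster.example.com/saml-sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_host):
    """Return a list of findings; empty means every check passed. The metadata comes from
    the cluster itself, so plain ElementTree is used (prefer defusedxml for untrusted input)."""
    findings = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    if urlparse(entity_id).scheme != "https":
        findings.append(f"entityID is not https: {entity_id!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor element"]
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned is not true")
    # The IdP uses this certificate to verify signed AuthnRequests from the SP.
    if sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        findings.append("no X509Certificate in a KeyDescriptor")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        findings.append("no AssertionConsumerService endpoint")
    for acs in acs_list:
        loc = urlparse(acs.get("Location", ""))
        if loc.scheme != "https":
            findings.append(f"ACS Location is not https: {acs.get('Location')!r}")
        if loc.hostname != expected_host:
            findings.append(f"ACS host {loc.hostname!r} != expected {expected_host!r}")
    return findings
```

Run it against the metadata your own cluster produced, passing the host system address from step 5 as expected_host; an empty result means the IdP will be pointed at an https endpoint on the host you intend.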

Disable SAML authentication

To disable SAML authentication, perform the following steps.

About this task

Disabling SAML authentication does not delete the SAML configuration.

Steps
  1. Click Cluster > Settings.

  2. Under SAML Authentication, click the Enabled toggle button.

  3. Optional: You can also click the gear icon next to SAML Authentication, and then uncheck the Enable SAML Authentication checkbox.
