# Hi folks Using Ansible Tower 2.9.19 with
The only two authentication methods we support are basic authentication (user/password) and SSL certificate. I don't think ZAPI has any way to do MFA.
Hi Laurent . We tried it with the "use_rest" parameter set to "Always" and it still did not work when MFA was enabled
Also, I should have noted in my initial post: We use an AD domain account for Ansible to log into ONTAP, so we had the folks who manage our SAML/IDP setup configure that account to bypass the MFA process. This way, the only ONTAP accounts that would be prompted with a MFA request would be human user accounts, not automation accounts, such as the AD domain user account we use with Ansible.
Are you seeing an error? if so can you send us what the playbook is returning
let me recreate the error and I'll send the output
Here is my Ansible Task:
```yaml
- name: Gather Cluster Info for "{{ inventory_hostname }}"
  na_ontap_info:
    state: info
    hostname: "{{ inventory_hostname }}"
    # inside a double-quoted YAML string the backslash must be escaped as \\
    username: "{{ domain }}\\{{ username }}"
    password: "{{ password }}"
    validate_certs: no
    use_rest: Always
    https: yes
    gather_subset:
      - aggregate_info
      - vserver_info
      - volume_info
  register: ontap_cluster_info
  delegate_to: localhost
```
Here is my ONTAP user settings:

Vserver: b1pascntap01

| User/Group Name | Application | Authentication Method | Role Name | Acct Locked | Second Authentication Method |
|---|---|---|---|---|---|
| CENTURA\SVC_Netapp_WFA | http | domain | admin | - | none |
| CENTURA\SVC_Netapp_WFA | http | saml | admin | - | none |
| CENTURA\SVC_Netapp_WFA | ontapi | domain | admin | - | none |
| CENTURA\SVC_Netapp_WFA | ontapi | saml | admin | - | none |
| CENTURA\SVC_Netapp_WFA | ssh | domain | admin | - | none |
I can't seem to upload the error message.. it is too long to enter into Discord app as text, and when I try to do as a file upload, the file upload fails.
BTW, use_rest does not do anything with na_ontap_info as only ZAPI is supported for this module.
But for REST, we also rely on HTTP, so MFA is not available.
We have the SVC_NETAPP_WFA account bypassed for MFA, so I wonder if I remove the SAML entries from the ONTAP user definition if just DOMAIN authentication will work
I'm not too sure about username: "{{ domain }}\{{ username }}"
In my experience:
```
# Note, without quotes, use a single backslash in AD user names
# with quotes, it needs to be escaped as a double backslash
# user: "ANSIBLE_CIFS\\user1"
# user: ANSIBLE_CIFS\user1
```
This ansible task works as-is when we disable SAML/MFA on the ONTAP
You may also want to try with na_ontap_debug:
https://github.com/ansible-collections/netapp.ontap/wiki/Debugging
The ansible task does have double \ ... not a single \
So the first step may be to try from swagger, using the Try it out feature, or curl
```
curl -X GET "https://<ip_address>/api/cluster?fields=version" -H "accept: application/json" -H "authorization: Basic xxxxxxx"
```
Now, the question is whether you can even reach swagger: https://<your IP>/docs/api/#/cluster/cluster_get
I am able to get to the SWAGGER GUI interface as SVC_NETAPP_WFA user
or
```
curl -X GET "https://10.193.78.222/api/cluster?fields=version" -H "accept: application/json" -H "authorization: Basic YWRtaW46bmV0YXBwMSE=" -uusername:password
```
but the interesting thing is, the username\password dialog box was a pop-up dialog box, which looks like it came from our ADFS vs. when SAML is disabled, and the username/password is embedded in the web GUI
so, while it looks like they did disable the MFA part, the login is still getting re-directed to ADFS, which is probably what Ansible is not liking
Yes, if you're using a WEB GUI, it may go through SSO.
My Ansible task is set up as use_rest:Always ... isn't that also https?
no. It's independent. na_ontap_info is only using ZAPI, so it would be interesting to use na_ontap_debug as it checks for both REST and ZAPI, or na_ontap_rest_info which is REST only.
Curious... if na_ontap_info only uses ZAPI, why does the documentation show the use_rest parameter?
https://docs.ansible.com/ansible/2.9/modules/na_ontap_info_module.html
But based on the above, the issue is that your user may still go through MFA. The long error output may be a sign of that. Could you email it to ng-ansibleteam@netapp.com?
yes sir, can do
It's because it's part of a set of global parameters. Ansible doc automatically includes it in every module documentation.
got it!
I even tried it with these ONTAP user settings (basically, I just removed the SAML entries), and it still fails:

| User/Group Name | Application | Authentication Method | Role Name | Acct Locked | Second Authentication Method |
|---|---|---|---|---|---|
| CENTURA\SVC_Netapp_WFA | http | domain | admin | - | none |
| CENTURA\SVC_Netapp_WFA | ontapi | domain | admin | - | none |
| CENTURA\SVC_Netapp_WFA | ssh | domain | admin | - | none |
Yes, this confirms we're getting back a MFA challenge. It's a guess, as we're expecting XML and netapp-lib chokes on the response as it is malformed XML.
But this is extremely likely. It confirms the automation account is still using MFA.
To fully confirm, it would be nice to trace the HTTP traffic. We have a builtin capability to enable a trace, but I'm not sure it would capture the raw data (before attempting to decode the XML):
https://github.com/ansible-collections/netapp.ontap/wiki/Debugging#tracing-zapi-and-rest-api-calls
For Info if you want to use rest you need to use this module
There are about 10 modules where we couldn't add REST support because there were major differences between REST and ZAPI. And so we have these modules documented in the REST support wiki page https://github.com/ansible-collections/netapp.ontap/wiki/Rest_Support
so, to recap some of the previous comments:
- ZAPI doesn't support MFA
- REST doesn't support MFA
The thing I'm a little confused on is, if I configure my ONTAP account to use DOMAIN authentication, and not SAML authentication, why is the ONTAP cluster forcing this user's login over to the SAML ADFS service for authentication? I would think it would just use traditional DOMAIN authentication... It seems like the ONTAP cluster is enforcing the SAML authentication on all ONTAP accounts, regardless of what application/authentication methods are defined for each user
I think in general, APIs do not support MFA. But the question is why the user SVC_Netapp_WFA still triggers a MFA challenge if it was specifically excluded. Is it a misconfiguration in ONTAP, or is it not possible for HTTP/HTTPS traffic?
Not much to configure on the ONTAP for saml, and when we enable it, it works fine for human users, so it seems like we have it configured correctly... here is the config on the ONTAP:
Identity Provider URI: https://xxx/federationmetadata.xml
Service Provider Host: x.x.x.x
Certificate Authority: b1pascntap01
Certificate Serial: 16F664B688A5D976
Common Name: b1pascntap01
Is SAML Enabled: true
Obviously, I edited the IdP and SP info, just to be safe