# Trying to get a SAML token from Azure to connect to ONTAP APIs


kind ice
#

Hello,

I'm trying to get an access token from Azure SAML from a PS script that would then authenticate me on the ONTAP device I'm trying to get DATA from.

I can only connect to the Ontap via an application in Azure, with MFA.

I can recover the token from the application but cannot use it to connect to the ONTAP; the response from the API call is the login.microsoft.com page.

Has anyone already made it work? I can provide samples of the code used.

Cheers

still flame
#

Can you explain more about your environment? What is your ONTAP device, what OS version is it on, is it on-premise or cloud, are you connecting to the device or a middle layer like BlueXP, and is it SSO enabled with Entra AD, etc.? One of the whole points of setting up an Enterprise App, other than granularity of permissions and user licensing, is to bypass MFA.

kind ice
#

Thanks for the reply.

My ONTAP is on-premise; it's a FAS2720 running 9.15.1P5.

I'm trying to connect to the device directly with the cluster mgmt IP (https://<cluster_mgmt_ip>/api/<apicall>).

The device is SSO enabled with an Enterprise App on Azure indeed.


The idea would be to grab a valid token from the Enterprise App and push it when I invoke my REST method,


like:

Invoke-RestMethod -Uri https://<cluster_mgmt_ip>/api/<apicall> -Authentication Bearer -Token (ConvertTo-SecureString '<Azure Token>' -AsPlainText -Force)

kind ice
#

So right now I can get a token from the Azure App:


But the device doesn't want it:


Kinda stuck.

still flame
#

I have a question: Why not just use a local account on the cluster?


From what I am seeing in the documentation, SAML is only supported for HTTP and ONTAPI for accessing the cluster admin SVM, not any other SVMs.

still flame
# kind ice: But the device doesn't want it:

I am looking into your error. Looks like it may be a permission problem. What security role is assigned to the identity attached to the token? Does it have the proper REST role for the command you are trying to access?


I was thinking this might be a SAML auth issue, but I think you are past that point.

kind ice
#

I checked that, and my user has access to ONTAPI, the full /api path.


I'll try some more tomorrow and will look into your link.

still flame
#

Looks like you have to create a custom role to get around the issue. That KB will send you in the right direction.


Good luck
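The two things the thread turns on, sending the token to the cluster and checking the role behind the account, as an added PowerShell example; this is not code from the original posts or from NetApp. It assumes PowerShell 7 or later, a reachable cluster management IP, and the /api/cluster, /api/security/accounts and /api/security/roles endpoints with the field names shown, as documented in the ONTAP REST API reference; the function names and the placeholder values in the usage comment are mine. Invoke-OntapApi sends the request with -Authentication Bearer (the -Token parameter takes a SecureString and only works together with -Authentication) and reports an HTML answer from a host other than the cluster as a redirect to the IdP rather than treating it as API output, which is the symptom described above. Get-OntapAccountAccess logs in with a local cluster account and reads the role bound to the SAML account and that role's privileges, which is the check suggested in the replies.

```powershell
# Added example (not code from the thread). Assumed: PowerShell 7+, a reachable
# cluster management IP, and the ONTAP REST endpoints /api/cluster,
# /api/security/accounts and /api/security/roles with the field names used below,
# as documented in the ONTAP REST API reference.

function Invoke-OntapApi {
    # Calls one ONTAP REST path with either an Entra ID bearer token or a local
    # cluster account and classifies the answer instead of trusting the body.
    [CmdletBinding(DefaultParameterSetName = 'Basic')]
    param(
        [Parameter(Mandatory)][string]$ClusterMgmtIp,
        [Parameter(Mandatory)][string]$Path,                                   # e.g. '/api/cluster'
        [Parameter(Mandatory, ParameterSetName = 'Bearer')][string]$AccessToken,
        [Parameter(Mandatory, ParameterSetName = 'Basic')][pscredential]$Credential,
        [switch]$SkipCertificateCheck                                          # self-signed lab clusters only
    )
    $common = @{
        Uri                = "https://$ClusterMgmtIp$Path"
        Headers            = @{ Accept = 'application/json' }
        SkipHttpErrorCheck = $true                                             # 401/403 are classified below, not thrown
    }
    if ($SkipCertificateCheck) { $common.SkipCertificateCheck = $true }

    if ($PSCmdlet.ParameterSetName -eq 'Bearer') {
        # -Token must be a SecureString and is only honoured together with -Authentication
        $secure = ConvertTo-SecureString -String $AccessToken -AsPlainText -Force
        $resp = Invoke-WebRequest @common -Authentication Bearer -Token $secure
    } else {
        $resp = Invoke-WebRequest @common -Authentication Basic -Credential $Credential
    }

    $status      = [int]$resp.StatusCode
    $contentType = [string]$resp.Headers['Content-Type']
    # Host of the URL that finally answered; after a SAML redirect this is the IdP, not the cluster
    $finalHost   = $resp.BaseResponse.RequestMessage.RequestUri.Host

    $outcome = switch ($true) {
        { $finalHost -ne $ClusterMgmtIp -or $contentType -like 'text/html*' } { 'RedirectedToIdp'; break }
        { $status -eq 401 }                                                  { 'Unauthenticated'; break }
        { $status -eq 403 }                                                  { 'Forbidden'; break }
        { $status -ge 200 -and $status -lt 300 }                             { 'Ok'; break }
        default                                                              { 'HttpError' }
    }
    # ONTAP answers with application/hal+json; only parse when it really is JSON
    $body = if ($contentType -like 'application/*json*') { $resp.Content | ConvertFrom-Json } else { $resp.Content }

    [pscustomobject]@{ Outcome = $outcome; Status = $status; FinalHost = $finalHost; Body = $body }
}

function Get-OntapAccountAccess {
    # Shows which role an account carries and what that role may reach under /api,
    # using a local cluster admin so the check does not depend on the SAML login.
    param(
        [Parameter(Mandatory)][string]$ClusterMgmtIp,
        [Parameter(Mandatory)][pscredential]$AdminCredential,
        [Parameter(Mandatory)][string]$AccountName,
        [switch]$SkipCertificateCheck
    )
    $base = @{ ClusterMgmtIp = $ClusterMgmtIp; Credential = $AdminCredential; SkipCertificateCheck = $SkipCertificateCheck }

    $acct = Invoke-OntapApi @base -Path "/api/security/accounts?name=$AccountName&fields=role,applications"
    if ($acct.Outcome -ne 'Ok') { throw "Account lookup failed: $($acct.Outcome) (HTTP $($acct.Status))" }
    $record = $acct.Body.records | Select-Object -First 1
    if (-not $record) { throw "No account named '$AccountName' on the cluster" }

    $role = Invoke-OntapApi @base -Path "/api/security/roles?name=$($record.role.name)&fields=privileges"
    if ($role.Outcome -ne 'Ok') { throw "Role lookup failed: $($role.Outcome) (HTTP $($role.Status))" }
    $privs = ($role.Body.records | Select-Object -First 1).privileges

    [pscustomobject]@{
        Account      = $record.name
        Role         = $record.role.name
        # e.g. "http:saml ontapi:password"; the SAML user needs http with saml listed here
        Applications = ($record.applications | ForEach-Object { "$($_.application):$($_.authentication_methods -join ',')" }) -join ' '
        # each privilege is a path ('/api/...' or a CLI directory) with access readonly, all or none
        Privileges   = $privs | ForEach-Object { '{0} = {1}' -f $_.path, $_.access }
    }
}

# Usage (placeholder values, not real ones):
# $r = Invoke-OntapApi -ClusterMgmtIp '<cluster_mgmt_ip>' -Path '/api/cluster' -AccessToken '<Azure Token>'
# $r.Outcome            # 'RedirectedToIdp' reproduces the login page symptom; 'Ok' means the token was accepted
# $cred = Get-Credential admin
# Get-OntapAccountAccess -ClusterMgmtIp '<cluster_mgmt_ip>' -AdminCredential $cred -AccountName '<saml user>'
```

RedirectedToIdp means the cluster did not treat the Authorization header as a credential and started the browser SAML flow instead, so no amount of token juggling on the client will change that result; Forbidden after a successful login is the case where the role and its privilege paths are worth reading, which is where a custom REST role comes in.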