#ONTAP SAML Login
yes, you still need to specify every user that you want to be able to use a SAML login manually via security login create
this was supposedly added in ONTAP 9.15.1, and the RFE also shows 9.14.1 as fixed. if you're on one of those versions or higher, make sure you have the group rule added and that the group is added without the domain in ONTAP. if it's still not working, open a support case.
RFE: https://mysupport.netapp.com/site/bugs-online/product/ONTAP/BURT/1156840
https://kb.netapp.com/on-prem/ontap/DM/System_Manager/SM-KBs/How_to_use_domain_group_in_ONTAP_System_Manager_SAML_Authentication_with_Entra_ID_as_IDP (this is the only KB I found this updated in, groups should work this way even if you're using another supported IdP)
This needs to be added to the rules: Token groups - Qualified by Domain Name / urn:oid:1.3.6.1.4.1.5923.1.5.1.1
ooh that is nice to know! Some time ago we had a lively discussion (and remote session) with a NetApp engineer from the UK about how to properly configure Entra ID as IDP (which was very badly documented back then). This was one of the things we missed and asked him to bring to Engineering. Cool that it seems to be in now, we have to try that
let us know how it turns out!
@buoyant crown might also be interesting for you (although the KB still says "NetApp does not support this feature" 😄 )
entra support? we have an rfe to watch:
https://mysupport.netapp.com/site/bugs-online/product/ONTAP/JiraNgage/CONTAP-389471
yeah.... just saw that big orange disclaimer...
watching that since forever... no idea why NetApp still keeps on insisting that Entra ID is not supported (even though many are doing it)
that, I don't have an answer for. I do know it's being used and people are asking support about configuring it, which is how we're ending up with KBs about it.
ah wait, it was this one I watched, guess there's another one now
https://mysupport.netapp.com/site/bugs-online/product/SYSTEMMGR/BURT/1420905
which it isn't but okay
i believe the CONTAP RFE might have superseded the older one you have.
ok, another bug to watch then, at least it's public now
I do think I have set up everything correctly and I am on 9.14. I did quite some digging already and it even seems like ONTAP internal logs recognize that my user has roles attached. But I just always see the error that my user is not allowed to log in unless I specifically assign a role to the username.
I'll follow up with logs.
Thing is, I am even a bit more unsupported than Entra ID as I am using Keycloak.
yeah, Keycloak would push over into the "we'll try but no promises" category. still, if it works for users we should be able to get it going.
I'd like to see what you have for the group too in the security users output, as well as the logs if you can. if you prefer, DM me or email me at first name dot last name at netapp.com.