# Configure SAML Authentication
For AIQUM, remote authentication needs to be configured first and the users added. The users are added so we know what roles to assign them. But to add any users, remote authentication needs to be set up. It is a weird chain.
I am revisiting this. I can enable SAML, but the backend IdP is EntraID and I evidently need to configure Roles in the backend to line up with the Roles in AIQUM, because if I don't, the moment I hit save and try to log in, I cannot. I think this is the last piece I need to config/understand. Thoughts?
In AIQUM and ONTAP, roles are what you are allowed to do on the system; they shouldn't correlate to anything in Entra.
I do know some IdPs, and I think Entra is one, limit which users can access an application. If that's what you mean by roles, then that's an Entra-side-only config, and it doesn't map to anything in AIQUM or ONTAP.
But just so you know, there's almost nothing documented for using Entra with AIQUM, as it's not a supported IdP for AIQUM. It should technically work; we just can't tell you all the gotchas.
For example, in the ONTAP docs, we see that groups might be UUIDs, and so need a special mapping to work. If this is what you meant, and you want to use groups to log into AIQUM, then that could be a problem. You might need to use the group UUID instead of the group name. If neither works, then you'd have to add the users directly as Remote Users in AIQUM instead of adding a Remote Group.
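
An added example, not part of the thread and not NetApp or Microsoft code: to see whether the IdP sends group names or group UUIDs, as discussed in the last reply, decode the SAML assertion from a test login and list the group attribute values. The assertion below is constructed, and the assumption that the group attribute's Name ends in `groups` (Entra ID's default claim URI) should be checked against your own assertion.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: group memberships arrive in an attribute whose Name ends in "groups"
# (Entra ID default: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups).
GROUP_ATTR_SUFFIX = "groups"
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample assertion fragment (not captured from a real tenant).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b</saml:AttributeValue>
      <saml:AttributeValue>storage-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def inspect_groups(assertion_xml):
    """Return (name_id, [(group_value, 'uuid' | 'name'), ...]) for one assertion.

    Inspection only: the signature is not verified, so use this on an assertion
    decoded from your own test login, never to make an access decision.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS).strip()
    groups = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if not attr.get("Name", "").lower().endswith(GROUP_ATTR_SUFFIX):
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:
                groups.append((text, "uuid" if UUID_RE.match(text) else "name"))
    return name_id, groups

if __name__ == "__main__":
    user, found = inspect_groups(SAMPLE_ASSERTION)
    print(f"NameID: {user}")
    for value, kind in found:
        print(f"  group claim {value!r} is a {kind}")
```

Values reported as `uuid` are the case where the Remote Group entry would need the group UUID rather than the display name.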