ONTAP System Manager and Windows 2019 AD SAML (IdP) 2-Factor Authentication

I set up SAML in my vsim lab and it was more work than expected, however it was a good learning experience. The tasks are simple but if you miss or don’t know a step, it will not work. For example, you need to run a PowerShell command to enable IdP logon even after you have everything else configured. You also need a saml user in ONTAP and Windows Active Directory Users and Computers. Also, any name changes (server federation, etc.) often require a removal and re-add of the AD FS role. Even though AD FS appears to work after an identity change, it may not, even after a service restart or reboot.

Below is a long end-to-end example of how to set up SAML. You may choose different security, different password rules and a completely different IIS setup.

The Windows 2019 IP address is 192.168.150.12, the server name is WIN-CSM9334302E.LAB2.local and the login is Administrator@lab2.local : p@ssw0rd

The ONTAP 9.7P4 cluster-mgmt IP address is 192.168.150.230, the cluster name is cmode-prod and the login is admin | Netapp1!

1.1      SAML Setup Information

  • SAML – Security Assertion Markup Language
  • Cluster time must be in sync with the SAML (AD FS) server; if a login fails with a “future” error, the assertion’s validity window is ahead of the cluster clock, so check and fix the time on both sides
  • Configuring SAML Authentication in ONTAP 
    • Starting with ONTAP 9.3, you can configure Security Assertion Markup Language (SAML) authentication for web services. When SAML authentication is configured and enabled, users are authenticated by an external Identity Provider (IdP) instead of the directory service providers such as Active Directory and LDAP
    • You must have configured the IdP for SAML authentication.
    • You must have the IdP URI
    • SAML authentication applies only to the http and ontapi applications
    • The http and ontapi applications are used by the following web services: Service Processor Infrastructure, ONTAP APIs, or OnCommand System Manager
    • SAML authentication is applicable only for accessing the admin SVM
  • Multifactor Authentication in ONTAP Best Practices and Implementation Guide
  • SAML MFA Video (AIQ UM and System Manager)

1.2      Windows Server – Add AD FS and IIS Server Roles

Windows Server

  • Go to “Server Manager –> Dashboard”
  • Click the “Manage” menu pull down
  • Click “Add Roles and Features”
  • On the “Before You Begin” page click “Next >”
  • On the “Installation Type” page, leave the default “Role-based or feature-based installation” radio button selection
  • Click “Next >”
  • On the “Server Selection” page, leave the default “Select a server from the server pool” radio button selection
  • Click “Next >”
  • Check the “Active Directory Federation Services” check box (AD FS is the SAML IdP)
  • Check the “Web Server (IIS)” check box; the post uses IIS to bind the server’s network interface to SSL (TCP port 443) so AD FS is reachable for remote SAML access
  • Leave the default “Include management tools (if applicable)” checked
  • Click the “Add Features” button
  • On the “Server Roles” page, click “Next >”
  • On the “Features” page, click “Next >”
  • On the “AD FS” page, click “Next >”
  • On the “Web Server Role (IIS)” page, click “Next >”
  • On the “Role Services” page, leave all defaults
  • Click “Next >”
  • On the “Confirmation” page, check the box “Restart the destination server automatically if required”
  • Click “Yes” on the automatic-restart confirmation popup
  • On the “Confirmation” page, click “Install”
  • Watch “View installation progress” and wait until both roles are installed
  • On the “Results” page, click “Close”

1.3      Windows Server – Configure AD FS

Windows Server

  • Go to “Server Manager –> Dashboard”
  • Click the flag (notifications) menu pull down
  • On the “Post-deployment Configuration” alert, click the “Configure the federation service on this server.” link
  • On the “Welcome” page, leave the default “Create the first federation server in a federation server farm” radio button selection
  • Click “Next >”
  • On the “Connect to AD FS” page, leave the current “LAB2\Administrator” user default
  • Click “Next >”
  • On the “Specify Service Properties” page
    • SSL Certificate: pull down and select the local server’s certificate
    • Federation Service Name: the server FQDN populates automatically
    • Federation Service Display Name: saml1
  • Click “Next >”
  • On the “Specify Service Account” page
    • Leave the default “Create a Group Managed Service Account” radio button selected
    • Account Name: saml1
  • Click “Next >”
  • On the “Specify Database” page, leave the “Create a database on this server using Windows Internal Database.” radio button selected
  • Click “Next >”
  • **If you have set up AD FS on this server before**
    • On the “Confirm Overwrite” page, check “Overwrite the existing AD FS configuration database data.”
    • Click “Next >”
  • On the “Review Options” page, click “Next >”
  • On the “Pre-requisite Checks” page, validate that all prerequisite checks passed successfully
  • Click “Configure”
  • On the “Installation” and “Results” pages, review the errors (the SSL and SPN ones are expected in this lab)
  • Click “Close”

1.4      Windows Server – Configure IIS

  • Add a site that binds HTTPS (TCP port 443) on the SAML server interface 192.168.150.12 so AD FS is reachable over SSL.

Windows Server

  • Go to “Server Manager –> Dashboard”
  • Click the “Tools” menu pull down
  • Click “Internet Information Services (IIS) Manager”
  • Expand the server to view the “Sites” folder
  • Right click “Sites” and select “Add Website…”
  • In the Add Website page
    • Site name:              SAML
    • Physical path:         %SystemDrive%\inetpub\wwwroot   # matches the default site
    • Click the “Connect as…” button
      • Click the “Specific user:” radio button
      • Click the “Set…” button
        • Set Credentials (set to Administrator for the lab; a dedicated low-privilege account is the usual choice)
          • Administrator
          • p@ssw0rd
          • p@ssw0rd
          • Click “OK”
        • Click “OK”
      • Click the “Test Settings…” button
      • Click the “Close” button
    • Binding Type:          https
    • IP address:             All Unassigned
    • Port:                       443
    • SSL Certificate:       Server FQDN (pull down)
  • Click “OK” with the settings above

1.5      ONTAP – Configure SAML

cmode-prod

Set up SAML

security saml-sp create -idp-uri https://WIN-CSM9334302E.LAB2.local/FederationMetadata/2007-06/FederationMetadata.xml -sp-host 192.168.150.230 -verify-metadata-server false

Note: -verify-metadata-server false tells ONTAP not to verify the TLS certificate of the IdP metadata server, which is what lets the lab’s self-signed AD FS certificate work. Outside a lab, leave verification on and make sure the cluster trusts the CA that issued the AD FS certificate; otherwise the metadata, and the IdP signing certificate inside it, could be served by anyone on the network path.

Warning: This restarts the web server. Any HTTP/S connections that are active will be disrupted.

Do you want to continue? {y|n}: y

[Job 137] Job succeeded: Access the SAML SP metadata using the URL:

https://192.168.150.230/saml-sp/Metadata

Configure the IdP and Data ONTAP users for the same directory server domain to ensure that users are the same for different authentication methods. See the “security login show” command for the Data ONTAP user configuration.

Confirm existing users have SAML accounts

  • Any existing user that accesses the http or ontapi application is automatically configured for SAML authentication.
  • If you want to create users for the http or ontapi application after SAML is configured, specify SAML as the authentication method for the new users

security login show

Show SAML – it is not enabled yet, because we must configure Windows ADFS first

security saml-sp show

       Identity Provider URI: https://WIN-CSM9334302E.LAB2.local/FederationMetadata/2007-06/FederationMetadata.xml

       Service Provider Host: 192.168.150.230

       Certificate Authority: cmode-prod

          Certificate Serial: 15F2B2D85EAFA202

                 Common Name: cmode-prod

             Is SAML Enabled: false

security saml-sp status show

Node                            SAML SP Status         Enabled

------------------------------  ---------------------  ----------

cmode-prod-01                   config-success         false

cmode-prod-02                   config-success         false

1.6      Windows Server – Configure AD FS for ONTAP

Windows Server

Download the ONTAP Metadata to the downloads folder

Chrome Browser

https://192.168.150.230/saml-sp/Metadata
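As an added example (not part of the original post), the following PowerShell script does the download from the Windows server instead of Chrome, saving the ONTAP SP metadata to the Downloads folder that the wizard below looks in, and inspects both metadata documents before the relying party trust is built: the IdP entityID and SSO endpoints, the AD FS token-signing certificate and its expiry, the ONTAP entityID and AssertionConsumerService, and the clock skew between the cluster and the AD FS server (the “future” error from section 1.1). It assumes Windows PowerShell 5.1 on the 2019 server, the lab hostnames and addresses above, and that ONTAP presents a self-signed cluster certificate, so certificate validation is relaxed for that one fetch only; Get-SamlMetadata is a helper written for this example.

```powershell
# Added example, not from the original post. Run on the Windows 2019 server in
# Windows PowerShell 5.1 (assumed). Hostnames/addresses are the post's lab values.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$IdpMetadataUrl = 'https://WIN-CSM9334302E.LAB2.local/FederationMetadata/2007-06/FederationMetadata.xml'
$SpMetadataUrl  = 'https://192.168.150.230/saml-sp/Metadata'
$SpMetadataFile = "$env:USERPROFILE\Downloads\Metadata"   # where the wizard step below looks

# Helper written for this example: fetch a metadata URL, return the parsed XML and the
# server's HTTP Date header (used for the clock check).
function Get-SamlMetadata {
    param([string]$Url, [switch]$SkipCertificateCheck)
    $saved = [Net.ServicePointManager]::ServerCertificateValidationCallback
    try {
        if ($SkipCertificateCheck) {
            # Lab only: ONTAP presents its self-signed cluster certificate.
            [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        }
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
        [pscustomobject]@{ Xml = [xml]$resp.Content; Date = $resp.Headers['Date'] }
    } finally {
        # Always restore validation; leaving the callback set disables it process-wide.
        [Net.ServicePointManager]::ServerCertificateValidationCallback = $saved
    }
}

# 1. IdP metadata, with normal certificate validation. ONTAP was told
#    -verify-metadata-server false, so this is the one place the AD FS TLS
#    certificate actually gets checked before the trust is built.
$idp = (Get-SamlMetadata -Url $IdpMetadataUrl).Xml
Write-Host "IdP entityID : $($idp.EntityDescriptor.entityID)"
$idp.EntityDescriptor.IDPSSODescriptor.SingleSignOnService |
    ForEach-Object { Write-Host "IdP SSO      : $($_.Binding) -> $($_.Location)" }

# Token-signing certificate ONTAP will trust from this metadata. When AD FS rolls it,
# the ONTAP side has to be re-created from fresh metadata or every login fails.
$signing = $idp.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } | Select-Object -First 1
$certBytes = [Convert]::FromBase64String($signing.KeyInfo.X509Data.X509Certificate)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)
Write-Host "IdP signing  : $($cert.Subject) valid until $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'IdP token-signing certificate expires within 30 days'
}

# 2. SP metadata from ONTAP, saved where the Add Relying Party Trust wizard expects it.
$spResult = Get-SamlMetadata -Url $SpMetadataUrl -SkipCertificateCheck
$sp = $spResult.Xml
$sp.Save($SpMetadataFile)
Write-Host "SP entityID  : $($sp.EntityDescriptor.entityID)"
$sp.EntityDescriptor.SPSSODescriptor.AssertionConsumerService |
    ForEach-Object { Write-Host "SP ACS       : $($_.Binding) -> $($_.Location)" }

# 3. Clock skew: ONTAP rejects an assertion whose validity starts in its future.
#    Compare the cluster's HTTP Date header with this server's clock (AD FS runs here).
if ($spResult.Date) {
    $clusterUtc = [DateTime]::ParseExact($spResult.Date, 'r', [Globalization.CultureInfo]::InvariantCulture)
    $skew = [Math]::Abs(((Get-Date).ToUniversalTime() - $clusterUtc).TotalSeconds)
    Write-Host ("Clock skew   : {0:N0} s" -f $skew)
    if ($skew -gt 60) { Write-Warning 'Cluster and AD FS clocks differ by more than a minute; fix NTP first' }
}
```

The file is written without an .xml extension on purpose, to match the path the wizard step below uses. If the AD FS fetch fails certificate validation, that is the same condition the ONTAP command sidestepped with -verify-metadata-server false; fix the AD FS certificate chain rather than relaxing the check here as well.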

AD FS Setup

  • Go to “Server Manager –> Dashboard”
  • Click the “Tools” menu pull down
  • Click “AD FS Management”

View AD FS Federation Service Properties

  • Right click “AD FS”
  • Select “Edit Federation Service Properties…”
  • View and click “OK”

Configure an AD FS Relying Party Trust

  • Right click “AD FS”
  • Select “Add Relying Party Trust…”
  • Leave the default “Claims aware” radio button selected
  • Click the “Start” button
  • Select the “Import data about the relying party from a file” radio button
  • Federation metadata file location: C:\Users\Administrator\Downloads\Metadata
    • This is the file we downloaded from the ONTAP cluster with the URL given at SAML setup
    • Hint: browse to the Downloads folder, then choose “All Files (*.*)” since the file does not have an .xml extension, or copy/paste the full path above
  • Click “Next >”
  • Display name: cmode-prod
  • Click “Next >”
  • Select “Permit everyone and require MFA from extranet access”
  • Click “Next >”
  • Leave “Configure claims issuance policy for this application” checked
  • Click “Close”
  • In “Relying Party Trusts”, right click cmode-prod
  • Select “Edit Claim Issuance Policy…”

We will add three claim rules, each using the “Send LDAP Attributes as Claims” template (LDAP attribute -> outgoing claim type):

  • SAM-Account-Name -> Name ID
  • SAM-Account-Name -> urn:oid:0.9.2342.19200300.100.1.1
  • Token-Groups - Unqualified Names -> urn:oid:1.3.6.1.4.1.5923.1.5.1.1

  • Click the “Add Rule…” button
  • Leave the default “Send LDAP Attributes as Claims” pull down
  • Click “Next >”
  • Claim rule name:                 rule1
  • Attribute store:                    Active Directory (pull down)
  • LDAP Attribute:                   SAM-Account-Name
  • Outgoing Claim Type:          Name ID
  • Click the “Finish” button
  • Click the “Add Rule…” button
  • Leave the default “Send LDAP Attributes as Claims” pull down
  • Click “Next >”
  • Claim rule name:                 rule2
  • Attribute store:                    Active Directory (pull down)
  • LDAP Attribute:                   SAM-Account-Name
  • Outgoing Claim Type:          urn:oid:0.9.2342.19200300.100.1.1
  • Click the “Finish” button
  • Click the “Add Rule…” button
  • Leave the default “Send LDAP Attributes as Claims” pull down
  • Click “Next >”
  • Claim rule name:                 rule3
  • Attribute store:                    Active Directory (pull down)
  • LDAP Attribute:                   Token-Groups - Unqualified Names
  • Outgoing Claim Type:          urn:oid:1.3.6.1.4.1.5923.1.5.1.1
  • Click the “Finish” button
  • Click “OK”

Active Directory Users

  • Go to “Server Manager –> Dashboard”
  • Click the “Tools” menu pull down
  • Click “Active Directory Users and Computers”
  • Click on “Managed Service Accounts” and you will see the “saml1” account that we created with the AD FS setup
  • Click the “Action” menu
  • Click “New >”
  • Click “User”

Create a user whose logon name matches the ONTAP admin user. ONTAP matches the Name ID claim from AD FS to an existing ONTAP login by name, so it is the account name that has to match; the lab also reuses the ONTAP password for convenience, although with SAML the password is only ever checked by AD FS. (This is the second factor, in the same way that publickey is for ONTAP SSH MFA.)

  • First name: “admin”
  • User logon name: “admin”
  • Click “Next >”
  • Enter the password “Netapp1!” twice (the lab matches the ONTAP user’s password)
  • Uncheck “User must change password at next logon”
  • Check “Password never expires” and acknowledge the warning
  • Click “Next >”
  • Click “Finish”


After AD FS is set up, you MUST run PowerShell as administrator and enable the IdP-initiated sign-on page (it is disabled by default in AD FS on Windows Server 2016 and later, and the test URL below depends on it)

  • If these commands fail, reboot the server to apply all AD FS settings
  • In the task bar search window type “powershell”
  • Right click “Windows PowerShell Desktop app” and select “Run as administrator”

Show the IdP-initiated sign-on setting, which is disabled by default

Get-AdfsProperties | Select-Object EnableIdpInitiatedSignonPage

EnableIdpInitiatedSignonPage

----------------------------

                       False

Enable AD FS IdP-initiated sign-on

Set-AdfsProperties -EnableIdpInitiatedSignonPage $True

Show the setting enabled

Get-AdfsProperties | Select-Object EnableIdpInitiatedSignonPage

EnableIdpInitiatedSignonPage

----------------------------

                        True

Test IDP Login

Chrome Browser

https://win-csm9334302e.lab2.local/adfs/ls/idpinitiatedsignon

  • Leave the default “Sign in to this site.” radio button selected
  • Click the “Sign in” button
  • Enter credentials

admin@lab2.local

Netapp1!

  • Click the “Sign in” button
  • Click the “Sign out” button
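The AD FS side of this section (relying party trust, the three claim rules, the matching AD user, enabling the IdP-initiated sign-on page and checking the test URL) can be scripted instead of clicked through. The following is an added example, not the post’s own procedure: it uses the ADFS and ActiveDirectory PowerShell modules that ship with the installed roles, writes the three wizard rules in the claim rule language that the “Send LDAP Attributes as Claims” template generates, assumes the metadata file path, display name, domain and hostnames from the post, and prompts for the admin password rather than embedding it.

```powershell
# Added example, not the post's own procedure. Run as administrator on the Windows 2019
# AD FS server (ADFS and ActiveDirectory modules assumed present with the roles installed).
# Paths, names and domain are the post's lab values.
Import-Module ADFS
Import-Module ActiveDirectory

$MetadataFile = 'C:\Users\Administrator\Downloads\Metadata'   # ONTAP SP metadata saved earlier
$TrustName    = 'cmode-prod'
$AdfsHost     = 'win-csm9334302e.lab2.local'

# The three wizard rules in claim rule language, as the "Send LDAP Attributes as Claims"
# template writes them: sAMAccountName -> Name ID, sAMAccountName -> uid OID,
# tokenGroups (unqualified names) -> urn:oid:1.3.6.1.4.1.5923.1.5.1.1.
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "rule1"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "rule2"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("urn:oid:0.9.2342.19200300.100.1.1"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "rule3"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("urn:oid:1.3.6.1.4.1.5923.1.5.1.1"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Relying party trust from the downloaded ONTAP metadata; recreate it if it already exists
# (the same applies whenever the ONTAP certificate changes and the metadata is re-downloaded).
if (Get-AdfsRelyingPartyTrust -Name $TrustName) {
    Remove-AdfsRelyingPartyTrust -TargetName $TrustName
}
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile `
    -AccessControlPolicyName 'Permit everyone and require MFA from extranet access' `
    -IssuanceTransformRules $Rules

# AD user whose sAMAccountName equals the ONTAP login name. Only the name has to match:
# AD FS checks the password, ONTAP only ever sees the Name ID claim.
if (-not (Get-ADUser -Filter "SamAccountName -eq 'admin'")) {
    $Password = Read-Host -AsSecureString -Prompt 'Password for LAB2\admin'
    New-ADUser -Name 'admin' -SamAccountName 'admin' -UserPrincipalName 'admin@lab2.local' `
        -AccountPassword $Password -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true
}

# The step the post says is easy to miss: the IdP-initiated sign-on page is off by default.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

# Verification: trust present with its rules, setting on, test page answering.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Enabled, Identifier, AccessControlPolicyName
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
'EnableIdpInitiatedSignonPage = ' + (Get-AdfsProperties).EnableIdpInitiatedSignonPage
try {
    $page = Invoke-WebRequest -Uri "https://$AdfsHost/adfs/ls/idpinitiatedsignon" -UseBasicParsing
    'IdP-initiated sign-on page: HTTP ' + $page.StatusCode
} catch {
    # A self-signed AD FS certificate fails validation here; the browser test above still works.
    Write-Warning "IdP-initiated sign-on page check failed: $($_.Exception.Message)"
}
```

“Permit everyone” means any AD user can authenticate at AD FS; what keeps this from being an open door on the storage side is that ONTAP only admits a Name ID that matches an ONTAP login configured for the http/ontapi application with SAML authentication, which is why the security login show check in section 1.5 matters.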

1.7      ONTAP – Enable SAML

cmode-prod

Enable SAML. Once enabled, SAML can only be disabled from the console (Ctrl-G to the service processor, or the SP directly) or by a SAML-authenticated user, so confirm you have console access before enabling it. In the vsim you need VMware access to the VM’s web or remote console.

security saml-sp show

security saml-sp status show

security saml-sp modify -is-enabled true

security saml-sp show

       Identity Provider URI: https://WIN-CSM9334302E.LAB2.local/FederationMetadata/2007-06/FederationMetadata.xml

       Service Provider Host: 192.168.150.230

       Certificate Authority: cmode-prod

          Certificate Serial: 15F2B2D85EAFA202

                 Common Name: cmode-prod

             Is SAML Enabled: true

security saml-sp status show

Node                            SAML SP Status         Enabled

------------------------------  ---------------------  ----------

cmode-prod-01                   config-success         true

cmode-prod-02                   config-success         true

2 entries were displayed.

Windows Server

Open the Chrome Browser and click on the “cmode-prod” bookmark (System Manager on the cluster-mgmt address, https://192.168.150.230)

  • You will be redirected to the IdP (SAML ADFS login on the Windows server)

Confirm the pre-populated account and password “admin@lab2.local” and “Netapp1!” and click “Sign in”.

You are logged in with SAML to ONTAP since the “admin” user matches the AD user
