SSO Configuration

The appliance supports SAML 2.0–based Single Sign-On (SSO) for logging into the browser user interface (BUI). SSO allows users to authenticate through an external Identity Provider (IdP), such as Oracle Identity Cloud Service (IDCS), instead of entering credentials directly on the appliance.

SSO is used for authentication only. User accounts, group membership, and authorization are managed through the configured LDAP directory service. See LDAP Configuration.

An SSO user must have a directory role or directory user preconfigured on the ZFS Storage Appliance for BUI login authorization. See Configuring Users for more information about users and roles.

SSO configuration is part of the HTTPS service. The appliance acts as a SAML service provider (SP) and relies on HTTPS for secure communication with the IdP. When SSO is enabled and the required directory user or role exists, the authentication process occurs as follows:

  1. The user selects the Single Sign-On (SSO) login option on the BUI login page.
  2. The appliance redirects the user to the configured IdP.
  3. The user authenticates with the IdP.
  4. The IdP returns a SAML assertion to the appliance.
  5. The appliance validates the assertion and extracts the user identity.
  6. The appliance queries the LDAP directory to locate the user account and retrieve group membership and privileges.
  7. Access is provided based on permissions granted to appliance users and roles.

SSO requires the following:

  • HTTPS must be enabled and configured with a valid certificate. See HTTPS Configuration.

  • LDAP must be configured. Users authenticated by the IdP must exist in LDAP. Add the associated LDAP user to the appliance’s user list, or create a directory role for the LDAP group the SSO user is a member of.

  • IdP metadata must be provided to establish trust.

SSO does not use roles or group membership provided by the IdP. All authorization decisions are based on ZFS Storage Appliance roles the SSO user is associated with.
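The split between IdP authentication and LDAP-based authorization described in the steps above and in the preceding paragraph, as an added illustration that is not the appliance's own code: the assertion, the LDAP directory contents, the group-to-role mapping and the entity IDs are all constructed placeholders, and XML signature verification is assumed to have already been done by the SAML library in front of this logic.

```python
# Added example (not the appliance's own code) modelling steps 4-7 above.
# Assumes the SAML library in front of this has already verified the XML
# signature; assertion, LDAP data and role mapping are constructed samples.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://zfs.example.test/saml/sp"  # hypothetical audience
TRUSTED_IDP = "https://idp.example.test/saml/idp"  # hypothetical issuer
LDAP_USERS = {"alice": ["storage-admins"], "bob": ["helpdesk"]}  # constructed
DIRECTORY_ROLES = {"storage-admins": "admin"}  # constructed: LDAP group -> role

def extract_identity(assertion_xml: str, now: datetime) -> str:
    """Step 5: check issuer, validity window and audience; return the NameID.
    IdP-supplied attributes (e.g. a 'groups' claim) are deliberately ignored."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise PermissionError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None: raise PermissionError("assertion has no Conditions")
    nbf = datetime.fromisoformat(cond.get("NotBefore").replace("Z", "+00:00"))
    exp = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if not nbf <= now < exp:
        raise PermissionError("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
        raise PermissionError("assertion not addressed to this SP")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise PermissionError("assertion carries no NameID")
    return name_id

def authorize(name_id: str):
    """Steps 6-7: the user must exist in LDAP and one of their LDAP groups must
    map to an appliance directory role; returns the role, or None to deny."""
    groups = LDAP_USERS.get(name_id)
    if groups is None:
        return None  # authenticated by the IdP, but unknown to the directory
    return next((DIRECTORY_ROLES[g] for g in groups if g in DIRECTORY_ROLES), None)

def sso_login(assertion_xml: str, now: datetime):  # raises PermissionError on a bad assertion
    return authorize(extract_identity(assertion_xml, now))

def sample_assertion(user: str) -> str:
    """Constructed, unsigned assertion whose 'groups' attribute claims admin."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Issuer>{TRUSTED_IDP}</saml:Issuer>'
            f"<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>"
            '<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">'
            f"<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>"
            "</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>"
            '<saml:Attribute Name="groups"><saml:AttributeValue>admin</saml:AttributeValue>'
            "</saml:Attribute></saml:AttributeStatement></saml:Assertion>")
```

Note that the IdP's "groups" attribute claiming admin has no effect: alice gets the admin role only because her LDAP group maps to a directory role, while bob (in LDAP, no mapped group) and an unknown user are both denied.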

Local and directory (LDAP/AD) user accounts remain available for administrative access and recovery scenarios and are not authenticated through SSO.

To configure Single Sign-On, see the following sections: