Two-factor authentication process in SSMC

SSMC orchestrates a multi-step workflow to perform X.509-based two-factor authentication of the array management user on 3PAR and Primera arrays. For Primera arrays running firmware version 4.3 or later, SSMC executes an enhanced version of the workflow in which the array itself validates the user's client certificate, rather than relying on the user identifier that SSMC parsed from it. The two variants of the sequence are as follows:

Workflow for Primera arrays running firmware version 4.3 or later

  1. If SSMC is configured for two-factor authentication, SSMC requests a client certificate from the browser.

  2. The web browser used to access SSMC presents a client certificate to SSMC.

  3. SSMC evaluates trust for the issuer of the client certificate received from the browser.

  4. If SSMC trusts the issuer of the client certificate, SSMC passes the client certificate to the array.

  5. In addition to the user certificate sent by the browser, SSMC presents its own client certificate to the storage array.

  6. HPE Storage OS on the storage array evaluates trust for the issuer of the SSMC client certificate.

  7. If the storage array trusts the issuer of the SSMC certificate, it validates both the client certificate from the browser and the client certificate from SSMC.

  8. If the user certificate validates successfully, the array parses the user identifier from it.

  9. The array binds to the configured LDAP server using the service account user.

  10. HPE Storage OS searches for an LDAP entry matching the user identifier parsed from the user certificate.

  11. If HPE Storage OS finds a matching LDAP user, it evaluates that user's LDAP group membership to determine the user role.

  12. The user is logged in to SSMC with the determined identity and role.

Workflow for all other Primera/3PAR arrays

  1. If SSMC is configured for two-factor authentication, SSMC requests a client certificate from the browser.

  2. The web browser used to access SSMC presents a client certificate to SSMC.

  3. SSMC evaluates trust for the issuer of the client certificate received from the browser.

  4. If SSMC trusts the issuer of the client certificate, SSMC parses the user identifier from the certificate.

  5. SSMC presents its own client certificate to the storage array, together with the user identifier parsed from the browser-supplied client certificate. In this variant the array receives only the identifier, not the user certificate.

  6. HPE Storage OS on the storage array evaluates trust for the issuer of the SSMC client certificate.

  7. If the storage array trusts the issuer of the SSMC certificate, it binds to the configured LDAP server using the service account user.

  8. HPE Storage OS searches for an LDAP entry matching the user identifier that SSMC provided.

  9. If HPE Storage OS finds a matching LDAP user, it evaluates that user's LDAP group membership to determine the user role.

  10. The user is logged in to SSMC with the determined identity and role.
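The array side of both variants, as an added example in Go. This is not code from the page or from HPE's SSMC or HPE Storage OS; it models the array's steps with the Go standard library under assumptions the page does not state: the user identifier is parsed from the certificate's rfc822Name SAN, the LDAP directory and its group-to-role mapping are constructed in memory, and a single issuing CA is the trust anchor for both the SSMC certificate and the user certificates. The example builds a trusted and an untrusted CA, performs the issuer-trust evaluation with crypto/x509, and then runs the firmware 4.3-or-later flow (the array validates the forwarded user certificate) beside the earlier flow (the array validates only SSMC's certificate and accepts the identifier SSMC asserts). The contrast is the security point of the firmware 4.3 change: a user certificate from an issuer the array does not trust is rejected in the newer flow, while in the older flow the array never sees a user certificate and is only as trustworthy as SSMC's own validation and parsing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for the LDAP directory the array binds to (keyed by the identifier
// parsed from the user certificate, assumed to be its rfc822Name SAN) and an assumed group-to-role mapping.
var directory = map[string][]string{
	"alice@example.test": {"cn=storage-admins,ou=groups,dc=example,dc=test"},
	"bob@example.test":   {"cn=storage-browsers,ou=groups,dc=example,dc=test"},
}
var groupRoles = map[string]string{
	"cn=storage-admins,ou=groups,dc=example,dc=test":   "super",
	"cn=storage-browsers,ou=groups,dc=example,dc=test": "browse",
}

// issue creates an Ed25519 key and a certificate for it: a self-signed CA when parent is nil,
// otherwise a TLS client certificate signed by parent; emails become rfc822Name SANs. Fixtures only, so errors panic.
func issue(cn string, emails []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		EmailAddresses: emails, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced one line above, so it parses
	return cert, key
}

// verifyIssuer is the "evaluates trust for the issuer" step: the certificate must chain
// to a configured trust anchor and be usable for TLS client authentication.
func verifyIssuer(c *x509.Certificate, trust *x509.CertPool) error {
	_, err := c.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// login is the array side of both flows and returns the identity and role granted. SSMC's own
// certificate is checked first. In the 4.3+ flow userCert is the browser certificate SSMC forwarded;
// the array validates it itself and parses the identifier from it. In the legacy flow userCert is
// nil and the array uses assertedID, the identifier SSMC parsed, without ever seeing a user certificate.
func login(ssmcCert, userCert *x509.Certificate, assertedID string, trust *x509.CertPool) (string, string, error) {
	if err := verifyIssuer(ssmcCert, trust); err != nil {
		return "", "", fmt.Errorf("SSMC certificate rejected: %w", err)
	}
	id := assertedID
	if userCert != nil {
		if err := verifyIssuer(userCert, trust); err != nil {
			return "", "", fmt.Errorf("user certificate rejected: %w", err)
		}
		if len(userCert.EmailAddresses) != 1 {
			return "", "", fmt.Errorf("user certificate must carry exactly one rfc822Name SAN")
		}
		id = userCert.EmailAddresses[0]
	}
	// LDAP steps: look up the entry for id (a missing entry has no groups) and
	// derive the role from group membership.
	for _, g := range directory[id] {
		if role, ok := groupRoles[g]; ok {
			return id, role, nil
		}
	}
	return id, "", fmt.Errorf("no LDAP entry or no role-mapped group for %q", id)
}

// scenario runs both flows against one trusted and one untrusted CA.
func scenario() (aliceRole string, rogueErr error, legacyRole string) {
	ca, caKey := issue("Example Corp Issuing CA", nil, nil, nil) // the array's configured trust anchor
	rogueCA, rogueKey := issue("Rogue CA", nil, nil, nil)        // not trusted by the array
	trust := x509.NewCertPool()
	trust.AddCert(ca)
	ssmc, _ := issue("ssmc.example.test", nil, ca, caKey)
	alice, _ := issue("alice", []string{"alice@example.test"}, ca, caKey)
	forged, _ := issue("alice", []string{"alice@example.test"}, rogueCA, rogueKey) // right identifier, wrong issuer
	_, aliceRole, _ = login(ssmc, alice, "", trust)
	_, _, rogueErr = login(ssmc, forged, "", trust)
	_, legacyRole, _ = login(ssmc, nil, "alice@example.test", trust) // legacy: identifier never tied to a certificate
	return
}

func main() { fmt.Println(scenario()) }
```

Run it with `go run`. `scenario()` returns the role granted to alice in the 4.3-or-later flow, the error the array raises for the certificate issued by the rogue CA, and the role the legacy flow grants from the bare asserted identifier. That last value is why, with pre-4.3 arrays, SSMC's own issuer-trust evaluation and identifier parsing (steps 3 and 4) are the only checks ever applied to the user certificate.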

IMPORTANT:

Ensure that two-factor authentication is configured properly on all systems in the SSMC Administrator Console. Even a single misconfigured system affects SSO login.