Summary

Everpure Fusion introduces SAML 2.0 integration, allowing organizations to delegate authentication to their corporate identity provider. This modern SSO approach replaces local or LDAP user interface logins with a cloud-like, single, secure sign-on experience. 

image_pdfimage_print

As your storage environment scales, identity and access control can either become a strength—or a bottleneck.

Everpure Fusion™ turns individual arrays into a globally managed fleet with a unified control plane. A storage admin sitting at any array can gain visibility and control across the entire fleet, whether it lives in one data center or is distributed across regions and clouds.

Done right, that’s an enormous productivity win. Done poorly, it’s a security and compliance risk.

To operate securely at fleet scale, Everpure Fusion needs to answer two questions for every operation:

  • Who is this?
  • What are they allowed to do?

The answers come from how you design authentication (proving identity) and authorization (granting the right level of access). This blog walks through the core options Everpure Fusion supports, how they work together, and practical patterns to help you pick the right mix for your environment.

Why identity and access matter so much for Everpure Fusion

Most traditional storage management models are system-centric: log into an array, make changes, and move to the next. Access control is defined and managed one box at a time.

Everpure Fusion changes that by acting as a distributed, intelligent control plane integrated directly into the Purity OS on FlashArray™ and FlashBlade®. Every system can participate in a unified, fleet-wide management experience, without a separate management appliance or single point of failure.

The intelligent control plane unlocks outcomes like:

  • Fleet-wide visibility instead of siloed dashboards
  • Consistent operations from any management endpoint
  • Policy-driven automation instead of one-off, manual commands

To deliver those outcomes safely, Everpure Fusion relies on three pillars:

  • Integrated IAM: Everpure Fusion plugs into your enterprise identity and access management to centralize authentication and authorization.
  • Strict RBAC: Permission groups limit who can create fleets, add arrays, provision workloads, or change policy.
  • Secure-by-default connectivity: Inbound/outbound remote provisioning and management with mutual TLS (mTLS) ensures every operation is authenticated and encrypted.

Everpure Fusion doesn’t replace the built-in security controls of Purity; it interconnects them so the same strong posture applies consistently across every array in the fleet.

Option 1: Array local users—simple, secure access management

Array local users are accounts created directly on an individual FlashArray or FlashBlade system. Their credentials and roles live on that array only, and authorization is scoped to that single system.

Local users are useful in an Everpure Fusion world in many ways:

  • Lab, PoC, or early evaluation environments
  • “Break-glass” administrator accounts when the directory or IdP is unavailable
  • Very small environments that haven’t adopted centralized identity yet
  • Fast setup: No dependency on external services; you can log in minutes after racking a system.
  • Self-contained: Credentials stay local, which can help in highly isolated networks or early testing.
  • No central governance: Joiners, movers, leavers, and role changes are all managed array by array.
  • Manual Life-cyle management: All creation, updates, and deletion of local users/groups are done on the array (via GUI or pureds local user/group). There’s no automatic sync to enterprise identity providers..
  • Not zero-trust aligned: Large enterprises typically demand centralized policy, MFA, and strong audit—hard to deliver with purely local users.

Bottom line: Local accounts are a helpful safety net and on-ramp, and you should leverage other options for your Everpure Fusion security strategy.

Option 2: LDAP—the foundation for fleet operations

Active Directory (AD) or other LDAP directories, such as OpenLDAP, are the system of record for identities and groups in most enterprises. They define who users are, which groups they belong to, and what organizational roles they hold.

Purity integrates with AD/LDAP and maps directory identities and groups to roles via RBAC. Everpure Fusion builds directly on that model.

Today, LDAP-backed identity is still the backbone for Everpure Fusion fleet operations:

  • Arrays integrate with AD/LDAP, so admins log in with their corporate credentials.
  • Purity maps users and groups to roles like array_admin, storage_admin, and readonly.
  • Those roles govern what users can do: form fleets, add or remove arrays, provision workloads, or execute remote operations.
  • Arrays in a fleet use the same directory, so identity and access behavior is consistent across the environment.

LDAP provides a stable identity fabric for Everpure Fusion to enforce policy at fleet scale.

  • Centralized control: HR and IAM changes flow naturally into access decisions—no more chasing local accounts during offboarding.
  • Operational consistency: The same corporate role model applies across your Everpure storage platform.
  • Automation-ready: LDAP-backed identities can be associated with API tokens, so automation inherits your enterprise governance model.
  • Legacy experience: Traditional username/password prompts can feel dated compared to SSO.
  • MFA is an add-on, not native: You can enforce stronger password policies, but full MFA best practices usually live in your IdP, not in LDAP.
  • Perception: Some customers see “LDAP-only login” as a blocker for adopting Everpure Fusion in highly regulated segments and want to move quickly to SSO.
  • As the baseline identity integration for any Everpure Fusion deployment
  • Organizations that want quick time to value by leveraging the directory they already trust
  • Environments planning to add SAML-based SSO on top while keeping AD/LDAP as the authoritative source underneath

Option 3: SAML 2.0 SSO—modern, federated access with SSO and MFA

SAML 2.0 lets Everpure arrays and Everpure Fusion fleets delegate authentication to a corporate Identity Provider (IdP) such as Microsoft Entra ID (Azure AD), Okta, or PingFederate.

Instead of logging in separately to each array with LDAP credentials, admins authenticate through a familiar SSO portal. The IdP then issues a SAML assertion that represents their identity and entitlements.

Implementing SAML on FlashArray and FlashBlade allows organizations to replace local or LDAP-driven user interface logins with SSO, while continuing to use their existing IdP or security stack.

  • An admin signs into the array WebUI using SSO.
  • The IdP returns a SAML assertion with attributes or groups that map to Purity roles like array_admin, storage_admin, ops_admin, or readonly.
  • Everpure Fusion uses those roles to authorize fleet-wide operations, without repeatedly prompting for credentials.

This brings Everpure Fusion in line with how enterprises already secure access to critical applications.

  • Stronger security posture
    • Enforce MFA centrally on storage admin access
    • Apply conditional access policies (for example, device posture, location, risk level)
    • Centralize login auditing and anomaly detection in your existing security tools
  • Centralized RBAC
    • Map IdP groups to Purity roles so access is determined by corporate identity, not ad hoc configuration
    • Manage role changes in one place instead of on every array
  • Better experience for admins
    • One SSO flow instead of multiple login prompts
    • Easier, safer credential hygiene with fewer passwords to rotate and remember
  • Primarily GUI-focused: SAML is designed for browser-based logins. CLI/SSH and many automation scenarios still rely on AD/LDAP and API tokens.
  • Assertion-driven roles: Role information is delivered at login time in the SAML assertion, so close collaboration between IAM, security, and storage teams is key to getting the mapping right.
  • Enterprises that have made SSO + MFA the default for administrative access
  • Customers where LDAP-only logins are a barrier to Everpure Fusion adoption
  • Organizations that want storage to live inside the same identity and policy framework as their other mission-critical platforms

Option 4: Per Array OAuth2 and API tokens—secure access for automation

For scripts, internal platforms, and CI/CD systems interacting with Everpure Fusion and Purity via APIs, OAuth2-style access tokens are the right mechanism for authentication and authorization.

Instead of hardcoding user passwords, you issue a scoped token that represents a specific identity and role.

  • You generate API tokens per Array tied to identities defined in your enterprise IAM—typically AD/LDAP-backed accounts.
  • Fusion securely communicates  over mTLS-secured channels to call REST API.
  • Fusion uses the generated tokens to support remote execution across arrays within a Fleet.
  • Purity and Everpure Fusion enforce RBAC based on the underlying identity and role, so automation is constrained just like a human admin would be.
  • Secure automation
    • Eliminate shared “root” logins in scripts and pipelines.
    • Make token rotation and revocation a normal part of change management.
  • Full traceability
    • Every API call is attributable to a specific principal, which simplifies audit, forensics, and compliance.
    • Easy to link automation activity back to owners and change tickets.
  • Developer flexibility
    • Integrate Everpure Fusion into your automation ecosystem—CLI, APIs, Ansible, Terraform, ITSM tools, and more.
    • Treat storage as a service that can be safely consumed by platforms, not just people.
  • Lifecycle discipline: Tokens must be issued, rotated, and revoked under clear policies.
  • Scope management: Tokens should be tied to the minimum necessary privileges; over-privileged tokens can become high-value targets if they leak.
  • Organizations embracing infrastructure as code, platform engineering, or internal self-service portals.
  • Environments where storage operations need to be embedded in broader workflows—not just executed by humans from a CLI.

Putting it all together: Patterns that deliver outcomes

Different customers land at different points on the maturity curve. Here are three practical patterns you can use when designing or positioning Everpure Fusion.

  • Use AD/LDAP as the primary identity source from day one.
  • Keep local users as tightly controlled break-glass accounts.
  • Introduce API tokens for repeatable automations once a few workflows are standardized.

Outcome:
A directory-backed foundation that’s easy to manage today and ready for SSO tomorrow

  • Deploy SAML 2.0 SSO for WebUI access on FlashArray and FlashBlade, bringing Everpure Fusion into the standard enterprise SSO experience.
  • Map IdP groups to Purity roles, so adding or removing someone from “Storage Admins” automatically updates access.
  • Keep AD/LDAP as the authoritative identity store and for non-SSO paths.
  • Use API tokens tied to directory identities for automation, integrations, and internal tooling.

Outcome:
A modern, MFA-enforced admin experience with centralized governance, while still supporting CLI and automation without workarounds

  • Make SAML SSO + MFA mandatory for all interactive admin access, with conditional access policies for high-risk operations.
  • Enforce strict RBAC and least privilege, with regular review cycles for role assignments and IdP group membership.
  • Use short-lived, narrowly scoped API tokens for automation, with strong approval and logging around token issuance and rotation.
  • Combine the integrated IAM, mTLS (FlashBlade REST API), and outbound-only architecture of Everpure Fusion with your existing network segmentation, SIEM, and SOC practices.

Outcome:
A hardened, auditable storage control plane that aligns with zero-trust principles—without crushing agility for operations teams

How to position Everpure Fusion identity and access strategy

When you’re talking to your stakeholders about Everpure Fusion, frame identity and access in terms of business outcomes:

  • Meet customers where they are: Everpure Fusion supports enterprise LDAP, SAML SSO, and token-based automation so teams can modernize at their own pace—not via a risky big-bang change.
  • Extend, not replace, enterprise IAM: Everpure Fusion plugs into existing directories and IdPs and uses them as the source of truth. Storage remains under the control of storage teams, while IAM and security own identity policy.
  • Combine security with speed: With SSO, MFA, RBAC, and secure automation working together, you don’t have to choose between control and agility. You get tighter security, better admin experience, and faster outcomes from your storage investments.

Everpure Fusion doesn’t just unify your storage. It unifies how people and systems securely access and operate it, across any environment and at any scale—turning your storage control plane into a strategic enabler for the Enterprise Data Cloud.

Want to learn more about Everpure Fusion? Check out the following links to dive deeper: