Okta IdP for SAML Integration

Overview

This guide provides an example of how to configure Okta as an Identity Provider (IdP) for an Aviatrix SAML Service Provider (SP) endpoint. When SAML is used, the Aviatrix controller acts as the SP: it redirects the user's browser to the IdP (here, Okta) for authentication and consumes the signed SAML assertion the IdP returns.

Before configuring SAML integration between Aviatrix and Okta, make sure you have a valid Okta account with administrator access.

Configuration Steps

Follow these steps to configure Aviatrix to authenticate against your Okta IdP:

Step 1. Create a temporary Aviatrix SP Endpoint in the Aviatrix Controller

Step 2. Create an Okta SAML App for Aviatrix in the Okta Portal

Step 3. Retrieve Okta IdP metadata

Step 4. Update Aviatrix SP Endpoint in the Aviatrix Controller

Step 5. Test the Integration is Set Up Correctly

Step 1. Create an Aviatrix SP Endpoint

Visit one of the following links based on your use case and follow step 1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from that page's Configuration section:

If integrating Okta IdP with Controller Login SAML Config

If integrating Okta IdP with OpenVPN with SAML Authentication

Step 2. Create an Okta SAML App for Aviatrix

Note

This step is usually done by the Okta Admin.

  1. Log in to the Okta Admin portal

  2. Follow Okta documentation to create a new application.

    Field           Value
    Platform        Web
    Sign on method  SAML 2.0

  3. General Settings

    Field           Value                     Description
    App name        Aviatrix                  Can be any value; it is displayed in Okta only.
    App logo        Aviatrix logo (optional)  Upload the Aviatrix logo if desired.
    App visibility  N/A                       Leave both options unchecked.

  4. SAML Settings

    • General

      Field                        Value
      Single sign on URL           https://[host]/flask/saml/sso/[Endpoint Name]
      Audience URI (SP Entity ID)  https://[host]/
      Default RelayState           (leave blank)
      Name ID format               Unspecified
      Application username         Okta username

    [host] is the hostname or IP address of your Aviatrix controller, for example https://controller.demo.aviatrix.live

    [Endpoint Name] is an arbitrary identifier. Use the same value when configuring the SAML endpoint in the Aviatrix controller. This example uses dev for [Endpoint Name].

    • Attribute Statements

      Name       Name format   Value
      FirstName  Unspecified   user.firstName
      LastName   Unspecified   user.lastName
      Email      Unspecified   user.email

  5. Assign the application to your user account. Follow steps 11 through 14 in the Okta documentation.

Step 3. Retrieve Okta IdP metadata

Note

This step is usually completed by the Okta admin.

  1. After the application is created in Okta, go to the Sign On tab for the application.
  2. Copy the URL from the Identity Provider metadata link. This value will be used to configure the Aviatrix SP Endpoint.

Step 4. Update Aviatrix SP Endpoint

Note

This step is usually completed by the Aviatrix admin. Okta provides the IdP metadata either as text or as the URL obtained in Step 3 (Retrieve Okta IdP metadata).

Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case:

  1. If integrating Okta IdP with Controller Login SAML Config
  2. If integrating Okta IdP with OpenVPN with SAML Authentication

Note

Each endpoint supports only one type of access. If you need both admin and read-only access, create two separate SAML apps, one per endpoint. The controller hostname is the default Entity ID; if other apps already use the same hostname as their Entity ID, use a custom Entity ID instead.

Step 5. Test the Integration

Tip

Be sure to assign users to the new application in Okta prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error.

Continue with testing the integration by visiting one of the following links based on your use case:

  1. If integrating Okta IdP with Controller Login SAML Config
     1. Click Settings in the left navigation menu
     2. Select Controller
     3. Click on the SAML Login tab
  2. If integrating Okta IdP with OpenVPN with SAML Authentication
     1. Expand OpenVPN® in the navigation menu and click Advanced
     2. Stay on the SAML tab

You can quickly validate that the configuration is complete by clicking on the Test button next to the SAML endpoint.

Configure Okta for Multifactor Authentication (OPTIONAL)

Once you have successfully configured Okta IdP with Aviatrix SP, you can configure Okta for Multifactor Authentication.

Please read this article from Okta on Multifactor setup.

See this article if you’re interested in using DUO in particular.

OpenVPN is a registered trademark of OpenVPN Inc.