OpenVPN® with SAML Authentication on OneLogin IdP¶
Overview¶
This guide provides an example on how to configure Aviatrix to authenticate against a OneLogin IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., OneLogin) for authentication.
Pre-Deployment Checklist¶
Before configuring SAML integration between Aviatrix and OneLogin, make sure the following is completed:
- Aviatrix Controller is setup and running.
- Have a valid OneLogin account with admin access.
- Download and install the Aviatrix SAML VPN client.
Aviatrix Controller¶
If you haven’t already deployed the Aviatrix controller, follow the Controller Startup Guide.
OneLogin Account¶
A valid OneLogin account with admin access is required to configure the integration.
Configuration Steps¶
Follow these steps to configure Aviatrix to authenticate against your OneLogin IDP:
- Create a OneLogin SAML App for Aviatrix
- Create a SAML Endpoint in the Aviatrix Controller
OneLogin SAML App¶
Before you start, pick a short name to be used for the SAML application name. In the notes below we will refer to this as aviatrix_onelogin. But it can be any string.
We will use the string you select for the SAML application name to generate a URL for OneLogin to connect with Aviatrix. This URL is defined below as SP_ACS_URL. This URL should be constructed as:
https://<your controller ip or host name>/flask/saml/sso/<aviatrix_onelogin>
Tip
Replace <your controller ip or host name> with the actual host name or IP address of your controller and <aviatrix_onelogin> with the string you chose to refer to the SAML application.
Login to OneLogin as an administrator
Add a new App (Apps* > **Add Apps)
Search for SAML Test Connector
Select SAML Test Connector (IdP)
Enter the Configuration values and click Save
You can download the rectangular image from here and the square image from here.
Click on Configuration tab
Enter the values
Field Value RelayState Blank Audience SP_ACS_URL Recipient SP_ACS_URL ACS (Consumer) URL Validator SP_ACS_URL ACS (Consumer) URL SP_ACS_URL Single Logout URL Blank Click Save
Click on the Parameters tab
Add the following custom parameters (case sensitive)
Field Value Flags Email Email Include in SAML assertion FirstName First Name Include in SAML assertion LastName Last Name Include in SAML assertion Optionally, add a field to map to the profile in Aviatrix
Field Value Flags Profile (User Defined) Include in SAML assertion Click Save
Click on SSO tab
Note the Issuer URL for the next step.
Aviatrix Controller SAML Endpoint¶
Login to your Aviatrix Controller
Expand OpenVPN, select Advanced in the navigation menu
Go to the SAML tab
Click + Add New button
Follow the table below for details on the fields in the table:
Field Description Endpoint Name Pick IPD Metadata Type URL IDP Metadata Text/URL Paste in the Issuer URL obtained from the OneLogin app. Entity ID Select Hostname Custom SAML Request Template Unchecked
Test the Integration¶
You can quickly validate that the configuration is complete by clicking on the Test button next to the SAML endpoint.
Create a VPN User¶
- Log in to the Aviatrix Controller
- Click OpenVPN® in the left navigation menu
- Select VPN Users
- Click + Add New
- Select the VPC ID and LB/Gateway Name for your SAML Gateway
- Enter a name in the User Name field
- Enter any valid email address in the User Email field (this is where the cert file will be sent). Alternatively, you can download the cert if you do not enter an email address.
- Select the SAML Endpoint
- Click OK
Validate¶
- Log in to the Aviatrix Controller
- Click OpenVPN® in the left navigation menu
- Select VPN Users
- Download the configuration for your test user created in the previous step
- Open the Aviatrix VPN Client application
- Click Load Conf and select the file downloaded
- Click Connect