OpenVPN® with SAML Authentication on Okta IDP

Overview

This guide provides an example on how to configure Aviatrix to authenticate against an Okta IDP. When SAML client is used, your Aviatrix Controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IDP (e.g., Okta) for authentication.

Pre-Deployment Checklist

Before configuring SAML integration between Aviatrix and Okta, make sure the following is completed:

1. The Aviatrix Controller is set up and running.

2. You have a valid Okta account with admin access.

3. You have downloaded and installed the Aviatrix SAML VPN client.

Aviatrix Controller

If you haven’t already deployed the Aviatrix Controller, follow the Controller Startup Guide.

Okta Account

A valid Okta account with admin access is required to configure the integration.

Aviatrix VPN Client

All users must use the Aviatrix VPN client to connect to the system. Download the client for your OS here.

Configuration Steps

Follow these steps to configure Aviatrix to authenticate against your Okta IDP:

1. Create an Okta SAML App for Aviatrix.

2. Retrieve Okta IDP metadata.

3. Launch an Aviatrix Gateway.

4. Create Aviatrix SAML SP Endpoint.

5. Test the Integration is Set Up Correctly.

6. Create Aviatrix VPN User.

7. Validate.

Creating an Okta SAML App for Aviatrix

Note

This step is usually done by the Okta Admin.

1. Log in to the Okta Admin portal.

2. Follow Okta documentation to create a new application.

   Field	Value
   Platform	Web
   Sign on method	SAML 2.0

   

3. General Settings

   Field	Value	Description
   App name	Aviatrix	This can be any value. It will be displayed in Okta only.
   App logo	Aviatrix logo: Aviatrix logo with red background Aviatrix logo with transparent background	Aviatrix logo (optional)
   App visibility	N/A	Leave both options unchecked

   

4. SAML Settings

   • General

   Field	Value
   Single sign on URL	https://[host]/flask/saml/sso/[SP Name]
   Audience URI (SP Entity ID)	https://[host]/
   Default RelayState
   Name ID format	Unspecified
   Application username	Okta username

   [host] is the hostname or IP of your Aviatrix Controller. For example, “https://controller.demo.aviatrix.live.”

   [SP Name] is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix Controller.

   

   • Attribute Statements

     Name	Name format	Value
     FirstName	Unspecified	user.firstName
     LastName	Unspecified	user.lastName
     Email	Unspecified	user.email

     

Retrieving Okta IDP Metadata

Note

This step is usually completed by the Okta admin.

After the application is created in Okta, go to the Sign On tab for the application. Then, click View Setup Instructions.

Look for the section titled “Provide the following IDP metadata to your SP provider.”

Important

Copy the text displayed. This value will be used to configure the SAML “IDP Metadata URL” field on the Aviatrix Controller.

You need to assign the application to your account. Please follow steps 11 through 14 at Okta documentation.

Launching an Aviatrix VPN Gateway

Note

This step is usually completed by the Aviatrix admin.

1. Log in to the Aviatrix Controller.

2. Click Gateway on the left sidebar.

3. Click + New Gateway.

4. Enter a Gateway Name.

5. Select the appropriate Account Name, Region, VPC ID, Public Subnet, and Gateway Size.

6. Mark the VPN Access.

7. Mark the Enable SAML.

8. For information on the other settings, please refer to this document.

9. Click OK to create the Gateway.

Creating Aviatrix SAML Endpoint

Note

This step is usually completed by the Aviatrix admin.

1. Login to the Aviatrix Controller.

2. Click OpenVPN® on the left sidebar.

3. Select Advanced.

4. Select the SAML tab.

5. Click + Add New.

   

   Field	Value
   Endpoint Name	SP Name (Use the same name you entered in the Okta Application previously)
   IDP Metadata Type	Text
   IDP Metadata Text	Value Copied from Okta (Paste the value copied from Okta SAML configuration)
   Entity ID	Hostname

6. Click OK.

Testing the Integration

1. Start the Aviatrix VPN Client.

   Note

   If you don’t start the client, you will receive a warning from the browser in the last step of this process

2. Log in to the Aviatrix Controller.

3. Click OpenVPN® on the left sidebar.

4. Select Advanced.

5. Select the SAML tab.

6. Click Test next to the “SP Name” created in the previous step.

   Tip

   You will need to assign the new Okta application to a test user’s Okta account before clicking Test.

7. You should be redirected to Okta. Log in with your test user credentials.

   Important

   If everything is configured correctly, once you have authenticated you will be redirected back to the Controller and the window will close.

Create a VPN User

1. Log in to the Aviatrix Controller.

2. Select OpenVPN® > VPN Users on the left sidebar.

3. Click + Add New.

4. Select the VPC ID and LB/Gateway Name for your SAML Gateway.

5. Enter a name in the User Name field.

6. Enter any valid email address in the User Email field (this is where the cert file will be sent). Alternatively, you can download the cert if you do not enter an email address.

7. Select the SAML Endpoint.

8. Click OK.

Validate

1. Log in to the Aviatrix Controller.

2. Click OpenVPN® > VPN Users on the left sidebar.

3. Download the configuration for your test user created in the previous step.

4. Open the Aviatrix VPN Client application.

5. Click Load Conf and select the file downloaded.

6. Click Connect.

Note

SAML VPN supports shared certificates. You can share the certificate among VPN users or create more VPN users.

Configuring Okta for Multi Factor Authentication (Optional)

Once you have successfully configured Okta IDP with Aviatrix SP, you can configure Okta for Multi Factor Authentication.

Please read this article from Okta on Multifactor setup.

See this article if you’re interested in using Duo in particular.

OpenVPN is a registered trademark of OpenVPN Inc.