OpenVPN® with SAML Authentication on OneLogin IdP

Overview

This guide provides an example on how to configure Aviatrix to authenticate against a OneLogin IdP. When SAML client is used, your Aviatrix Controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., OneLogin) for authentication.

Pre-Deployment Checklist

Before configuring SAML integration between Aviatrix and OneLogin, make sure the following is completed:

  1. Aviatrix Controller is set up and running.
  2. Have a valid OneLogin account with admin access.
  3. Download and install the Aviatrix SAML VPN client.

Aviatrix Controller

If you haven’t already deployed the Aviatrix Controller, follow the Controller Startup Guide.

OneLogin Account

A valid OneLogin account with admin access is required to configure the integration.

Aviatrix VPN Client

All users must use the Aviatrix VPN client to connect to the system. Download the client for your OS here.

Configuration Steps

Follow these steps to configure Aviatrix to authenticate against your OneLogin IDP:

  1. Create a OneLogin SAML App for Aviatrix.
  2. Create a SAML Endpoint in the Aviatrix Controller.

OneLogin SAML App

Before you start, pick a short name to be used for the SAML application name. In the notes below, we will refer to this as aviatrix_onelogin, but it can be any string.

We will use the string you select for the SAML application name to generate a URL for OneLogin to connect with Aviatrix. This URL is defined below as SP_ACS_URL. This URL should be constructed as:

https://<your controller ip or host name>/flask/saml/sso/<aviatrix_onelogin>”

Tip

Replace <your Controller IP or host name> with the actual host name or IP address of your controller and <aviatrix_onelogin> with the string you chose to refer to the SAML application.

  1. Log in to OneLogin as an administrator.

  2. Add a new App (Apps > Add Apps).

    imageOLAddAppsMenu

  3. Search for “SAML Test Connector.”

    imageOLNewAppSearch

  4. Select SAML Test Connector (Advanced).

  5. Enter the Configuration values and click Save.

    imageOLNewAppStep1

    You can download the rectangular image from here and the square image from here.

  6. Click on Configuration tab.

  7. Enter the values.

    Field Value
    RelayState Blank
    Audience(Entity ID) SP Entity ID
    Recipient SP_ACS_URL
    ACS (Consumer) URL Validator SP_ACS_URL
    ACS (Consumer) URL SP_ACS_URL
    Single Logout URL Blank
    Login URL SP Login(Test) URL
    SAML not valid before 3 (default)
    SAML not valid on or after 3 (default)
    SAML initiator Service Provider
    SAML nameID format Transient
    SAML issuer type Specific (default)
    SAML signature element Assertion
    Encrypt assertion Unmarked checkbox (default)
    SAML encryption method TRIPLEDES-CBC (default)
    Sign SLO Response Unmarked checkbox (default)
    SAML sessionNotOnOrAfter 1440 (default)
    Generate AttributeValue tag for empty values Unmarked checkbox (default)
    Sign SLO Request Unmarked checkbox (default)

    imageConfiguration

  8. Click Save.

  9. Select the Parameters tab.

  10. Add the following custom parameters (case sensitive).

    Field Value Flags
    Email Email Include in SAML assertion
    FirstName First Name Include in SAML assertion
    LastName Last Name Include in SAML assertion

    imageOLNewAppParams

  11. Optionally, add a field to map to the profile in Aviatrix.

    Field Value Flags
    Profile (User Defined) Include in SAML assertion

  12. Click Save.

  13. Click on More actions dropdown menu.

  14. Copy the Metadata URL.

    imageOLSSOTab

Aviatrix Controller SAML Endpoint

  1. Log in to your Aviatrix Controller.

  2. Select OpenVPN > Advanced on the left sidebar.

  3. select the SAML tab.

  4. Click + Add New.

  5. Follow the table below for details on the fields in the table:

    Field Description
    Endpoint Name Pick
    IPD Metadata Type URL
    IDP Metadata Text/URL Paste in the Metadata URL obtained from the OneLogin app.
    Entity ID Select Hostname
    Custom SAML Request Template Unmarked checkbox

    imageAvtxSAMLEndpoint

Testing the Integration

You can quickly validate that the configuration is complete by clicking Test next to the SAML endpoint.

imageAvtxTestSAML

Creating a VPN User

  1. Log in to the Aviatrix Controller.
  2. Select OpenVPN® > VPN Users on the left sidebar.
  3. Click + Add New.
  4. Select the VPC ID and LB/Gateway Name for your SAML Gateway.
  5. Enter a name in the User Name field.
  6. Enter any valid email address in the User Email field (this is where the cert file will be sent). Alternatively, you can download the cert if you do not enter an email address.
  7. Select the SAML Endpoint.
  8. Click OK.

Validating

  1. Log in to the Aviatrix Controller.
  2. Select OpenVPN® > VPN Users on the left sidebar.
  3. Download the configuration for your test user created in the previous step.
  4. Open the Aviatrix VPN Client application.
  5. Click Load Conf and select the file downloaded.
  6. Click Connect.