SSO with OIDC in Aviatrix PaaS

Single sign-on (SSO) allows users to log in to various applications in your business using a single set of credentials. You must configure users with an OAuth Identity Provider (IdP), such as Microsoft. The OAuth application authenticates the user and then redirects the user to the Aviatrix Platform console.

Currently, Microsoft Azure Entra ID (OpenID Connect) is the only supported Identity Provider (IdP).

After a company enables SSO with Aviatrix PaaS, all users from that company must sign on to Aviatrix using SSO. If SSO is disabled, users that have existing accounts with email authentication will still be able to log in to Aviatrix PaaS, if the account is still subscribed to Aviatrix.

Setting up SSO with Aviatrix PaaS is a 3-step process:

Get the Aviatrix PaaS OAuth Callback URL

You need the Aviatrix PaaS OAuth callback (redirect) URL to set up the OAuth application in your IdP.

This URL is the Aviatrix console address to which your IdP redirects you after you are successfully authenticated.

To get the callback URL:

  1. Log in to Aviatrix PaaS console.

  2. Go to Settings > Single Sign-On and click Manage.

  3. In Manage Single Sign-On, go to Aviatrix PaaS OAuth Callback URL, click the copy icon, and then save the URL.

    You must enter this URL when creating an application in your CSP account.

Create an OAuth Application in Azure

You must have admin privileges for Azure portal to complete this task.

If you do not yet have an Aviatrix PaaS application and client secret, you need to create them. To create an application in Azure, you need the callback (redirect) URL from Aviatrix Platform.

For the OAuth application in Azure, you must copy the application (client) ID, client secret value, and the URI for the OpenID Connect (OIDC) metadata specification document. You will use this information to configure SSO in Aviatrix Platform.

To create an OAuth application:

  1. Log in to your Azure account.

  2. Go to All applications > App registrations.

  3. Click + New registration and enter the following:

    • Name:

      Enter a user-facing display name for the application, such as "aviatrix-paas".

    • Supported account types:

      Select "Accounts in this organizational directory only (Aviatrix… Single Tenant)".

    • Redirect URI:

      Select the Web platform and enter the Callback URL you copied from Aviatrix Platform.

  4. Click Register.

  5. In the left navigation, click Certificates & secrets.

  6. Click + New client secret, enter a description and expiration date, and click Add.

    The new client secret displays in the list.

  7. Copy the Value and Secret ID you just created and save them to a safe place.

    You need the client secret Value to enter in Aviatrix Platform.

    The secret Value is shown only at this time and cannot be retrieved later. Be sure to copy and save it now.

  8. Go to All applications > App registrations > Owned applications.

  9. Click on the Aviatrix PaaS application you created.

  10. On the application Overview page, copy and save the Application (client) ID.

  11. Click the Endpoints tab.

  12. Scroll through the list, locate OpenID Connect metadata document, and then copy and save the URL.

Verify Token Configuration

For SSO to work properly with Aviatrix PaaS, several optional claims and a groups claim must be set in Azure for the Aviatrix PaaS application.

  1. In Azure, go to App Registrations and select the Aviatrix PaaS application.

  2. In the navigation pane, click Token configuration.

  3. Verify that the following Claims are listed:

    • email

    • family_name

    • given_name

    • groups

  4. If the claims are not listed, do the following:

    1. Click + Add optional claim, select ID, and add the claims.

    2. Click + Add groups claim, in the ID section select Group ID, and add the group claim.
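The claims listed above are what Aviatrix PaaS reads out of the Entra ID token after sign-in. The following is an added example, not Aviatrix or Microsoft code, that shows what a relying party checks on such a token: signature, issuer, audience, expiry, and the presence of the email, family_name, given_name and groups claims. The tenant ID, application ID, key and user values are constructed placeholders; the HMAC-SHA256 signature is a stand-in so the sample runs offline with the standard library, whereas real Entra ID tokens are RS256-signed and must be verified against the keys published at the jwks_uri in the OIDC metadata document.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Claims the page says must be present in the ID token for Aviatrix PaaS SSO.
REQUIRED_CLAIMS = ("email", "family_name", "given_name", "groups")

# Constructed placeholders (not real tenant or application IDs).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
KEY = b"constructed-demo-key"  # stand-in for the RS256 keys served at jwks_uri


def b64url_decode(seg: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(payload: dict, key: bytes = KEY) -> str:
    """Build a constructed ID token signed with HMAC-SHA256 (offline stand-in for RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes = KEY) -> dict:
    """Check the signature and return the payload; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    # Pin the algorithm: the token never gets to choose (rejects alg=none and swaps).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body))


def check_claims(payload: dict, issuer: str = ISSUER, audience: str = CLIENT_ID,
                 now: Optional[float] = None) -> List[str]:
    """Return the problems found; an empty list means the token is usable for SSO."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append(f"iss mismatch: {payload.get('iss')!r}")
    aud = payload.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        problems.append(f"aud mismatch: {aud!r}")
    if payload.get("exp", 0) <= now:
        problems.append("token expired or exp missing")
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            problems.append(f"missing claim: {claim}")
    if "groups" in payload and not isinstance(payload["groups"], list):
        problems.append("groups must be a list of group object IDs")
    return problems


# Constructed sample payloads: one from an app with the full token configuration,
# one from an app where the optional claims and the groups claim were never added.
COMPLETE = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "exp": 1_700_003_600,
            "email": "alice@example.com", "given_name": "Alice", "family_name": "Example",
            "groups": ["22222222-2222-2222-2222-222222222222"]}
INCOMPLETE = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "exp": 1_700_003_600,
              "preferred_username": "alice@example.com"}

if __name__ == "__main__":
    print(check_claims(verify_token(make_token(COMPLETE)), now=1_700_000_000))
    print(check_claims(verify_token(make_token(INCOMPLETE)), now=1_700_000_000))
```

Running the module prints an empty list for the complete token and the four missing claims for the incomplete one, which is the same gap the Token configuration page shows when the optional claims were never added. Claims are only inspected after the signature check succeeds; decoding the payload first and trusting it is the mistake this ordering avoids.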

Configure SSO in Aviatrix Platform

Before configuring single sign-on (SSO) in Aviatrix Platform, be sure you have collected the required information. For more information, see Create an OAuth Application in Azure.

You must have admin privileges in Aviatrix Platform to configure SSO.

To configure SSO:

  1. Log in to Aviatrix Platform console.

  2. Go to Settings.

  3. On the Single Sign-On card, click Manage.

  4. Select your OAuth identity provider (IdP) and enter the information you copied from your IdP:

    • Client (Application) ID

    • Client Secret value

    • OpenID Connect (OIDC) Document URL

  5. Click Save.

    The Client ID and OIDC Document URL display on the Single Sign-On card on the Settings page.
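The three values entered above are easy to mix up, in particular the client secret Value and its Secret ID, both of which Azure shows side by side. The following is an added example, not Aviatrix code, of the checks an operator can run on those inputs and on the discovery document behind the OIDC Document URL before saving: GUID shape of the client ID, a secret that is not itself a GUID, an https URL ending in the standard well-known path, and a discovery document whose issuer matches the URL it was fetched from. The tenant ID, application ID, Secret ID and secret value are constructed placeholders, the discovery document is a constructed sample with the field names defined by OpenID Connect Discovery, and the treatment of a GUID-shaped secret as "the Secret ID was pasted" is an assumption based on the copy step above.

```python
import json
import re
from typing import List
from urllib.parse import urlparse

# GUID shape shared by an Entra ID Application (client) ID and a client secret's Secret ID.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
WELL_KNOWN = "/.well-known/openid-configuration"
# Metadata fields from OpenID Connect Discovery 1.0 that a code-flow client relies on.
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_sso_inputs(client_id: str, client_secret: str, oidc_document_url: str) -> List[str]:
    """Sanity-check the three values before they are saved in Aviatrix Platform."""
    problems = []
    if not GUID_RE.match(client_id):
        problems.append("Client (Application) ID is not a GUID; copy it from the Overview page")
    if not client_secret:
        problems.append("Client Secret value is empty")
    elif GUID_RE.match(client_secret):
        # Azure lists both a Value and a Secret ID for each secret; only the Value is
        # the secret. Assumption: a GUID here means the Secret ID column was pasted.
        problems.append("Client Secret looks like the Secret ID, not the secret Value")
    url = urlparse(oidc_document_url)
    if url.scheme != "https":
        problems.append("OIDC Document URL must use https")
    if not url.path.endswith(WELL_KNOWN):
        problems.append(f"OIDC Document URL should end with {WELL_KNOWN}")
    return problems


def check_discovery_document(doc_json: str, oidc_document_url: str) -> List[str]:
    """Validate a discovery document fetched from the OIDC Document URL.

    Fetching is left to the caller so this runs offline; the document arrives as JSON text."""
    problems = []
    doc = json.loads(doc_json)
    for field in REQUIRED_METADATA:
        if field not in doc:
            problems.append(f"discovery document is missing {field}")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if field in doc and urlparse(doc[field]).scheme != "https":
            problems.append(f"{field} is not https")
    if "issuer" in doc and doc["issuer"].rstrip("/") + WELL_KNOWN != oidc_document_url:
        # Discovery requires the document to be served at issuer + WELL_KNOWN; a mismatch
        # means ID tokens will carry an iss value the client does not expect.
        problems.append(f"issuer {doc['issuer']!r} does not match the document URL")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider does not advertise RS256 for ID tokens")
    return problems


# Constructed values: placeholder tenant and application IDs, not real ones.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SECRET_ID = "33333333-3333-3333-3333-333333333333"   # the wrong column to copy
SECRET_VALUE = "constructed~secret~value"
BASE = f"https://login.microsoftonline.com/{TENANT_ID}"
ISSUER = f"{BASE}/v2.0"
OIDC_DOCUMENT_URL = ISSUER + WELL_KNOWN

# Constructed discovery document using the field names Entra ID v2.0 publishes.
DISCOVERY_DOC = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

if __name__ == "__main__":
    print(check_sso_inputs(CLIENT_ID, SECRET_VALUE, OIDC_DOCUMENT_URL))
    print(check_sso_inputs(CLIENT_ID, SECRET_ID, OIDC_DOCUMENT_URL))
    print(check_discovery_document(DISCOVERY_DOC, OIDC_DOCUMENT_URL))
```

The first and third calls return empty lists; the second reports that a Secret ID rather than the secret Value was supplied, which is the failure an operator otherwise only discovers when the first SSO login is rejected at the token endpoint.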

Anyone who has an SSO account with your company and has access to this Aviatrix account should now be able to log in to Aviatrix PaaS using SSO.

To sign in to an existing Aviatrix Platform with administrator privileges, you must be invited by an admin on the platform and given the admin role. Otherwise, you sign in with read-only privileges.

Sign in with SSO

After SSO has been fully configured between your identity provider (IdP) and Aviatrix PaaS, you can sign in to the Aviatrix Platform console using your SSO account.

If you are signed in to your IdP, when you sign in to Aviatrix PaaS with your email address, you will be immediately redirected and automatically signed in to the Aviatrix console.

If you are not signed in to your IdP, when you sign in to Aviatrix PaaS an authentication window displays for you to sign in to your IdP. After signing in to your IdP, you are then redirected and automatically signed in to the Aviatrix console.

To sign in to an existing Aviatrix Platform with administrator privileges, you must be invited by an admin on the platform and given the admin role. Otherwise, you sign in with read-only privileges.

Disable Single Sign-On (SSO)

After a company enables SSO, all users from that company can sign on using SSO.

If SSO is disabled, users that have existing accounts with email authentication will still be able to sign in to Aviatrix PaaS, if the account is still subscribed to Aviatrix.

Disabling single sign-on can restrict some users from accessing this system. Only users with email authentication will be able to log in. Disabling SSO cannot be undone from Aviatrix Platform.

At least one user with email authentication must exist before disabling Single Sign-On.

  1. In Aviatrix Platform, go to Administration > User Access.

  2. If a user with email login is not configured, add a user.

    1. Click + User and enter the required information.

    2. Assign the Admin role to the user.

  3. Go to Settings.

  4. On the Single Sign-On card, set the toggle to Off.