Aviatrix User VPN with SAML Authentication on OneLogin IdP
This guide provides an example on how to configure Aviatrix to authenticate against a OneLogin IdP. When SAML client is used, your Aviatrix CoPilot acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., OneLogin) for authentication.
Pre-Deployment Checklist
Before configuring SAML integration between Aviatrix and OneLogin, make sure the following is completed:
-
The Aviatrix Controller is deployed.
-
Have a valid OneLogin Account with admin access.
-
Download and install the Aviatrix SAML VPN client.
OneLogin Account
A valid OneLogin account with admin access is required to configure the integration.
Aviatrix CoPilot
All users must use the Aviatrix VPN client to connect to the system. Download the client for your OS here.
Configuration Steps
Follow these steps to configure Aviatrix to authenticate against your OneLogin IDP:
-
Create a OneLogin SAML App for Aviatrix.
-
Create a SAML Endpoint in Aviatrix CoPilot.
OneLogin SAML App
Before you start, pick a short name to be used for the SAML application name. In the notes below, we will refer to this as aviatrix_onelogin, but it can be any string.
We will use the string you select for the SAML application name to generate a URL for OneLogin to connect with Aviatrix. This URL is defined below as SP_ACS_URL. This URL should be constructed as:
"https://<your coPilot ip or host name>/flask/saml/sso/<aviatrix_onelogin>"
|
Replace <your CoPilot IP or host name> with the actual host name or IP address of your CoPilot and <aviatrix_onelogin> with the string you chose to refer to the SAML application. |
-
Log in to OneLogin as an administrator.
-
Add a new App (Apps > Add Apps).
-
Search for "SAML Test Connector."
-
Select SAML Test Connector (Advanced).
-
Enter the Configuration values and click Save.
You can download the rectangular image from here:
You can download the square image from here:
-
Click on Configuration tab.
-
Enter the values.
Field Value RelayState
Blank
Audience(Entity ID)
SP Entity ID
Recipient
SP_ACS_URL
ACS (Consumer) URL Validator
SP_ACS_URL
ACS (Consumer) URL
SP_ACS_URL
Single Logout URL
Blank
Login URL
SP Login(Test) URL
SAML not valid before
3 (default)
SAML not valid on or after
3 (default)
SAML initiator
Service Provider
SAML nameID format
Transient
SAML issuer type
Specific (default)
SAML signature element
Assertion
Encrypt assertion
Unmarked checkbox (default)
SAML encryption method
TRIPLEDES-CBC (default)
Sign SLO Response
Unmarked checkbox (default)
SAML sessionNotOnOrAfter
1440 (default)
Generate AttributeValue tag for empty values
Unmarked checkbox (default)
Sign SLO Request
Unmarked checkbox (default)
-
Click Save.
-
Select the Parameters tab.
-
Add the following custom parameters (case sensitive).
Field Value Flags Email
Email
Include in SAML assertion
FirstName
First Name
Include in SAML assertion
LastName
Last Name
Include in SAML assertion
-
Optionally, add a field to map to the profile in Aviatrix.
Field Value Flags Profile
(User Defined)
Include in SAML assertion
-
Click Save.
-
Click on More actions dropdown menu.
-
Copy the Metadata URL.
Aviatrix CoPilot SAML Endpoint
-
Go to Aviatrix CoPilot > CloudFabric > UserVPN > select the Settings tab.
-
Under SAML, click + SAML Endpoint.
-
Enter the following information:
Field Description Name
Pick
IPD Metadata Type
URL
IDP Metadata Text/URL
Paste in the Metadata URL obtained from the OneLogin app.
Entity ID
Select Hostname.
Custom SAML Request Template
Turn this setting off.
Creating a VPN User
-
Create a new VPN user. Use the VPN gateway created above.