CoPilot SAML Authentication

Overview

This guide provides an example of how to configure Aviatrix CoPilot to authenticate users against an IdP. When SAML is used for Aviatrix CoPilot access authentication, your Aviatrix CoPilot acts as the SAML Service Provider (SP) that redirects browser traffic from the client to the IdP (e.g., Okta) for authentication.

The Aviatrix CoPilot SAML login supports multiple SAML endpoints, each with its own access level and, if needed, a different IdP.

For each supported IdP, there is a link to its individual integration guide.

Setting up SAML authentication for the VPN client is something separate, although the interfaces are similar.

SAML Configuration Checklist

Before configuring SAML integration between Aviatrix and IdP, make sure the following is completed:

  • The Aviatrix CoPilot is up and running

  • You have a valid IdP account with admin access

An IdP refers to an identity provider for SAML. This could be any provider that supports a SAML endpoint, such as Okta, OneLogin, Google, AWS SSO, Azure AD, or PingOne. You need administrator access to create IdP endpoints for SAML. See IdP-specific SAML Integration for a list of guides for supported IdPs.

Configuring SAML Authentication

Follow these steps to configure Aviatrix to authenticate against IdP:

Create a Temporary Aviatrix SP Endpoint

This step is usually completed by the Aviatrix admin. This endpoint will be updated later on in the guide. At this step, we will be using placeholder values.

Choose an endpoint name for your Aviatrix SAML endpoint which will be used throughout the guide. This guide will use aviatrix_saml_copilot as an example for the endpoint name.

  1. Log in to Aviatrix CoPilot.

  2. Go to Administration > User Access > Access Management.

  3. Under Login Authentication, click +SAML Endpoint.

    The Create SAML Endpoint dialog displays.

  4. Enter the following information:

    Name: Enter a unique identifier for the service provider.

    IdP Metadata Type: Text or URL (depending on what was provided by the SAML provider). For now, choose URL.

    Identity Provider Metadata Text/URL: The IdP metadata URL or text copied from the SAML provider configuration. For now, enter a placeholder URL, such as "https://www.google.com". If you select the Text option, paste the IdP metadata XML into this field.

    Entity ID: Hostname or Custom. Select Hostname for now. If you select Custom, you must enter a Custom Entity ID.

    Access Set By: Select Controller or SAML Identity Provider Attribute. If you select Controller, you must select a Permission Group. If you select SAML Identity Provider Attribute, you can choose to Block Empty Profiles.

    Sign Auth Requests: (no description given in this guide)

    Custom SAML Request Template: For now, leave blank. Depending on your specific IdP, you may have to check this option. If so, replace the sample template with your own template.

Each endpoint supports only one type of access (one permission group). If you need both admin and read-only access, create two separate SAML apps, with a corresponding endpoint for each.

  5. Click Save.

  6. Depending on your IdP, you may need to upload SP metadata.

    1. After the temporary SAML endpoint is created, click the vertical ellipsis icon next to the SAML endpoint and select Download SP Metadata.

    2. Copy the SP metadata as text.

Create a SAML App for Aviatrix CoPilot with the IdP

This step is usually done by the IdP administrator. This section shows only a generalized process for creating a SAML application.

Create a SAML 2.0 app in the IdP using the following values from the SAML endpoint you created above:

  • Assertion Consumer Service URL: to obtain this, in Aviatrix CoPilot click the vertical ellipsis icon next to the SAML endpoint and click Copy Assertion Consumer Service URL.

  • Audience URI (Entity ID)

  • SP Metadata URL

  • SP Login URL

  • Default RelayState = <empty>

The following SAML attributes are expected:

  • FirstName

  • LastName

  • Email (unique identifier for SAML)

These values are case-sensitive.
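Because the attribute names are case-sensitive, the most common integration failure is an IdP that sends "email" or "firstname" instead of the exact names above. The following Python script is an added example for this guide, not Aviatrix code: it parses a SAML response, extracts every attribute in the AttributeStatement, and reports each required attribute as ok, present but empty, case-mismatched, or missing. The sample response is constructed here (it deliberately sends "email" in lower case to show the failure); the names SAMPLE_ASSERTION, extract_attributes and check_required_attributes are the example's own.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces (from the OASIS SAML specification).
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Attribute names CoPilot expects, exactly as the guide lists them (case-sensitive).
REQUIRED_ATTRIBUTES = ("FirstName", "LastName", "Email")

# Constructed sample: a minimal, unsigned response as an IdP might emit it.
# "email" is deliberately lower-case to demonstrate the case-mismatch failure.
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(saml_xml: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement in the document."""
    root = ET.fromstring(saml_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_required_attributes(saml_xml: str) -> dict:
    """Report each required attribute as ok, present but empty, case-mismatched, or missing."""
    attrs = extract_attributes(saml_xml)
    by_lower = {name.lower(): name for name in attrs}
    report = {}
    for required in REQUIRED_ATTRIBUTES:
        if required in attrs:
            # Email is CoPilot's unique user identifier, so an empty value is a real problem.
            report[required] = "ok" if any(attrs[required]) else "present but empty"
        elif required.lower() in by_lower:
            # Same word, wrong case: the exact-match lookup treats this as missing.
            report[required] = f"case mismatch: IdP sends '{by_lower[required.lower()]}'"
        else:
            report[required] = "missing"
    return report


if __name__ == "__main__":
    for name, status in check_required_attributes(SAMPLE_ASSERTION).items():
        print(f"{name}: {status}")
```

To use it against a real login, capture the SAML response from the browser's developer tools (it is base64-encoded in the SAMLResponse form field), decode it, and pass the XML to check_required_attributes; a "case mismatch" line tells you exactly which attribute mapping to rename in the IdP app.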

IdP-specific SAML App Integration

You require administrator access to create IdP endpoints for SAML.

These are guides for specific IdPs that were tested to work with Aviatrix SAML integration:

Retrieve IdP Metadata

After creating the SAML app in the IdP, retrieve the IdP metadata, either as a URL or as text, from the IdP application created in the previous step.

  • Azure AD - provides IdP metadata URL and needs a custom SAML request template

  • Okta - provides IdP metadata URL

  • OneLogin - provides IdP metadata URL
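Before pasting IdP metadata into the endpoint, it is worth confirming that the document really is IdP metadata and carries what CoPilot needs. The following Python script is an added example for this guide, not Aviatrix code: it parses metadata supplied as text (the Text option; with the URL option CoPilot fetches the document itself), extracts the entityID, the SingleSignOnService endpoints and the signing certificate, and flags a missing signing certificate, a missing SSO binding, plain-http endpoints, or SP metadata pasted by mistake. The sample metadata, the idp.example.com host and the certificate body are constructed placeholders; parse_idp_metadata and preflight_checks are the example's own names.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML 2.0 metadata and XML Signature namespaces (OASIS / W3C specifications).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata; the host and the certificate body are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-BASE64...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(metadata_xml: str) -> dict:
    """Extract entityID, SSO endpoints by binding, and signing certificates from IdP metadata text."""
    root = ET.fromstring(metadata_xml)
    # Some IdPs wrap the descriptor in an EntitiesDescriptor; unwrap the first entity.
    if root.tag == f"{{{NS['md']}}}EntitiesDescriptor":
        root = root.find("md:EntityDescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS) if root is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata pasted by mistake?)")
    sso = {s.get("Binding"): s.get("Location") for s in idp.iterfind("md:SingleSignOnService", NS)}
    signing_certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if cert.text:
                signing_certs.append("".join(cert.text.split()))  # drop PEM line breaks
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": signing_certs}


def preflight_checks(metadata_xml: str) -> list:
    """Return a list of problems; an empty list means the metadata is usable for the endpoint."""
    info = parse_idp_metadata(metadata_xml)
    problems = []
    if not info["entity_id"]:
        problems.append("entityID missing")
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertion signatures could not be verified")
    if REDIRECT_BINDING not in info["sso"] and POST_BINDING not in info["sso"]:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, location in info["sso"].items():
        if urlparse(location or "").scheme != "https":
            problems.append(f"SSO endpoint for {binding} is not https: {location}")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", info["entity_id"])
    print("SSO endpoints:", info["sso"])
    print("problems:", preflight_checks(SAMPLE_IDP_METADATA) or "none")
```

The entityID this prints is also the value to compare against your other SAML apps: if another app already uses the same SP Entity ID on the CoPilot side, that is the case where the guide tells you to switch from Hostname to a Custom Entity ID.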

Update Aviatrix SP Endpoint

This step is usually completed by the Aviatrix admin. From the previous section, note the IdP metadata type (Text or URL) and the value your IdP provides, and whether you need a custom SAML request template.

  1. Log in to Aviatrix CoPilot.

  2. Go to Administration > User Access > Access Management.

  3. Under Login Authentication / SAML, click the Edit icon next to the SAML endpoint.

  4. Edit the fields as follows:

    Identity Provider Metadata Type: Text or URL (depending on what was provided by the SAML provider).

    IdP Metadata Text/URL: The IdP metadata URL or text copied from the SAML provider configuration.

    Entity ID: Select Hostname or Custom.

    Custom Entity ID: Only visible if Entity ID is Custom.

    Permission Group: Select admin or read-only access.

    Custom SAML Request Template: Depending on your specific IdP, you may have to check this option. For more information, see Aviatrix User VPN with SAML Authentication.

Hostname is the default for Entity ID, but if you have other apps using the same hostname, use a custom Entity ID.

  5. Click OK.

Validate the Integration

  1. Log out of Aviatrix CoPilot.

  2. Choose your SAML endpoint name from the dropdown box.

  3. Log in to Aviatrix CoPilot by selecting the SAML Provider and clicking Sign In with SAML.

  4. You should be redirected to the IdP. Log in with your test user credentials.

If everything is configured correctly, after you have authenticated, you will be redirected to the CoPilot dashboard.