Aviatrix Controller Login with SAML Authentication on Okta IDP
Overview
This guide provides an example on how to configure Aviatrix Controller to authenticate against an Okta IDP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IDP (e.g., Okta) for authentication.
Pre-Deployment Checklist
Before configuring SAML integration between Aviatrix and Okta, make sure the following is completed:
Aviatrix Controller is setup and running.
Have a valid Okta account with admin access.
Aviatrix Controller
If you haven’t already deployed the Aviatrix controller, follow the Controller Startup Guide.
Okta Account
A valid Okta account with admin access is required to configure the integration.
Configuration Steps
Follow these steps to configure Aviatrix to authenticate against your Okta IDP:
Create an Okta SAML App for Aviatrix
Retrieve Okta IDP metadata
Create Aviatrix SAML SP Endpoint
Test the Integration is Set Up Correctly
Create an Okta SAML App for Aviatrix
Note
This step is usually done by the Okta Admin.
Login to the Okta Admin portal
Follow Okta documentation to create a new application.
Field
Value
Platform
Web
Sign on method
SAML 2.0
General Settings
Field
Value
Description
App name
Aviatrix
This can be any value. It will be displayed in Okta only.
App logo
Aviatrix logo:
Aviatrix logo (optional)
App visibility
N/A
Leave both options unchecked
SAML Settings
General
Field
Value
Single sign on URL
https://[host]/flask/saml/sso/[Endpoint Name]
Audience URI (SP Entity ID)
https://[host]/
Default RelayState
https://[host]/#/dashboard
Name ID format
Unspecified
Application username
Okta username
[host]
is the hostname or IP of your Aviatrix controller.[Endpoint Name]
is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller. The example usesaviatrix_saml_controller
for[Endpoint Name]
https://[host]/#/dashboard
must be set as the Default RelayState so that after SAML authenticates, user will be redirected to dashboard.Attribute Statements
Name
Name format
Value
FirstName
Unspecified
user.firstName
LastName
Unspecified
user.lastName
Email
Unspecified
user.email
Retrieve Okta IDP metadata
Note
This step is usually completed by the Okta admin.
After the application is created in Okta, go to the Sign On tab for the application. Copy the URL from the Identity Provider metadata link. This value will be used to configure the Aviatrix SP Endpoint.
Assign the application to your account
Create Aviatrix SAML Endpoint
Note
This step is usually completed by the Aviatrix admin.
Login to the Aviatrix Controller
Click Settings in the left navigation menu
Select Controller
Click on the SAML Login tab
Click ADD NEW button
Field
Value
IDP Metadata Type
URL
IDP Metadata URL
Value copied from Okta
(Paste the value copied from Okta Sign On)Entity ID
Hostname
Access
Use either admin or read-only
Click OK
Test the Integration
Tip
You will need to assign the new Okta application to a test user’s Okta account before clicking Test.
Click Settings in the left navigation menu
Select Controller
Click on the SAML Login tab
Click the Test button next to
SAML endpoint name
You should be redirected to Okta. Login with your test user credentials.
Important
If everything is configured correctly, once you have authenticated another windows should open with the test user’s access.
Validate
Logout of the Aviatrix Controller
Login to the Aviatrix Controller by clicking the SAML Login button
You should be redirected to Okta. Login with your test user credentials.
Important
If everything is configured correctly, once you have authenticated you will be redirected to the dashboard’s controller.
Configure Okta for Multifactor Authentication (OPTIONAL)
Once you have successfully configured Okta IDP with Aviatrix SP, you can configure Okta for Multifactor Authentication.
Please read this article from Okta on Multifactor setup.
See this article if you’re interested in using DUO in particular.
OpenVPN is a registered trademark of OpenVPN Inc.