Aviatrix Controller Login with SAML Authentication

1. Overview

This guide provides an example of how to configure the Aviatrix Controller to authenticate users against an IDP. When SAML is used for Controller access authentication, the Aviatrix Controller acts as the SAML Service Provider (SP): it redirects the browser from the client to the IDP (e.g., Okta) for authentication and receives the IDP's assertion at its Assertion Consumer Service URL.

For an Okta-specific example, follow the instructions in Aviatrix Controller Login on Okta IDP.

2. Pre-Deployment Checklist

Before configuring SAML integration between Aviatrix and the IDP, make sure the following is in place:

  1. The Aviatrix Controller is set up and running
  2. You have a valid IDP account with administrator access

2.1 Aviatrix Controller

If you haven't already deployed the Aviatrix Controller, follow the Controller Startup Guide.

2.2 IDP Account

An IDP is a SAML identity provider. This can be any provider that exposes a SAML 2.0 endpoint, such as Okta, OneLogin, Google, AWS SSO, Azure AD, Ping Identity, VMware vIDM, ForgeRock OpenAM, etc. (the providers listed have been tested). You need administrator access at the IDP to create the SAML application and its endpoints.

3. Configuration Steps

Follow these steps to configure Aviatrix to authenticate against your IDP:

  1. Create SAML App for Aviatrix
  2. Retrieve IDP Metadata
  3. Create Aviatrix SAML SP Endpoint
  4. Test the Integration is Set Up Correctly
  5. Validate

3.1 Create a SAML App for Aviatrix at the IDP

This step is usually done by the IDP administrator.

Create a SAML 2.0 app with the following settings. They are based on <aviatrix_sp_name>, which is 'controller' for controller login:

  1. Assertion Consumer Service URL* = https://aviatrix_controller_hostname/flask/saml/sso/<aviatrix_sp_name>
  2. Audience URI (Entity ID)* = https://aviatrix_controller_hostname/
  3. SP Metadata URL = https://aviatrix_controller_hostname/flask/saml/metadata/<aviatrix_sp_name>
  4. SP Login URL = https://aviatrix_controller_hostname/flask/saml/login/<aviatrix_sp_name>
  5. Default RelayState* = <empty>

Important

After step 3.3, these values are also available in the Controller: click Settings in the left navigation menu, select Controller, then go to the SAML Login tab.

<aviatrix_sp_name> is controller for controller login.

RelayState is currently not used by the Aviatrix SP, so leave it empty.

The following SAML attributes are expected in the assertion:

  1. FirstName
  2. LastName
  3. Email (used as the unique identifier for the SAML user)

Note

These attribute names are case sensitive; an IDP that sends email instead of Email, for example, will not match.
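As an added example (not Aviatrix code; the Controller's own metadata document is not shown on this page), the following Python script derives the SP values listed above from a controller hostname, compares them against an SP metadata document such as the one served at the SP Metadata URL, and checks that a SAML response carries the three expected attribute names with exact case. The hostname controller.example.com and both XML documents are constructed samples in standard SAML 2.0 metadata and assertion form; in practice you would fetch the metadata from the SP Metadata URL and take the response from a browser SAML trace. The script checks only names and URLs; validating the assertion signature is the Controller's job.

```python
"""Pre-check for the Aviatrix SAML SP settings (added example, not Aviatrix code).

Derives the IDP-side values from the controller hostname and <aviatrix_sp_name>,
compares them with an SP metadata document, and checks a SAML response for the
attribute names the SP expects. The sample documents below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EXPECTED_ATTRIBUTES = ("FirstName", "LastName", "Email")


def expected_sp_values(hostname, sp_name="controller"):
    """The values from section 3.1 that the IDP app must be configured with."""
    base = f"https://{hostname}"
    return {
        "acs_url": f"{base}/flask/saml/sso/{sp_name}",
        "entity_id": f"{base}/",
        "metadata_url": f"{base}/flask/saml/metadata/{sp_name}",
        "login_url": f"{base}/flask/saml/login/{sp_name}",
    }


def check_sp_metadata(metadata_xml, hostname, sp_name="controller"):
    """Return a list of mismatches between SP metadata and the expected values.

    An empty list means the entityID and the HTTP-POST Assertion Consumer
    Service location match what the IDP app should be configured with.
    """
    expected = expected_sp_values(hostname, sp_name)
    root = ET.fromstring(metadata_xml)
    problems = []
    entity_id = root.get("entityID")
    if entity_id != expected["entity_id"]:
        problems.append(f"entityID {entity_id!r} != expected {expected['entity_id']!r}")
    acs_locations = [
        acs.get("Location")
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
        if acs.get("Binding") == POST_BINDING
    ]
    if expected["acs_url"] not in acs_locations:
        problems.append(
            f"no HTTP-POST ACS at {expected['acs_url']!r}; found {acs_locations}"
        )
    return problems


def check_response_attributes(response_xml):
    """Check the attribute names in a SAML response against EXPECTED_ATTRIBUTES.

    Names are matched case-sensitively, as the Aviatrix SP does. A name that
    differs only in case (e.g. 'email' instead of 'Email') is also listed under
    'case_mismatch' so the IDP attribute mapping can be corrected.
    """
    root = ET.fromstring(response_xml)
    sent = {
        attr.get("Name")
        for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    sent_lower = {name.lower() for name in sent}
    missing = [name for name in EXPECTED_ATTRIBUTES if name not in sent]
    case_mismatch = [name for name in missing if name.lower() in sent_lower]
    return {"missing": missing, "case_mismatch": case_mismatch}


# Constructed sample: SP metadata in the shape served at the SP Metadata URL.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://controller.example.com/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://controller.example.com/flask/saml/sso/controller"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: a SAML response whose IDP mapping sends 'email', not 'Email'.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for key, value in expected_sp_values("controller.example.com").items():
        print(f"{key:13} {value}")
    print("metadata mismatches:", check_sp_metadata(SAMPLE_SP_METADATA, "controller.example.com"))
    print("attribute check:", check_response_attributes(SAMPLE_RESPONSE))
```

Run it after step 3.3: fetch https://aviatrix_controller_hostname/flask/saml/metadata/controller and pass the document to check_sp_metadata(); a non-empty list means the Assertion Consumer Service URL or Entity ID configured at the IDP would not match what the Controller publishes. check_response_attributes() is meant for a SAML response captured with a browser SAML tracer during the test in section 3.4, where a login that reaches the IDP but fails at the Controller is often an attribute-name mismatch.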

3.2 Retrieve IDP metadata

After creating the SAML app at the IDP, retrieve the IDP metadata, either as a URL or as text, from the application created in the previous step. You will enter it into the Controller in the next step.

3.3 Create Aviatrix SAML Endpoint

Note

This step is usually completed by the Aviatrix admin.

  1. Log in to the Aviatrix Controller

  2. Click Settings in the left navigation menu

  3. Select Controller

  4. Click on the SAML Login tab

  5. Click the Enable button and enter the IDP metadata (URL or text) retrieved in step 3.2

    image0

  6. Click OK

3.4 Test the Integration

  1. Click Settings in the left navigation menu

  2. Select Controller

  3. Click on the SAML Login tab

  4. Click the Test button next to controller

    image1

  5. You should be redirected to the IDP. Log in with your test user credentials.

    Important

    If everything is configured correctly, once you have authenticated, another window should open showing the test user's access.

3.5 Validate

  1. Log out of the Aviatrix Controller

  2. Log in to the Aviatrix Controller by clicking the SAML Login button

    image2

  3. You should be redirected to the IDP. Log in with your test user credentials.

    Important

    If everything is configured correctly, once you have authenticated you will be redirected to the Controller's dashboard.