Centrify IdP for SAML Integration

Overview

This guide provides an example on how to configure Aviatrix to authenticate against Centrify IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (SP) that redirects browser traffic from client to IdP for authentication.

Visit one of the following links based on your use case:

If integrating Centrify IdP with Controller Login SAML Config If integrating Centrify IdP with OpenVPN with SAML Authentication

Before configuring SAML integration between Aviatrix and Centrify, make sure you have a valid Centrify account with administrator access.

Configuration Steps

Follow these steps to configure Aviatrix to authenticate against your Azure AD IdP:

Step 1. Retrieve Aviatrix SP Metadata from the Aviatrix Controller Step 2. Create a Centrify SAML Application for Aviatrix Step 3. Retrieve Centrify IdP metadata Step 4. Update Aviatrix SP Endpoint in the Aviatrix Controller Step 5. Test the Integration is Set Up Correctly

Retrieve Aviatrix SP Metadata from Aviatrix Controller

Before creating the Centrify SAML Application, Centrify requires the Service Provider (SP) metadata file from the Aviatrix Controller. You can create a temporary SP SAML endpoint to retrieve the SP metadata for now. Later on in the guide, the SP SAML endpoint will be updated.

Follow one of the links below according to your use case:

  1. If integrating Centrify IdP with Controller Login SAML Config
  2. If integrating Centrify IdP with OpenVPN with SAML Authentication

For Centrify, right click the SP Metadata button next to the SAML endpoint and save the file.

image3

Here you can retrieve the SP metadata by clicking on the SP metadata

image4

Tip

Copy the above metadata as text. It will be pasted into the Centrify IdP in the later steps.

Note

You can also use URL method if you have configured signed certificates for the Aviatrix Controller, but not for the initial self-signed certificate.

Create a Centrify SAML App for Aviatrix

  1. From the Centrify App->Add New App->Custom, select SAML and click on “Add”. Click yes and close the prompt. This lets you configure the application.
  2. Configure app settings. Enter a name for your application, click Save and go to the next page
image0
  1. In the Metadata XML section, paste the SP metadata that was copied in the previous section (Step 1) Click on “Save” and go to the next section
image5

Note

You can also use URL method if you have configured signed certificates for the Aviatrix Controller, but not for the initial self-signed certificate.

  1. Configure the following SAML attributes (Email is the unique identifier)

    FirstName LoginUser.FirstName
    LastName LoginUser.LastName
    Email LoginUser.Email

    Also, the custom logic needs to be set for the attributes to work

    setAttribute(“exampleAttr”, “DOMAIN\user”);

    image6

    You can preview the SAML response and this step and select the user. Make sure that there are no errors.

    Click “Save” and go to the next tab

  2. Add users

image7

Click “Save” and go the next tab

  1. Add any policies if you require them. Click “Save” and go to the next tab

  2. Use the default “Directory service field” mapping. Click “Save” and go to the next tab

    image8

  3. Configure the next pages if you require them, “Linked applications”,”Provisioning”, “App Gateway” if you require them. Click “Save”. The SAML configuration at the IdP is now complete

Retrieve Centrify IdP metadata

  1. Copy the metadata URL from the Trust page.

    image1

Update Aviatrix SP Endpoint

Note

This step is usually completed by the Aviatrix admin. Centrify IdP provides IdP Metadata through URL obtained in Retrieve Centrify IdP metadata (Step 3).

Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case:

  1. If integrating Centrify IdP with Controller Login SAML Config
  2. If integrating Centrify IdP with OpenVPN with SAML Authentication

Note

Each endpoint only supports one type of access. If you need admin and read-only access, create two separate SAML apps. Hostname is the default for Entity ID, but if you have other apps using the same hostname, use a custom Entity ID.

Test the Integration

Tip

Be sure to assign users to the new application in Centrify prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error.

Continue with testing the integration by visiting one of the following links based on your use case:

  1. If integrating Centrify IdP with Controller Login SAML Config
  1. Click Settings in the left navigation menu
  2. Select Controller
  3. Click on the SAML Login tab
  1. If integrating Centrify IdP with OpenVPN with SAML Authentication
  1. Expand OpenVPN® in the navigation menu and click Advanced
  2. Stay on the SAML tab

You can quickly validate that the configuration is complete by clicking on the Test button next to the SAML endpoint.