Google IdP for SAML Integration¶
This guide provides an example on how to configure Aviatrix to authenticate against a Google IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., Google) for authentication.
Before configuring SAML integration between Aviatrix and Google, make sure you have a valid Google account with administrator access.
Follow these steps to configure Aviatrix to authenticate against your Google IdP:
Step 1. Create a temporary Aviatrix SP Endpoint in the Aviatrix Controller
Step 2. Create a Google SAML Application for Aviatrix
Step 3. Retrieve Google IdP metadata
Step 4. Update Aviatrix SP Endpoint in the Aviatrix Controller
Step 5. Test the Integration is Set Up Correctly
Step 1. Create an Aviatrix SP Endpoint¶
Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link’s Configuration section:
This step will ask you to pick a short name to be used for the SAML application name
[Endpoint Name]. In the notes below we will refer to this as aviatrix_google. It can be any string that will identify the SAML application you create in the IdP.
We will use the string you select for the SAML application name to generate a URL for Google IdP to connect with Aviatrix. This URL is defined below as SP_ACS_URL. This URL should be constructed as:
https://<<<your controller ip or host name>>>/flask/saml/sso/<<<aviatrix_google>>>
Replace <<<your controller ip or host name>>> with the actual host name or IP address of your controller and <<<aviatrix_google>>> with the
[Endpoint Name] you chose to refer to the SAML application.
Step 2. Create a Google SAML App for Aviatrix¶
This step is usually done by the Google Admin.
Login to the Google Admin portal
Follow Google documentation to create a new custom application.
Click on the Setup My Own Custom App
Field Value Description Application Name Aviatrix This can be any value. It will be displayed in Google only. Description This can be any value. Upload logo
Aviatrix logo (optional)
Service Provider Details
[host]is the hostname or IP of your Aviatrix controller. For example,
[Endpoint Name]is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller.
Disable “Signed Response”
- Open the Service Provider Details for the SAML application just created. Uncheck Signed Response.
- Click Save
Step 3. Retrieve Google IdP metadata¶
Step 4. Update Aviatrix SP Endpoint¶
This step is usually completed by the Aviatrix admin. Google IdP provides IdP Metadata through text obtained in Retrieve Google IdP metadata (Step 3).
Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case:
If integrating Google IdP with Controller Login SAML Config
If integrating Google IdP with OpenVPN with SAML Authentication
Each endpoint only supports one type of access. If you need admin and read-only access, create two separate SAML apps. Hostname is the default for Entity ID, but if you have other apps using the same hostname, use a custom Entity ID.
- Click OK
Step 5. Test the Integration¶
Be sure to assign users to the new application in Google prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error.
Continue with testing the integration by visiting one of the following links based on your use case:
- If integrating Google IdP with Controller Login SAML Config
- Click Settings in the left navigation menu
- Select Controller
- Click on the SAML Login tab
- If integrating Google IdP with OpenVPN with SAML Authentication
- Expand OpenVPN® in the navigation menu and click Advanced
- Stay on the SAML tab
You can quickly validate that the configuration is complete by clicking on the Test button next to the SAML endpoint.