OneLogin IdP for SAML Integration

Overview

This guide provides an example on how to configure OneLogin as an IdP for an Aviatrix SAML SP (endpoint). When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., OneLogin) for authentication.

Before configuring SAML integration between Aviatrix and OneLogin, make sure you have a valid OneLogin account with administrator access.

Configuration Steps

Follow these steps to configure Aviatrix to authenticate against your OneLogin IdP:

Step 1. Create a temporary Aviatrix SP Endpoint in the Aviatrix Controller

Step 2. Create a OneLogin SAML App for Aviatrix in OneLogin’s Portal

Step 3. Retrieve OneLogin IdP metadata

Step 4. Update Aviatrix SP Endpoint in the Aviatrix Controller

Step 5. Test the Integration is Set Up Correctly

Step 1. Create an Aviatrix SP Endpoint

Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link’s Configuration section:

If integrating OneLogin IdP with Controller Login SAML Config

If integrating OneLogin IdP with OpenVPN with SAML Authentication

This step will ask you to pick a short name to be used for the SAML application name [Endpoint Name]. In the notes below we will refer to this as aviatrix_onelogin. It can be any string that will identify the SAML application you create in the IdP.

We will use the string you select for the SAML application name to generate a URL for OneLogin to connect with Aviatrix. This URL is defined below as SP_ACS_URL. This URL should be constructed as:

https://<your controller ip or host name>/flask/saml/sso/<aviatrix_onelogin>

Tip

Replace <your controller ip or host name> with the actual host name or IP address of your controller and <aviatrix_onelogin> with the [Endpoint Name] you chose to refer to the SAML application.

Step 2. Create a OneLogin SAML App for Aviatrix

Note

This step is usually done by the OneLogin Admin.

  1. Login to OneLogin as an administrator

  2. To add a new app go to Applications > Applications > click Add Apps

    imageOLAddAppsMenu

  3. Search for SAML Test Connector

    imageOLNewAppSearch

  4. Select SAML Test Connector (Advanced)

  5. Enter the Configuration values and click Save

    imageOLNewAppStep1

    You can download the rectangular image from here and the square image from here.

  6. Click on Configuration tab

  7. Enter the values

    Field

    Value

    RelayState

    Blank

    Audience(Entity ID)

    SP Entity ID

    Recipient

    SP_ACS_URL

    ACS (Consumer) URL Validator

    SP_ACS_URL

    ACS (Consumer) URL

    SP_ACS_URL

    Single Logout URL

    Blank

    Login URL

    SP Login(Test) URL

    SAML not valid before

    3 (default)

    SAML not valid on or after

    3 (default)

    SAML initiator

    Service Provider

    SAML nameID format

    Transient

    SAML issuer type

    Specific (default)

    SAML signature element

    Assertion

    Encrypt assertion

    Unchecked (default)

    SAML encryption method

    TRIPLEDES-CBC (default)

    Sign SLO Response

    Unchecked (default)

    SAML sessionNotOnOrAfter

    1440 (default)

    Generate AttributeValue tag for empty values

    Unchecked (default)

    Sign SLO Request

    Unchecked (default)

    imageConfiguration

  8. Click Save

  9. Click on the Parameters tab

  10. Add the following custom parameters (case sensitive)

    Field

    Value

    Flags

    Email

    Email

    Include in SAML assertion

    FirstName

    First Name

    Include in SAML assertion

    LastName

    Last Name

    Include in SAML assertion

    imageOLNewAppParams

  11. Optionally, add a field to map to the profile in Aviatrix

    Field

    Value

    Flags

    Profile

    (User Defined)

    Include in SAML assertion

  12. Click Save

Step 3. Retrieve OneLogin IdP metadata

  1. Click on More actions dropdown

  2. Copy the URL from the SAML Metadata for the next step. This URL will be provided to the Aviatrix SP Endpoint.

imageOLSSOTab

Step 4. Update Aviatrix SP Endpoint

Note

This step is usually completed by the Aviatrix admin. OneLogin IdP provides IdP Metadata through URL obtained in Retrieve OneLogin IdP metadata (Step 3).

Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case:

  1. If integrating OneLogin IdP with Controller Login SAML Config

  2. If integrating OneLogin IdP with OpenVPN with SAML Authentication

    Field

    Description

    Endpoint Name

    [Endpoint Name]

    IPD Metadata Type

    URL

    IdP Metadata Text/URL

    Paste in the Issuer URL obtained from the OneLogin app.

    Entity ID

    Select Hostname

    Access

    Select admin or read-only access

    Custom SAML Request Template

    Unchecked

Note

Each endpoint only supports one type of access. If you need admin and read-only access, create two separate SAML apps. Hostname is the default for Entity ID, but if you have other apps using the same hostname, use a custom Entity ID.

Step 5. Test the Integration

Tip

Be sure to assign users to the new application in OneLogin prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error.

Continue with testing the integration by visiting one of the following links based on your use case:

  1. If integrating OneLogin IdP with Controller Login SAML Configuration

  1. Click Settings in the left navigation menu

  2. Select Controller

  3. Click on the SAML Login tab

  1. If integrating OneLogin IdP with OpenVPN with SAML Auth

  1. Expand OpenVPN® in the navigation menu and click Advanced

  2. Stay on the SAML tab

You can quickly validate that the configuration is complete by clicking on the Test button next to the SAML endpoint.

imageAvtxTestSAML