OneLogin IdP for SAML Integration
Overview
This guide provides an example on how to configure OneLogin as an IdP for an Aviatrix SAML SP (endpoint). When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., OneLogin) for authentication.
Before configuring SAML integration between Aviatrix and OneLogin, make sure you have a valid OneLogin account with administrator access.
Configuration Steps
Follow these steps to configure Aviatrix to authenticate against your OneLogin IdP:
Step 1. Create a temporary Aviatrix SP Endpoint in the Aviatrix Controller
Step 2. Create a OneLogin SAML App for Aviatrix in OneLogin’s Portal
Step 3. Retrieve OneLogin IdP metadata
Step 4. Update Aviatrix SP Endpoint in the Aviatrix Controller
Step 5. Test the Integration is Set Up Correctly
Step 1. Create an Aviatrix SP Endpoint
Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link’s Configuration section:
If integrating OneLogin IdP with Controller Login SAML Config
If integrating OneLogin IdP with OpenVPN with SAML Authentication
This step will ask you to pick a short name to be used for the SAML application name [Endpoint Name]
. In the notes below we will refer to this as aviatrix_onelogin. It can be any string that will identify the SAML application you create in the IdP.
We will use the string you select for the SAML application name to generate a URL for OneLogin to connect with Aviatrix. This URL is defined below as SP_ACS_URL. This URL should be constructed as:
https://<your controller ip or host name>/flask/saml/sso/<aviatrix_onelogin>
Tip
Replace <your controller ip or host name> with the actual host name or IP address of your controller and <aviatrix_onelogin> with the
[Endpoint Name]
you chose to refer to the SAML application.
Step 2. Create a OneLogin SAML App for Aviatrix
Note
This step is usually done by the OneLogin Admin.
Login to OneLogin as an administrator
To add a new app go to Applications > Applications > click Add Apps
Search for SAML Test Connector
Select SAML Test Connector (Advanced)
Enter the Configuration values and click Save
You can download the rectangular image from here and the square image from here.
Click on Configuration tab
Enter the values
Field
Value
RelayState
Blank
Audience(Entity ID)
SP Entity ID
Recipient
SP_ACS_URL
ACS (Consumer) URL Validator
SP_ACS_URL
ACS (Consumer) URL
SP_ACS_URL
Single Logout URL
Blank
Login URL
SP Login(Test) URL
SAML not valid before
3 (default)
SAML not valid on or after
3 (default)
SAML initiator
Service Provider
SAML nameID format
Transient
SAML issuer type
Specific (default)
SAML signature element
Assertion
Encrypt assertion
Unchecked (default)
SAML encryption method
TRIPLEDES-CBC (default)
Sign SLO Response
Unchecked (default)
SAML sessionNotOnOrAfter
1440 (default)
Generate AttributeValue tag for empty values
Unchecked (default)
Sign SLO Request
Unchecked (default)
Click Save
Click on the Parameters tab
Add the following custom parameters (case sensitive)
Field
Value
Flags
Email
Email
Include in SAML assertion
FirstName
First Name
Include in SAML assertion
LastName
Last Name
Include in SAML assertion
Optionally, add a field to map to the profile in Aviatrix
Field
Value
Flags
Profile
(User Defined)
Include in SAML assertion
Click Save
Step 3. Retrieve OneLogin IdP metadata
Click on More actions dropdown
Copy the URL from the SAML Metadata for the next step. This URL will be provided to the Aviatrix SP Endpoint.
Step 4. Update Aviatrix SP Endpoint
Note
This step is usually completed by the Aviatrix admin. OneLogin IdP provides IdP Metadata through URL obtained in Retrieve OneLogin IdP metadata (Step 3).
Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case:
If integrating OneLogin IdP with Controller Login SAML Config
If integrating OneLogin IdP with OpenVPN with SAML Authentication
Field
Description
Endpoint Name
[Endpoint Name]
IPD Metadata Type
URL
IdP Metadata Text/URL
Paste in the Issuer URL obtained from the OneLogin app.
Entity ID
Select Hostname
Access
Select admin or read-only access
Custom SAML Request Template
Unchecked
Note
Each endpoint only supports one type of access. If you need admin and read-only access, create two separate SAML apps. Hostname is the default for Entity ID, but if you have other apps using the same hostname, use a custom Entity ID.
Step 5. Test the Integration
Tip
Be sure to assign users to the new application in OneLogin prior to validating. If you do not assign your test user to the Aviatrix SAML application, you will receive an error.
Continue with testing the integration by visiting one of the following links based on your use case:
If integrating OneLogin IdP with Controller Login SAML Configuration
Click Settings in the left navigation menu
Select Controller
Click on the SAML Login tab
If integrating OneLogin IdP with OpenVPN with SAML Auth
Expand OpenVPN® in the navigation menu and click Advanced
Stay on the SAML tab
You can quickly validate that the configuration is complete by clicking on the Test button next to the SAML endpoint.