OpenVPN® with SAML Client on AWS SSO IdP¶

Overview¶

This guide provides an example on how to configure Aviatrix to authenticate against AWS SSO IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., AWS SSO) for authentication.

Pre-Deployment Checklist¶

Before configuring SAML integration between Aviatrix and AWS SSO, make sure the following is completed:

Aviatrix Controller is setup and running.
Have a valid AWS account with AWS SSO enabled.
Download and install the Aviatrix SAML VPN client.

Aviatrix Controller¶

If you haven’t already deployed the Aviatrix controller, follow these detailed instructions.

AWS Account with AWS SSO Enabled¶

Enable AWS SSO on your AWS account before continuing with the configuration.

Aviatrix VPN Client¶

All users must use the Aviatrix VPN client to connect to the system. Download the client for your OS here.

Configuration Steps¶

Follow these steps to configure Aviatrix to authenticate against your AWS SSO IDP:

Create a AWS SSO SAML Application for Aviatrix in the AWS Console
Create a SAML Endpoint in the Aviatrix Controller

AWS SSO Custom SAML Application (Part 1)¶

Before you start, pick a short name to be used for the SAML application name. In the notes below we will refer to this as aviatrix_awssso. But, it can be any string.

We will use the string you select for the SAML application name to generate a URL for AWS SSO to connect with Aviatrix. This URL is defined below as SP_ACS_URL. This URL should be constructed as:

https://<<<your controller ip or host name>>>/flask/saml/sso/<<<aviatrix_awssso>>>

Tip

Replace <<<your controller ip or host name>>> with the actual host name or IP address of your controller and <<<aviatrix_awssso>>> with the string you chose to refer to the SAML application.

Login to your AWS console
Go to the AWS Single Sign-On service
Add a new Application (Applications > Add a new application)
Click Custom SAML 2.0 application
Enter a Display Name
Copy the AWS SSO SAML metadata file URL

Aviatrix Controller SAML Endpoint¶

Login to your Aviatrix Controller
Expand OpenVPN, select Advanced in the navigation menu
Go to the SAML tab
Click + Add New button

Follow the table below for details on the fields in the table:

Field	Description
Endpoint Name	Pick
IPD Metadata Type	URL
IDP Metadata Text/URL	Paste in the AWS SSO SAML metadata file URL copied earlier from AWS SSO dashboard.
Entity ID	Select Hostname
Custom SAML Request Template	Checked

imageAvtxSAMLEndpoint

Remove the XML element <samlp:NameIDPolicy>..</samlp:NameIDPolicy>

Note

This is required to connect with AWS SSO. If you don’t do this, you will receive an error message when testing.
Click OK
Right click on the SP Metadata button next to the SAML endpoint just created and save the file to your local machine.

Tip

Save this XML file to your local machine. It will be used in the next step.

AWS SSO Custom SAML Application (Part 2)¶

Return back to the AWS SSO console

Scroll to Application metadata
Browse... to the SP Metadata file saved in the previous step
Leave the Application start URL blank
Click Save changes

Add Attribute Mappings¶

Click on the Attribute mappings tab
Add the following attributes:

User attribute in the application Maps to this string value or user attribute in the AWS SSO

FirstName ${user:givenName}

LastName ${user:familyName}

Email ${user:email}
Click Save changes

Validate¶

Tip

Be sure to assign users to the new application in AWS Signle Sign-on service prior to validating. If you do not assign your test user to the Aviatrix User VPN application, you will receive an error.

You can quickly validate that the configuration is complete by clicking on the Test button next to the SAML endpoint.

imageAvtxTestButton

User attribute in the application	Maps to this string value or user attribute in the AWS SSO
FirstName	${user:givenName}
LastName	${user:familyName}
Email	${user:email}