OpenVPN® with SAML Authentication on AWS SSO IdP

Overview

This guide provides an example on how to configure Aviatrix to authenticate against AWS SSO IdP. When SAML client is used, your Aviatrix Controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., AWS SSO) for authentication.

Pre-Deployment Checklist

Before configuring SAML integration between Aviatrix and AWS SSO, make sure the following is completed:

  1. The Aviatrix Controller is set up and running.

  2. You have a valid AWS account with AWS SSO enabled.

  3. You have downloaded and installed the Aviatrix SAML VPN client.

Aviatrix Controller

If you haven’t already deployed the Aviatrix Controller, follow the Controller Startup Guide and start with a Metered AMI.

AWS Account with AWS SSO Enabled

Enable AWS SSO on your AWS account before continuing with the configuration.

Tip

If your AWS account is a consolidated account, you cannot set up SSO. SSO can only be enabled with a master account.

Aviatrix VPN Client

All users must use the Aviatrix VPN client to connect to the system. Download the client for your OS here.

Configuration Steps

Follow these steps to configure Aviatrix to authenticate against your AWS SSO IDP:

  1. Create a AWS SSO SAML Application for Aviatrix in the AWS Console.

  2. Create a SAML Endpoint in the Aviatrix Controller.

AWS SSO Custom SAML Application (Part 1)

Before you start, pick a short name to be used for the SAML application name. In the notes below we will refer to this as aviatrix_awssso, but it can be any string.

We will use the string you select for the SAML application name to generate a URL for AWS SSO to connect with Aviatrix. This URL is defined below as SP_ACS_URL. This URL should be constructed as:

https://<<<your Controller IP or host name>>>/flask/saml/sso/<<<aviatrix_awssso>>>”

Tip

Replace <<<your Controller IP or host name>>> with the actual host name or IP address of your Controller and <<<aviatrix_awssso>>> with the string you chose to refer to the SAML application.

  1. Log in to your AWS console.

  2. Go to the AWS Single Sign-On service.

  3. Add a new Application (Applications > Add a new application).

    imageAddAppsMenu

  4. Click Custom SAML 2.0 application.

    imageSelectCustom

  5. Enter a Display Name.

  6. Copy the AWS SSO SAML metadata file URL.

    imageCopyURL

Aviatrix Controller SAML Endpoint

  1. Log in to your Aviatrix Controller.

  2. Enable SAML. Go to OpenVPN® > Edit Config > Modify Authentication. Select SAML. Skip this step if you have already done so.

  3. Select OpenVPN > Advanced on the left sidebar.

  4. Select the SAML tab.

  5. Click + Add New.

  6. Follow the table below for details on the fields in the table:

    Field

    Description

    Endpoint Name

    aviatrix_awssso

    IPD Metadata Type

    URL

    IDP Metadata Text/URL

    Paste in the AWS SSO SAML metadata file URL copied earlier from AWS SSO dashboard.

    Entity ID

    Select Hostname

    Custom SAML Request Template

    Mark this checkbox

    add_saml_endpoint

  7. Remove the XML element “<samlp:NameIDPolicy>..</samlp:NameIDPolicy>.”

    Note

    This is required to connect with AWS SSO. If you don’t do this, you will receive an error message when testing.

  8. Click OK.

  9. Right-click SP Metadata next to the SAML endpoint just created and save the file to your local machine.

    imageSPMetadataURL

    Tip

    Save this XML file to your local machine. It will be used in the next step.

AWS SSO Custom SAML Application (Part 2)

Return to the AWS SSO console.

  1. Scroll to Application metadata.

  2. Browse… to the SP Metadata file saved in the previous step.

  3. Leave the Application start URL blank.

  4. Click Save changes.

    imageAppMetadata

Adding Attribute Mappings

  1. Select the Attribute mappings tab.

  2. Add the following attributes:

    User attribute in the application

    Maps to this string value or user attribute in the AWS SSO

    FirstName

    ${user:givenName}

    LastName

    ${user:familyName}

    Email

    ${user:email}

As shown below:

attribute_mapping

  1. Click Save changes.

Validating

Tip

Be sure to assign users to the new application in AWS Single Sign-on service prior to validating. You can use AWS SSO Directory service under AWS SSO page to assign users. If you do not assign your test user to the Aviatrix User VPN application, you will receive an error.

You can quickly validate that the configuration is complete by clicking Test next to the SAML endpoint.

imageAvtxTestButton