OpenVPN® with SAML Authentication on Azure AD IdP

Overview

This guide provides an example on how to configure Aviatrix to authenticate against Azure AD IdP. When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., Azure AD) for authentication.

Pre-Deployment Checklist

Before configuring SAML integration between Aviatrix and Azure AD, make sure the following is completed:

1. An Aviatrix Controller is setup and running.
2. You have an Azure account.
3. You have downloaded and installed the Aviatrix SAML VPN client.

Aviatrix Controller

If you haven’t already deployed the Aviatrix controller, follow the Controller Startup Guide.

Azure Account

Configure Azure AD on your Azure account before continuing with the configuration.

Aviatrix VPN Client

All users must use the Aviatrix VPN client to connect to the system. Download the client for your OS here.

Configuration Steps

Follow these steps to configure Aviatrix to authenticate against your Azure AD IDP:

1. Create a Azure AD SAML Application for Aviatrix in the AWS Console
2. Create a SAML Endpoint in the Aviatrix Controller

Azure AD Custom SAML Application

Before you start, pick a short name to be used for the SAML application name. In the notes below we will refer to this as aviatrix_azuread. But, it can be any string.

We will use the string you select for the SAML application name to generate a URL for Azure AD to connect with Aviatrix. This URL is defined below as SP_ACS_URL. This URL should be constructed as:

https://<<<your controller ip or host name>>>/flask/saml/sso/<<<aviatrix_azuread>>>

Tip

Replace <<<your controller ip or host name>>> with the actual host name or IP address of your controller and <<<aviatrix_azuread>>> with the string you chose to refer to the SAML application.

Connect to Azure

Login to your Azure portal

Create Custom SAML Application

1. Go to the Azure Active Directory service

2. Select Enterprise Applications under Manage navigation menu item

3. Click + New application

   

   Note

   You must be an administrator to add new Enterprise Applications.

4. Click Non-gallery application

   

5. Enter a Display Name

   Note

   Custom applications requires an Azure AD Premium subscription.

   

6. Click Add

Assign Users to this Application

1. Click Users and groups below Manage

2. Click + Add user

3. Select a User and Role

4. Click Assign

   

Single Sign-on Configuration

Click Single sign-on below Manage

Application Domain and URLs

1. Select SAML-based Sign-on from the Single Sign-on Mode drop down

2. Fill out the fields

   Field	Value
   Identifier (Entity ID)	https://<<<your controller>>>
   Reply URL	SP_ACS_URL
   Show Advanced URL settings	checked
   Sign on URL	SP_ACS_URL
   Relay State	(leave blank)

   

User Attributes

1. Enter user.mail for User Identifier

2. Click View and edit all other user attributes

3. Add the following SAML Token Attributes (please find the right values from your Azure user details to match firstname, lastname and email). You can also add “Profile” and send the profile name of a VPN profile - at this time,we only support attaching one profile per user via SAML

   NAME	VALUE	NAMESPACE
   FirstName	user.givenname	(blank)
   LastName	user.surname	(blank)
   Email	user.mail	(blank)

   

SAML Signing Certificate

1. Find the Metadata XML link

2. Click the link to download the file

   

Save Application

Click Save

Aviatrix Controller SAML Endpoint

1. Log in to your Aviatrix Controller

2. Expand OpenVPN, select Advanced in the navigation menu

3. Go to the SAML tab

4. Click + Add New button

5. Follow the table below for details on the fields in the table:

   Field	Description
   Endpoint Name	Pick
   IPD Metadata Type	Text
   IDP Metadata Text/URL	Paste in the metadata XML file contents downloaded earlier.
   Entity ID	Select Hostname
   Custom SAML Request Template	Checked

   

6. Copy the following into the Custom SAML Request Template field:

   <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="$ID" Version="2.0" IssueInstant="$Time" Destination="$Dest" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="$ACS">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">$Issuer</saml:Issuer>
   <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"> </samlp:NameIDPolicy>
   <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
   <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
   urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
   </saml:AuthnContextClassRef>
   </samlp:RequestedAuthnContext>
   </samlp:AuthnRequest>
   

   Note

   This is required to connect with Azure AD. If you don’t do this, you will receive an error message when testing.

7. Click OK

Validate

Tip

Be sure to assign users to the new application in Azure AD prior to validating. If you do not assign your test user to the Aviatrix User VPN application, you will receive an error.

You can quickly validate that the configuration is complete by clicking on the Test button next to the SAML endpoint.