OpenVPN® with SAML Authentication on Centrify IDP

Overview

This guide provides an example of how to configure Aviatrix to authenticate against the Centrify IDP. When a SAML client is used, your Aviatrix Controller acts as the SAML Service Provider (SP) that redirects browser traffic from the client to the IDP for authentication.

Pre-Deployment Checklist

Before configuring SAML integration between Aviatrix and Centrify, make sure the following is completed:

  1. Aviatrix Controller is set up and running. Follow the Controller Startup Guide to launch the controller.
  2. Have Centrify up and running with administrator access.
  3. Download and install the Aviatrix VPN client.

Configuration Steps:

  1. From the Centrify App->Add New App->Custom, select SAML and click on “Add”. Click yes and close the prompt. This lets you configure the application.

  2. Configure app settings. Enter a name for your application, click Save and go to the next page.
  3. Copy the metadata URL from the Trust page.

    Now go to your Aviatrix Controller. Create a new SAML endpoint from OpenVPN and paste the URL into the Metadata URL field. Give it an Endpoint name and click “OK”.

  4. This creates a SAML endpoint at the Aviatrix Controller.

    Here you can retrieve the SP metadata by clicking on the SP metadata link. Copy the displayed metadata as text.

  5. Go back to the Centrify app and paste the information into the Metadata XML section. Click on “Save” and go to the next section.

    Note

    You can also use the URL method if you have configured signed certificates for the Aviatrix Controller, but not with the initial self-signed certificate.

  6. Configure the following SAML attributes (Email is the unique identifier):

    FirstName LoginUser.FirstName
    LastName LoginUser.LastName
    Email LoginUser.Email

    The custom logic also needs to be set for the attributes to work (the backslash is escaped because the custom logic is a JavaScript string):

    setAttribute("exampleAttr", "DOMAIN\\user");

    You can preview the SAML response at this step and select the user. Make sure that there are no errors.

    Click “Save” and go to the next tab.

  7. Add users.

    Click “Save” and go to the next tab.

  8. Add any policies if you require them. Click “Save” and go to the next tab.

  9. Use the default “Directory service field” mapping. Click “Save” and go to the next tab.

  10. Configure the next pages, “Linked applications”, ”Provisioning” and “App Gateway”, if you require them. Click “Save”. The SAML configuration at the IDP is now complete.

  11. Test the SAML integration. Go back to your Aviatrix Controller and go to the OpenVPN->Advanced->SAML tab. Click test for the SAML endpoint.

    You should get redirected to Centrify, and it may ask for credentials. If you are already logged in, it redirects you back to the controller page.

    Ignore the warning, since you may not have a VPN client running yet.

  12. To test the VPN integration, you need to perform 3 steps at the Aviatrix Controller:

    1. Configure a cloud account at Accounts->Access Account.
    2. Create a VPN Gateway in the Gateway page. Check “VPN Enabled” and “SAML Enabled”.
    3. Add a VPN user in the OpenVPN->VPN Users page, attached to the SAML VPN gateway with the respective endpoint. The certificate is emailed or can be downloaded here.
  13. Test VPN connectivity by installing the Aviatrix VPN client. Load the VPN certificate and click connect. The browser should open and log in at Centrify. The client then automatically connects to the VPN Gateway. Test connectivity by pinging the private IP of the gateway.