OpenVPN® with SAML Authentication on Centrify IDP


This guide provides an example of how to configure Aviatrix to authenticate against the Centrify IDP. When the SAML client is used, your Aviatrix Controller acts as the Service Provider (SP) and redirects browser traffic from the client to the IDP for authentication.

Pre-Deployment Checklist

Before configuring SAML integration between Aviatrix and Centrify, make sure the following is completed:

  1. The Aviatrix Controller is set up and running. Follow the Controller Startup Guide to launch the controller.
  2. You have Centrify up and running with administrator access.
  3. You have downloaded and installed the Aviatrix VPN client.

Configuration Steps:

  1. From the Centrify App->Add New App->Custom, select SAML and click on “Add”. Click yes and close the prompt. This lets you configure the application.

  2. Configure app settings.
    Enter a name for your application, click Save and go to the next page.
  3. Copy the metadata URL from the Trust page.


    Now go to your Aviatrix Controller. Create a new SAML endpoint from OpenVPN and paste the URL into the Metadata URL field. Give the endpoint a name and click “OK”.


  4. This creates a SAML endpoint at the Aviatrix Controller.

    Here you can retrieve the SP metadata by clicking on the SP metadata link.

    Copy the metadata as text.

  5. Go back to the Centrify app and paste the information into the Metadata XML section. Click on “Save” and go to the next section.



    You can also use the URL method if you have configured signed certificates for the Aviatrix Controller, but not with the initial self-signed certificate.

  6. Configure the following SAML attributes (Email is the unique identifier):

    FirstName   LoginUser.FirstName
    LastName    LoginUser.LastName
    Email       LoginUser.Email

    Also, the custom logic needs to be set for the attributes to work:

    setAttribute("exampleAttr", "DOMAIN\user");


    You can preview the SAML response at this step and select a user. Make sure that there are no errors.

    Click “Save” and go to the next tab.

  7. Add users.

    Click “Save” and go to the next tab.

  8. Add any policies if you require them. Click “Save” and go to the next tab.

  9. Use the default “Directory service field” mapping. Click “Save” and go to the next tab.

  10. Configure the next pages, “Linked applications”, “Provisioning” and “App Gateway”, if you require them. Click “Save”. The SAML configuration at the IDP is now complete.

  11. Test the SAML integration. Go back to your Aviatrix Controller and go to the OpenVPN->Advanced->SAML tab. Click test for the SAML endpoint.


    You should be redirected to Centrify, which may ask for credentials; if you are already logged in, it redirects you back to the Controller page.


    Ignore the warning, since you may not have a VPN client running yet.

  12. To test the VPN integration, perform these 3 steps at the Aviatrix Controller:

    1. Configure a cloud account at Accounts->Access Account.
    2. Create a VPN Gateway in the Gateway page. Check “VPN Enabled” and “SAML Enabled”.
    3. Add a VPN user in the OpenVPN->VPN Users page to the SAML VPN gateway with the respective endpoint. The certificate is emailed or can be downloaded here.
  13. Test VPN connectivity by installing the Aviatrix VPN client. Load the VPN certificate and click Connect. The browser should open; log in at Centrify. The client then automatically connects to the VPN Gateway. Test connectivity by pinging the private IP of the gateway.
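When previewing the SAML response in step 6, it helps to check mechanically that the three mapped attributes arrive with values and that Email, the unique identifier, is usable. The following is an added example written for this guide, not Aviatrix or Centrify code; the embedded SAML response is constructed for illustration and the attribute names are the ones the guide maps.

```python
# Checks a previewed SAML response for the attributes this guide maps at the IDP.
# Added example, not Aviatrix or Centrify code; the response below is constructed.
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Attributes configured in step 6; Email is the unique identifier and must be present.
REQUIRED = ("FirstName", "LastName", "Email")

# Constructed sample of a previewed response; a real one carries Issuer, Conditions,
# Signature and so on, which this check deliberately ignores.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(response_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_response(response_xml):
    """Return a list of problems; an empty list means the mapping is usable."""
    problems = []
    attrs = extract_attributes(response_xml)
    for name in REQUIRED:
        values = attrs.get(name, [])
        if not values or not values[0].strip():
            problems.append(f"missing or empty attribute: {name}")
    email = (attrs.get("Email") or [""])[0].strip()
    if email and "@" not in email:
        problems.append(f"Email does not look like an address: {email!r}")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE) or "no errors")
```

Paste the XML shown in the Centrify preview in place of the constructed sample; any reported problem means the attribute mapping or custom logic in step 6 needs another look before testing the endpoint.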