OpenVPN® with SAML Authentication on Google IDP
Overview
This guide provides an example of how to configure Aviatrix to authenticate against a Google IDP. When the SAML client is used, your Aviatrix controller acts as the SAML Service Provider (SP) that redirects browser traffic from the client to the IDP (e.g., Google) for authentication.
Pre-Deployment Checklist
Before configuring SAML integration between Aviatrix and Google, make sure the following is completed:
- Aviatrix Controller is set up and running.
- You have a valid Google account with admin access.
- The Aviatrix SAML VPN client is downloaded and installed.
Aviatrix Controller
If you haven’t already deployed the Aviatrix controller, follow the Controller Startup Guide.
Google Account
A Google account with admin access is required to configure the integration.
Configuration Steps
Follow these steps to configure Aviatrix to authenticate against your Google IDP:
- Create a custom Google SAML App for Aviatrix
- Launch an Aviatrix Gateway
- Create Aviatrix SAML SP Endpoint
- Test the Integration is Set Up Correctly
- Create Aviatrix VPN User
- Validate
Create a Google SAML App for Aviatrix
Note
This step is usually done by the Google Admin.
- Log in to the Google Admin portal.
- Follow the Google documentation to create a new custom application.
- Click Setup My Own Custom App.
- Scroll down to Option 2. Click the Download button next to the IDP metadata label.
Basic Information
- Application Name: Aviatrix (this can be any value; it is displayed in Google only)
- Description: any value
- Upload logo: Aviatrix logo (optional)
Service Provider Details
- ACS URL: https://[host]/flask/saml/sso/[SP Name]
- Entity ID: https://[host]/
- Start URL: https://[host]/flask/saml/sso/[SP Name]
- Signed Response: Checked
- Name ID: Basic Information / Primary Email (Default)
- Name ID Format: UNSPECIFIED
[host] is the hostname or IP of your Aviatrix controller. For example, https://controller.demo.aviatrix.live
[SP Name] is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller.
Attribute Mapping
Disable “Signed Response”
- Open the Service Provider Details for the SAML application just created. Uncheck Signed Response.
- Click Save.
Launch Aviatrix VPN Gateway
Note
This step is usually completed by the Aviatrix admin.
Note
This step can be skipped if you have already created a SAML VPN Gateway.
- Log in to the Aviatrix controller.
- Click Gateway in the left navigation menu.
- Click the + New Gateway button.
- Enter a Gateway Name.
- Select the appropriate Account Name, Region, VPC ID, Public Subnet and Gateway Size.
- Check VPN Access.
- Check Enable SAML.
- For information on the other settings, please refer to this document.
- Click OK to create the Gateway.
Create Aviatrix SAML Endpoint
Note
This step is usually completed by the Aviatrix admin.
- Log in to the Aviatrix Controller.
- Click OpenVPN® in the left navigation menu.
- Select Advanced.
- Click on the SAML tab.
- Click the + Add New button.
- Fill in the fields:
  Endpoint Name: SP Name (use the same name you entered in the Google application previously)
  IDP Metadata Type: Text
  IDP Metadata Text: Value copied from Google (paste the value from the Google SAML configuration downloaded in a previous step)
  Entity ID: Hostname
- Click OK.
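The Service Provider Details above and the IDP Metadata Text pasted in this step are the two halves of the SP/IDP pairing. The following is an added example, not Aviatrix or Google code: it builds the ACS URL, Entity ID and Start URL from a controller host and SP Name using the pattern the tables give, and it sanity-checks a downloaded Google IdP metadata file (root element, entityID, an HTTPS SingleSignOnService with the HTTP-Redirect binding, and at least one signing certificate) before you paste it into the controller. The sample metadata embedded in the block is constructed for the example and is not real Google output; the function and variable names are the example's own.

```python
"""Added example (not Aviatrix or Google code): derive the SP values from the
page's URL pattern and sanity-check downloaded IdP metadata before pasting it."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sp_settings(host: str, sp_name: str) -> dict:
    """Return ACS URL, Entity ID and Start URL for the Google app.
    host is the controller hostname or IP (a leading https:// is tolerated);
    sp_name is the arbitrary SP Name reused in the controller's SAML tab."""
    host = host.strip().rstrip("/")
    if host.startswith("https://"):
        host = host[len("https://"):]
    if not host or "/" in host:
        raise ValueError("host must be a bare hostname or IP")
    if not sp_name or any(c in sp_name for c in " /?#"):
        raise ValueError("SP Name must be a single URL path segment")
    sso = f"https://{host}/flask/saml/sso/{sp_name}"
    return {"ACS URL": sso, "Entity ID": f"https://{host}/", "Start URL": sso}


def check_idp_metadata(xml_text) -> dict:
    """Parse SAML 2.0 IdP metadata and return its entityID, the HTTP-Redirect
    SSO URL and the number of signing certificates; raise if any is missing."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")  # downloaded files arrive as bytes
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.get("Location")
    if not sso_url or urlparse(sso_url).scheme != "https":
        raise ValueError("no HTTPS SingleSignOnService with HTTP-Redirect binding")
    # KeyDescriptor without a use attribute may be used for both signing and encryption.
    certs = [
        kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
    ]
    certs = [c.strip() for c in certs if c and c.strip()]
    if not certs:
        raise ValueError("no signing certificate: assertion signatures cannot be verified")
    return {"entity_id": entity_id, "sso_url": sso_url, "signing_certs": len(certs)}


# Constructed sample in the shape of an IdP metadata download (not real Google output).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/saml2?idpid=EXAMPLEID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBplaceholderCERT==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml2/idp?idpid=EXAMPLEID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml2/idp?idpid=EXAMPLEID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for field, value in sp_settings("controller.demo.aviatrix.live", "google").items():
        print(f"{field}: {value}")
    print(check_idp_metadata(SAMPLE_METADATA))
```

Run it against the file downloaded from Option 2 by replacing SAMPLE_METADATA with the file's contents; a ValueError means the wrong file (for example SP metadata, or a copy with the certificate stripped) was downloaded, and pasting it would leave the controller unable to verify the assertions Google sends. The signing certificate matters even after the later "Disable Signed Response" step: in Google's app settings that box governs signing of the outer SAML Response, while the Assertion inside it is still signed with the certificate published in this metadata.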
Test the Integration
- Start the Aviatrix VPN Client.
Note
If you don’t start the client, you will receive a warning from the browser in the last step of this process.
- Log in to the Aviatrix Controller.
- Click OpenVPN® in the left navigation menu.
- Select Advanced.
- Click on the SAML tab.
- Click the Test button next to the SP Name created in the previous step.
Tip
You will need to assign the new Google application to a test user’s Google account before clicking Test.
- You should be redirected to Google. Log in with your test user credentials.
Important
If everything is configured correctly, once you have authenticated you will be redirected back to the controller and the window will close.
Create a VPN User
- Log in to the Aviatrix Controller
- Click OpenVPN® in the left navigation menu
- Select VPN Users
- Click + Add New
- Select the VPC ID and LB/Gateway Name for your SAML Gateway
- Enter the Google username in the User Name field
- Enter any valid email address in the User Email field (this is where the cert file will be sent). Alternatively, you can download the cert if you do not enter an email address.
- Select the SAML Endpoint
- Click OK
Validate
- Log in to the Aviatrix Controller
- Click OpenVPN® in the left navigation menu
- Select VPN Users
- Download the configuration for your test user created in the previous step
- Open the Aviatrix VPN Client application
- Click Load Conf and select the file downloaded
- Click Connect
Note
SAML VPN only supports shared certificates. You can share the certificate among VPN users or create more VPN users.
OpenVPN is a registered trademark of OpenVPN Inc.