OpenVPN® with SAML Authentication

1. Overview

Aviatrix user VPN is the only OpenVPN® based remote VPN solution that provides a VPN client that supports SAML authentication.

This step-by-step guide shows you how to use the Aviatrix SAML client to authenticate against an IDP. When the SAML client is used, the Aviatrix controller acts as the service provider (SP): it redirects the client's browser to the IDP for authentication, and the IDP posts the resulting SAML assertion back to the controller.

2. Pre-Deployment Checklist

Before configuring the SAML integration between Aviatrix and your IDP, make sure the following is completed:

  1. The Aviatrix Controller is set up and running
  2. You have a valid IDP account with admin access
  3. The Aviatrix SAML client is downloaded and installed

2.1 Aviatrix Controller

If you haven't already deployed the Aviatrix controller, follow the controller deployment instructions first.

2.2 IDP Account

An IDP is an identity provider for SAML. This can be any provider that exposes a SAML 2.0 endpoint, such as Okta, OneLogin, Google, AWS SSO, Azure AD, Ping Identity, VMware vIDM or ForgeRock OpenAM (the listed providers have been tested). You need administrator access at the IDP to create the SAML application and its endpoints.

2.3 Aviatrix VPN Client

All users must use the Aviatrix VPN client to connect to the system. Download the client for your OS here.

3. Configuration

The configuration consists of 5 parts:

  1. Create SAML App for Aviatrix
  2. Retrieve IDP Metadata
  3. Launch Aviatrix Gateway
  4. Create Aviatrix SAML SP
  5. Create Aviatrix VPN user(s)

3.1 Create a SAML App for Aviatrix at the IDP

This step is usually done by the IDP administrator.

Create a SAML 2.0 app with the following settings. Replace aviatrix_controller_hostname with the hostname of your controller and aviatrix_sp_name with the SAML endpoint name you will create in step 3.4; the two names must match exactly, since the controller serves the SP endpoints under that name.

  1. App Name = Aviatrix VPN (arbitrary)
  2. Assertion Consumer Service URL* = https://aviatrix_controller_hostname/flask/saml/sso/aviatrix_sp_name
  3. Audience URI (Entity ID)* = https://aviatrix_controller_hostname/
  4. SP Metadata URL = https://aviatrix_controller_hostname/flask/saml/metadata/aviatrix_sp_name
  5. SP Login URL = https://aviatrix_controller_hostname/flask/saml/login/aviatrix_sp_name
  6. Default RelayState* = <empty>
  7. Name ID format = Unspecified
  8. Application username = the IDP username (for Okta, "Okta username")

Note

After step 3.4, these values are also shown in the controller: select OpenVPN® in the navigation menu, then Advanced, then the SAML tab.

The following SAML attributes are expected:

  1. FirstName
  2. LastName
  3. Email (unique identifier for VPN)
  4. (Optional; only if required) Profile

Note

These attribute names are case sensitive; the IDP must send them exactly as written above (for example, an attribute named "email" will not be recognized as Email).

3.2 Retrieve IDP metadata

After creating the SAML app at the IDP, retrieve the IDP metadata, either as a URL or as XML text, from the application created in the previous step. The controller needs it in step 3.4.
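The script below is an added example, not Aviatrix code or part of this guide. It derives the SP values of section 3.1 from a controller hostname and SP endpoint name, checks them against the SP metadata the controller publishes, pulls the SSO URL and signing certificate out of the IDP metadata retrieved in this step, and confirms that an assertion carries the attribute names with the exact case the controller expects. The hostnames, the SP name, the certificate text and all three XML documents are constructed placeholders.

```python
# Added example (not Aviatrix code): offline sanity checks for the SP values
# from section 3.1, the IDP metadata from 3.2, and the attribute names the
# controller expects. All XML below is hand-constructed sample data; the
# controller hostname, IDP hostname and certificate text are placeholders.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REQUIRED_ATTRS = ("FirstName", "LastName", "Email")


def expected_sp_values(controller_host, sp_name):
    """The values an IDP admin must enter (Entity ID in its 'Hostname' form)."""
    base = f"https://{controller_host}"
    return {
        "acs_url": f"{base}/flask/saml/sso/{sp_name}",
        "entity_id": f"{base}/",
        "metadata_url": f"{base}/flask/saml/metadata/{sp_name}",
        "login_url": f"{base}/flask/saml/login/{sp_name}",
    }


def check_sp_metadata(metadata_xml, expected):
    """List mismatches between the SP metadata and what the IDP was told."""
    root = ET.fromstring(metadata_xml)
    problems = []
    if root.get("entityID") != expected["entity_id"]:
        problems.append(f"entityID is {root.get('entityID')!r}")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if acs is None or acs.get("Location") != expected["acs_url"]:
        problems.append("AssertionConsumerService Location does not match")
    elif acs.get("Binding") != HTTP_POST:  # SAML responses arrive by HTTP-POST
        problems.append("AssertionConsumerService binding is not HTTP-POST")
    return problems


def summarize_idp_metadata(metadata_xml):
    """What the SP needs from IDP metadata: SSO URLs and a signing certificate."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor with no 'use' attribute is valid for signing as well.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "signing_certs": len(certs),
        "sso_all_https": all(u.startswith("https://") for u in sso.values()),
    }


def check_assertion_attributes(assertion_xml):
    """Map each missing required attribute to the miscased name sent, if any."""
    root = ET.fromstring(assertion_xml)
    present = [a.get("Name") for a in root.iter(f"{{{NS['saml']}}}Attribute")]
    by_lower = {n.lower(): n for n in present}
    return {name: by_lower.get(name.lower())
            for name in REQUIRED_ATTRS if name not in present}


# Constructed sample documents (shortened; the certificate is a placeholder).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://controller.example.com/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://controller.example.com/flask/saml/sso/aviatrix_sp_name" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICplaceholderBase64Certificate</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    expected = expected_sp_values("controller.example.com", "aviatrix_sp_name")
    print("SP metadata problems:", check_sp_metadata(SP_METADATA, expected) or "none")
    print("IDP metadata:", summarize_idp_metadata(IDP_METADATA))
    print("Missing attributes:", check_assertion_attributes(ASSERTION))
```

To use it against a real deployment, replace the three sample strings with the SP metadata fetched from the controller's metadata URL, the IDP metadata from your provider, and a decoded SAMLResponse captured from the browser. The sample assertion deliberately sends "email" instead of "Email", which the check reports as a missing Email attribute; that is the kind of mismatch the case-sensitivity note in 3.1 warns about.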

3.3 Launch Aviatrix Gateway

This step is usually completed by the Aviatrix admin.

  1. Login to the Aviatrix controller

  2. Click Gateway in the navigation menu

  3. Click + New Gateway

  4. Select the appropriate values for where to provision this Gateway

  5. Check VPN Access and then Enable SAML


  6. Leave the default settings for everything else

  7. Click OK to launch the gateway

3.4 Create Aviatrix SAML SP (Endpoint)

This step is usually completed by the Aviatrix admin.

  1. Login to the Aviatrix Controller

  2. Expand OpenVPN® in the navigation menu and click Advanced

  3. Stay on the SAML tab and click + Add New

    Field                         Description
    Endpoint Name                 aviatrix_sp_name (the same name you chose during the IDP configuration)
    IDP Metadata Type             Text or URL (depending on what the SAML provider gave you)
    IDP Metadata Text/URL         Paste in the IDP metadata URL or text copied from the SAML provider configuration
    Entity ID                     Select Hostname or Custom
    Custom Entity ID              Only visible if Entity ID is Custom
    Custom SAML Request Template  

3.4.1 Test the integration

Note

Have an instance of the VPN client running. If it is not running, the test may display a warning.

  1. Login to the Aviatrix Controller
  2. Expand OpenVPN® in the navigation menu and click Advanced
  3. Stay on the SAML tab
  4. Select the row that was created in the previous step (aviatrix_sp_name)
  5. Click on the Test action
  6. You should be redirected to the IDP, now you can log in and should be redirected back to the controller

3.5 Create VPN user(s)

Field             Description
VPC ID            Select the VPC/VNet where the Gateway was created
LB/Gateway Name   Select the appropriate load balancer or gateway
User Name         Name of the VPN user
User Email        Any valid email address (the cert file is sent there). If you don't enter an email, you can download the cert instead
SAML Endpoint     Select the SAML endpoint created in step 3.4

Note

SAML supports shared certificates. Because the user's identity comes from the IDP assertion (the Email attribute), the certificate only carries the connection profile: you can share one certificate among VPN users or create a separate VPN user for each person.

3.6 Test VPN Connectivity

  1. Download and install the Aviatrix VPN client for your platform from here.
  2. Launch the Aviatrix client and load the certificate ("Load config") that you downloaded or received by email in step 3.5.
  3. Click "Connect". This launches a browser instance and prompts you for authentication, if you are not already logged in at the IDP.
  4. If the connection is successful, the client icon turns green.
  5. Verify VPN connectivity by pinging the private IP of the gateway you launched, or any other instance in the same cloud network.

OpenVPN is a registered trademark of OpenVPN Inc.