Azure Active Directory (AD) is now Microsoft Entra ID.
Aviatrix allows for centralized management of user access by integrating with your chosen Identity Provider (IdP) via SAML. This allows you to control user access to Controller and CoPilot, as well as user access to the cloud environment using Aviatrix UserVPN (if desired). This guide provides an example of how to configure Aviatrix to authenticate against an Entra ID IdP. When SAML is configured, your Aviatrix CoPilot acts as the Service Provider (SP) that redirects browser traffic from the client to the IdP (e.g., Entra ID) for authentication.

Pre-Deployment Checklist

Before configuring SAML integration between Aviatrix and Entra ID, make sure the following is completed:
  1. The Aviatrix Controller and CoPilot are deployed.
  2. You have an Azure account.
  3. You have downloaded and installed the Aviatrix SAML VPN client (if you are configuring access to the cloud environment using Aviatrix UserVPN).

Aviatrix VPN Client

If configuring Aviatrix VPN access, download the client for your OS here.

Custom SAML Request Template

This can be used in either the Controller/CoPilot or the UserVPN SAML setup.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="$ID" Version="2.0" IssueInstant="$Time" Destination="$Dest" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="$ACS">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">$Issuer</saml:Issuer>
</samlp:AuthnRequest>

Configuration Steps

Follow these steps to configure Aviatrix to authenticate against your Entra ID IdP:
  1. Create a SAML Endpoint in Aviatrix CoPilot:
    • For controlling user access to Controller and CoPilot: Administration > User Access > Access Management
    • For controlling user access to the cloud environment using UserVPN: Cloud Fabric > UserVPN > Settings
  2. Create an Entra ID SAML Application for Aviatrix in the Azure Console.

Entra ID Custom SAML Application

Before you start, pick a short name to be used for the SAML application name. In the notes below we will refer to this as aviatrix_EntraID. The string you select for the SAML application name is used to generate a URL for Azure AD to connect with Aviatrix. This URL is defined below as SP_ACS_URL. This URL should be constructed as:
https://<your-CoPilot-IP-or-hostname>/flask/saml/sso/<aviatrix_EntraID>
Replace <your-CoPilot-IP-or-hostname> with the actual host name or IP address of your CoPilot and <aviatrix_EntraID> with the string you chose to refer to the SAML application.
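The following is an added example, not Aviatrix's own code, that ties the two pieces above together: it builds SP_ACS_URL exactly as the page defines it and renders the Custom SAML Request Template from the earlier section into a concrete AuthnRequest, then parses the result so you can compare the ACS URL, Destination and Issuer with what you enter on the Entra ID side. The CoPilot hostname copilot.example.com, the application name aviatrix_EntraID, the Entra ID SSO endpoint https://login.example.com/saml2 and the issuer value are placeholders, and the function names are this example's own.

```python
"""Added example (not Aviatrix code): build the SP ACS URL from the page and
render the page's Custom SAML Request Template into a concrete AuthnRequest.

Assumptions (placeholders, not values from the page): the CoPilot hostname
'copilot.example.com', the application name 'aviatrix_EntraID', the Entra ID
SSO endpoint 'https://login.example.com/saml2' and the Issuer value."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from string import Template
from typing import Optional

# The template exactly as given on the page; the $-placeholders are filled below.
AUTHN_REQUEST_TEMPLATE = Template(
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="$ID" Version="2.0" IssueInstant="$Time" Destination="$Dest" '
    'ForceAuthn="false" IsPassive="false" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="$ACS">\n'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '$Issuer</saml:Issuer>\n'
    '</samlp:AuthnRequest>'
)

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def sp_acs_url(copilot_host: str, app_name: str) -> str:
    """SP_ACS_URL as the page defines it:
    https://<your-CoPilot-IP-or-hostname>/flask/saml/sso/<aviatrix_EntraID>"""
    return f"https://{copilot_host}/flask/saml/sso/{app_name}"


def render_authn_request(acs_url: str, idp_sso_url: str, issuer: str,
                         request_id: Optional[str] = None,
                         issue_instant: Optional[datetime] = None) -> str:
    """Substitute the template variables. A SAML ID must be an XML NCName, so
    the random ID is prefixed with an underscore (a name may not start with a
    digit); IssueInstant is UTC in the xs:dateTime form SAML expects."""
    if request_id is None:
        request_id = "_" + secrets.token_hex(16)
    if issue_instant is None:
        issue_instant = datetime.now(timezone.utc)
    return AUTHN_REQUEST_TEMPLATE.substitute(
        ID=request_id,
        Time=issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        Dest=idp_sso_url,
        ACS=acs_url,
        Issuer=issuer,
    )


def parse_authn_request(xml_text: str) -> dict:
    """Parse a rendered request and return the fields an admin compares against
    the Entra ID application's Reply URL (ACS) and Identifier (Issuer)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
        "issuer": issuer.text if issuer is not None else None,
    }


if __name__ == "__main__":
    acs = sp_acs_url("copilot.example.com", "aviatrix_EntraID")
    req = render_authn_request(acs, "https://login.example.com/saml2",
                               "https://copilot.example.com")
    print(req)
    print(parse_authn_request(req))
```

The parsed dictionary is what to check when an Entra ID sign-in fails with a reply-URL or identifier mismatch: the acs_url must match the Reply URL configured on the Entra ID application, and the issuer must match its Identifier (Entity ID).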

Creating the SAML Endpoint

In CoPilot, go to one of the following locations, depending on your objective:

Access Management (Controller/CoPilot)

  1. At Administration > User Access > Access Management, click +SAML Endpoint and populate the Create SAML Endpoint dialog as follows.
    Field | Description
    Name | Entra ID - This name is later chosen from the login menu when authenticating. You can configure multiple SAML configurations if desired.
    Identity Provider Metadata Type | Select URL
    Identity Provider Metadata URL | https://www.aviatrix.com (temporary, because the IdP is not yet configured; you will change it later).
    Entity ID | Select Hostname
    Access Set By | Controller: if this is selected, you need to create a separate SAML endpoint for each permission group you want to grant access to. SAML Identity Provider Attribute: this allows the Identity Provider to control what access is allowed for the authenticated user by sending the “Profile” attribute. If this is selected, you can also choose to block empty profiles. When Block Empty Profiles is selected, users without explicitly set permissions are not granted access. If empty profiles are allowed, users who do not have a set profile from the IdP are treated as ‘read_only’ users.
    Custom SAML Request Template | If desired, copy the sample provided in the above section (Custom SAML Request Template).
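To make the Access Set By rule concrete, here is an added example (not Aviatrix's own code) that reads the Profile attribute out of a SAML assertion and applies the Block Empty Profiles choice: a missing or blank Profile is denied when blocking is on and falls back to ‘read_only’ when it is off. The three assertions are constructed, unsigned samples; the attribute name Profile and the ‘read_only’ fallback come from the page, while the assertion layout, the permission value admin, and the function names are assumptions for illustration.

```python
"""Added example (not Aviatrix code): apply the Access Set By / Block Empty
Profiles rule from the table to constructed SAML assertions.

Assumptions: the assertion layout, the profile value 'admin' and the function
names are this example's own; 'Profile' and 'read_only' are from the page."""
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, minimal, unsigned assertions. A real SP validates the signature
# and conditions before it reads any attribute; this example only looks at
# the attribute statement to show the access decision.
ASSERTION_WITH_PROFILE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Profile">
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ASSERTION_WITHOUT_PROFILE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>bob@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The IdP sent the attribute but with no value: treated the same as absent.
ASSERTION_EMPTY_PROFILE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>carol@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Profile">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_profile(assertion_xml: str) -> Optional[str]:
    """Return the first non-blank Profile attribute value, or None if the
    attribute is absent or carries only empty values."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != "Profile":
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            if val.text and val.text.strip():
                return val.text.strip()
    return None


def decide_access(assertion_xml: str, block_empty_profiles: bool) -> Optional[str]:
    """Rule from the page: a present Profile names the permission group; with
    Block Empty Profiles on, a user without one gets no access (None); with it
    off, that user is treated as 'read_only'."""
    profile = extract_profile(assertion_xml)
    if profile is not None:
        return profile
    return None if block_empty_profiles else "read_only"


if __name__ == "__main__":
    samples = (("alice", ASSERTION_WITH_PROFILE),
               ("bob", ASSERTION_WITHOUT_PROFILE),
               ("carol", ASSERTION_EMPTY_PROFILE))
    for who, xml in samples:
        for block in (True, False):
            print(f"{who}: block_empty_profiles={block} -> {decide_access(xml, block)}")
```

The blank-value case is the one worth testing in your own deployment: an Entra ID claim mapping that exists but resolves to nothing for some users looks, to the SP, like no Profile at all, so with Block Empty Profiles off those users silently land in ‘read_only’.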

UserVPN

For UserVPN SAML configuration, navigate to Cloud Fabric > UserVPN > Settings and configure the SAML endpoint with similar settings as described above for Access Management.