OpenVPN® with SAML Authentication on Centrify IdP

This guide provides an example of how to configure Aviatrix to authenticate against the Centrify IdP. When the SAML client is used, your Aviatrix Controller acts as the Identity Service Provider (SP) that redirects browser traffic from the client to the IdP for authentication.

Pre-Deployment Checklist

Before configuring SAML integration between Aviatrix and Centrify, make sure the following is completed:

  1. The Aviatrix Controller is set up and running. Follow the AWS Controller Startup Guide or the Azure Getting Started Guide to launch the Controller.

  2. You have Centrify up and running with administrator access.

  3. You have downloaded and installed the Aviatrix VPN client.

Configuration Steps

  1. From the Centrify App > Add New App > Custom, select SAML and click Add. Click yes and close the prompt. This lets you configure the application.

  1. Enter a name for your application, click Save, and go to the next page.

  2. Copy the metadata URL from the Trust page.

  3. Now go to your Aviatrix Controller. Create a new SAML endpoint from OpenVPN and paste the URL into the Metadata URL field. Give the endpoint a name and click OK.


This creates a SAML endpoint at the Aviatrix Controller.


Here you can retrieve the SP metadata by clicking on the SP metadata.

  1. Copy the above metadata as text.

  2. Go back to the Centrify app and paste the information into the Metadata XML section. Click Save and go to the next section.


    You can also use the URL method if you have configured a signed certificate for the Aviatrix Controller. The URL method does not work with the initial self-signed certificate.

  3. Configure the following SAML attributes (Email is the unique identifier):

    FirstName    LoginUser.FirstName
    LastName     LoginUser.LastName
    Email        LoginUser.Email

  4. Also, the custom logic needs to be set for the attributes to work:

    setAttribute("exampleAttr", "DOMAIN\\user");
  1. You can preview the SAML response at this step: select the user and make sure that there are no errors.

  2. Click Save and go to the next tab.

  3. Add users.

  4. Click Save and go to the next tab.

  5. Add any policies if you require them. Click Save and go to the next tab.

  6. Use the default "Directory service field" mapping. Click Save and go to the next tab.

  7. Configure the next pages if you require them: Linked applications, Provisioning, and App Gateway. Click Save. The SAML configuration at the IdP is now complete.

  8. Test the SAML integration. Go back to your Aviatrix Controller and go to the OpenVPN > Advanced > SAML tab. Click Test for the SAML endpoint.


You should be redirected to Centrify, which may ask for credentials. If you are already logged in, it redirects you back to the Controller page.


Ignore the warning since you may not have a VPN client already running.
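
The attribute mapping from the Configuration Steps (FirstName, LastName, Email) can also be checked offline against a response copied from the Centrify preview. The script below is an added example, not part of the Aviatrix or Centrify tooling; the sample response and its values are constructed, and it checks attribute presence only, not the response signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("FirstName", "LastName", "Email")  # names from the attribute mapping step

# Constructed sample: a trimmed, unsigned response with made-up values.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>alex.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_attributes(response_xml):
    """Return {attribute name: [values]} for every assertion attribute."""
    # Intended for a response copied from your own IdP preview, not untrusted XML.
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_mapping(response_xml):
    """Return a list of problems; an empty list means the mapping looks right."""
    attrs = extract_attributes(response_xml)
    problems = []
    for name in REQUIRED:
        values = [v for v in attrs.get(name, []) if v]
        if not values:
            problems.append(f"{name}: missing or empty")
        elif len(values) > 1:
            problems.append(f"{name}: {len(values)} values, expected one")
    email = next(iter(attrs.get("Email", [])), "")
    if email and "@" not in email.strip("@"):
        problems.append("Email: value does not look like an e-mail address")
    return problems


if __name__ == "__main__":
    print(check_mapping(SAMPLE_RESPONSE) or "attribute mapping OK")
```

A response whose assertion is encrypted reports all three attributes as missing, because the attribute statement is not readable without the SP key.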

Testing the VPN Integration

To test the VPN integration, you need to perform 3 steps at the Aviatrix Controller.

  1. Configure a cloud account at Accounts > access account.

  2. Create a VPN Gateway in the Gateway page. Mark the VPN Enabled and SAML Enabled checkboxes.

  3. Add a VPN user in the OpenVPN > VPN users page to the SAML VPN gateway with the respective endpoint. The certificate is emailed or can be downloaded here.

  4. Test VPN connectivity by installing the Aviatrix VPN client. Load the VPN certificate and click connect. The browser should open up. Log in at Centrify. The client then automatically connects to the VPN Gateway. Test connectivity by doing a ping to the private IP of the gateway.