OpenVPN® with SAML Authentication on Google IdP
This guide provides an example on how to configure Aviatrix to authenticate against a Google IDP. When SAML client is used, your Aviatrix Controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IDP (e.g., Google) for authentication.
Pre-Deployment Checklist
Before configuring SAML integration between Aviatrix and Google, make sure the following is completed:
-
Aviatrix Controller is set up and running.
-
Have a valid Google account with admin access.
-
Download and install the Aviatrix SAML VPN client.
Aviatrix Controller
If you haven’t already deployed the Aviatrix Controller, follow the Controller Startup Guide.
Aviatrix VPN Client
All users must use the Aviatrix VPN client to connect to the system. Download the client for your OS here.
Configuration Steps
Follow these steps to configure Aviatrix to authenticate against your Google IDP:
-
Create a custom Google SAML App for Aviatrix.
-
Launch an Aviatrix Gateway.
-
Create Aviatrix SAML SP Endpoint.
-
Test the Integration is Set Up Correctly.
-
Create Aviatrix VPN User.
Create a Google SAML App for Aviatrix
This step is usually done by the Google Admin. |
-
Log in to the Google Admin portal.
-
Follow Google documentation to create a new custom application.
Click Setup My Own Custom App.
Scroll down to Option 2. Click Download next to the "IDP metadata" label.
-
Basic Information
Field Value Description Application Name
Aviatrix
This can be any value. It will be displayed in Google only.
Description
This can be any value.
Upload logo
Aviatrix logo:
Aviatrix logo with red background_ Aviatrix logo with transparent background_
Aviatrix logo (optional)
-
Service Provider Details
Field Value ACS URL
https://[host]/flask/saml/sso/[SP Name]
Entity ID
https://[host]/
Start URL
https://[host]/flask/saml/sso/[SP Name]
Signed Response
Mark this checkbox
Name ID
Basic Information / Primary Email (Default)
Name ID Format
Unspecified
"[host]" is the hostname or IP of your Aviatrix Controller. For example, "https://controller.demo.aviatrix.live."
"[SP Name]" is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix Controller.
-
Attribute Mapping
Attribute Category User field FirstName
Basic
First Name
LastName
Basic
Last Name
Email
Basic
Primary Email
-
Disable Signed Response.
-
Open the Service Provider Details for the SAML application just created. Unmark the Signed Response checkbox.
-
Click Save.
-
Launching an Aviatrix VPN Gateway
This step is usually completed by the Aviatrix admin. |
This step can be skipped if you already have created a SAML VPN Gateway. |
-
Log in to the Aviatrix Controller.
-
Select Gateway on the left sidebar.
-
Click the + New Gateway.
-
Enter a Gateway Name.
-
Select the appropriate Account Name, Region, VPC ID, Public Subnet, and Gateway Size.
-
Mark the VPN Access.
-
Check Enable SAML.
-
For information on the other settings, please refer to this document.
-
Click OK to create the Gateway.
Creating an Aviatrix SAML Endpoint
This step is usually completed by the Aviatrix admin. |
-
Log in to the Aviatrix Controller.
-
Select OpenVPN® > Advanced on the left sidebar.
-
Select the SAML tab.
-
Click + Add New.
Field Value Endpoint Name
SP Name
(Use the same name you entered in the Google Application previously)IDP Metadata Type
Text
IDP Metadata Text
Value Copied from Google
(Paste the value from Google SAML configuration downloaded in a previous step.)Entity ID
Hostname
-
Click OK.
Testing the Integration
-
Start the Aviatrix VPN Client.
If you don’t start the client, you will receive a warning from the browser in the last step of this process.
-
Log in to the Aviatrix Controller.
-
Select OpenVPN® > Advanced in the left navigation menu.
-
Select the SAML tab.
-
Click Test next to the "SP Name" created in the previous step.
You will need to assign the new Google application to a test user’s Google account before clicking Test.
-
You should be redirected to Google. Log in with your test user credentials.
If everything is configured correctly, once you have authenticated you will be redirected back to the controller and the window will close.
Creating a VPN User
-
Log in to the Aviatrix Controller.
-
Select OpenVPN® > VPN Users in the left navigation menu.
-
Click + Add New.
-
Select the VPC ID and LB/Gateway Name for your SAML Gateway.
-
Enter the Google username in the User Name field.
-
Enter any valid email address in the User Email field (this is where the cert file will be sent). Alternatively, you can download the cert if you do not enter an email address.
-
Select the SAML Endpoint.
-
Click OK.
Validating
-
Log in to the Aviatrix Controller.
-
Select OpenVPN® > VPN Users in the left navigation menu.
-
Download the configuration for your test user created in the previous step.
-
Open the Aviatrix VPN Client application.
-
Click Load Conf and select the file downloaded.
-
Click Connect.
SAML VPN only supports shared certificates. You can share the certificate among VPN users or create more VPN users. |
OpenVPN is a registered trademark of OpenVPN Inc.