
SAML Authentication for Access Server VPN Users

Abstract

Authenticate your VPN clients with SAML, an open standard for exchanging authentication and authorization data between an identity provider and a service provider.

Introduction

Access Server 2.11 and newer supports Security Assertion Markup Language (SAML), an XML-based standard for exchanging authentication and authorization data between Access Server as the Service Provider (SP) and a SAML Identity Provider (IdP).

The advantage of SAML is that it can provide a single sign-on (SSO) experience. This means you can use the same SAML IdP credentials to access various applications and services that support SAML authentication, eliminating the need to add new credentials for each application or service.

The Access Server SAML process

When you enable SAML for authentication on your Access Server, users do not sign in with Access Server-specific credentials. Instead, they use their credentials for the IdP, giving them a single sign-on (SSO) experience. Here are examples of how the sign-in flow might look.

Starting from the Client Web UI (SP-initiated):

  1. The user opens the Access Server Client Web UI.

  2. They click on Sign in via SAML on the sign-on page.

  3. They are automatically sent to the SAML IdP sign-on page.

  4. They authenticate with their SAML IdP credentials.

  5. The user is sent to the Client Web UI to download the required software and/or import a connection profile using a token URL.

Starting from the IdP (IdP-initiated):

  1. The user opens the SAML IdP sign-on page.

  2. They authenticate with their SAML IdP credentials.

  3. They click on the Access Server SAML application.

  4. The user is sent to the Client Web UI to download the required software and/or import a connection profile using a token URL.

Connecting with OpenVPN Connect:

  1. The user opens OpenVPN Connect.

  2. They click on their profile to connect to the VPN.

  3. OpenVPN Connect directs them to the IdP sign-on in a browser.

  4. After successful authentication, they connect to the VPN.
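The SP-initiated flow above, shown as an added example that is not code from Access Server or this documentation: the Service Provider builds an AuthnRequest, hands it to the browser in the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded), and, when the IdP posts a Response back to the Assertion Consumer Service, checks that the response answers the request it issued, is still inside its validity window, and is addressed to this SP. All endpoint URLs, IDs and the response itself are constructed placeholders; the XML signature check, which needs the IdP's signing certificate, is intentionally not shown and must pass before any of the other checks carry weight.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder endpoints; the real ones come from each side's metadata.
SP_ENTITY_ID = "https://vpn.example.com/saml/metadata"
SP_ACS_URL = "https://vpn.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/sso/saml"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def saml_time(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_saml_time(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(request_id: str, issued: datetime) -> str:
    """The AuthnRequest the SP sends the browser off with (flow step 3)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{saml_time(issued)}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )

def redirect_binding_url(authn_request: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate, no zlib header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def decode_redirect_binding(url: str) -> str:
    """What the IdP does on arrival: reverse the encoding to recover the XML."""
    params = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()

def constructed_response(in_response_to: str, now: datetime, audience: str = SP_ENTITY_ID) -> str:
    """A constructed, unsigned Response like the one the IdP POSTs back to the ACS (flow step 5)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
        f'IssueInstant="{saml_time(now)}" Destination="{SP_ACS_URL}" '
        f'InResponseTo="{in_response_to}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{saml_time(now)}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{saml_time(now - timedelta(minutes=1))}" '
        f'NotOnOrAfter="{saml_time(now + timedelta(minutes=5))}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

def check_response(response_b64: str, expected_request_id: str, now: datetime) -> dict:
    """SP-side checks on the returned assertion (after signature verification, not shown)."""
    root = ET.fromstring(base64.b64decode(response_b64))
    problems = []
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the request we issued")
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination is not our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": problems + ["no assertion"], "name_id": None}
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("assertion issuer is not the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    audiences = [] if cond is None else [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cond is None or not (parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")
    if SP_ENTITY_ID not in audiences:
        problems.append("audience does not name our entity ID")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"ok": not problems, "problems": problems, "name_id": name_id}

def run_example() -> dict:
    """Drive the whole exchange with constructed data: one good case plus three rejections."""
    req_id = "_req-constructed-1"
    request = build_authn_request(req_id, EXAMPLE_NOW)
    url = redirect_binding_url(request, relay_state="import-profile")
    good = constructed_response(req_id, EXAMPLE_NOW)
    return {
        "roundtrip_ok": decode_redirect_binding(url) == request,
        "good": check_response(good, req_id, EXAMPLE_NOW),
        "unsolicited": check_response(constructed_response("_other-id", EXAMPLE_NOW), req_id, EXAMPLE_NOW),
        "stale": check_response(good, req_id, EXAMPLE_NOW + timedelta(minutes=10)),
        "wrong_audience": check_response(
            constructed_response(req_id, EXAMPLE_NOW, "https://other-sp.example.net"), req_id, EXAMPLE_NOW),
    }
```

The three rejection cases are the ones that matter in practice: a Response whose InResponseTo does not match an outstanding request is a replay or an unsolicited login, an assertion past NotOnOrAfter is reused material, and an audience naming a different entity ID is an assertion minted for another service. Access Server performs its own equivalents of these checks; the code here only makes visible what "they authenticate with their SAML IdP credentials" covers on the SP side.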

Setting up Access Server SAML with your IdP

Setting up SAML with Access Server requires several configuration steps:

  1. Provide the Service Provider information to the Identity Provider.

  2. Provide the Identity Provider information to the Service Provider.

  3. Enable SAML with Access Server.

  4. Assign users access through the IdP.

  5. Users successfully sign in.

We provide detailed tutorials to help you set up SAML with several IdPs:

If you're looking for SAML with CloudConnexa, refer to the SAML CloudConnexa documentation.

SAML and TOTP MFA

Important

By design, SAML authentication on Access Server doesn't work with the TOTP MFA toggle in the Admin Web UI.

When you use SAML as your authentication method and set up multi-factor authentication (MFA), ensure that the MFA occurs with the IdP. Access Server lets you enable TOTP MFA with a single toggle, or enable it for an individual user or group. If some users are configured with TOTP MFA through Access Server, keep them separate from SAML users by placing them in different groups or by setting TOTP MFA at the user level rather than globally.

Another option for adding MFA outside of your IdP alongside SAML is DUO MFA. We walk you through these steps in this tutorial: