
Tutorial: Manage the SAML Authentication Method from the Command-Line Interface

Abstract

Configure SAML authentication in OpenVPN Access Server using the CLI. Learn how to use IdP metadata or manual settings, enable SAML, and verify your configuration.

Overview

This tutorial shows how to configure SAML authentication in Access Server using the command-line interface (CLI).

With SAML, users sign in through an external identity provider (IdP), such as Entra ID, Okta, or Google Workspace.

You can configure SAML in two ways:

  • Recommended: Use IdP metadata (simpler and faster).

  • Manual: Define each setting individually.

Prerequisites

  • Root privileges on your Access Server's console.

  • A configured SAML IdP.

  • IdP metadata file or URL (recommended), or manual configuration details.

Set the authentication method to SAML

  1. Connect to the console and get root privileges.

  2. Set the authentication method to SAML:

    sacli --key "auth.module.type" --value "saml" ConfigPut
    sacli start

    Note

    Until the SAML settings below are complete and enabled, users other than the bootstrap admin accounts won't be able to sign in, so keep your console session open and your bootstrap admin credentials at hand.

Configure the IdP manually

Use this method only if IdP metadata isn't available.

  1. Define the IdP entity ID:

    sacli --key "auth.saml.0.idp_entityid" --value <IDP ENTITY ID> ConfigPut

  2. Define the IdP sign-on endpoint:

    sacli --key "auth.saml.0.idp_signon_endpoint" --value <IDP SIGNON ENDPOINT> ConfigPut

  3. Define the IdP certificate:

    sacli --key "auth.saml.0.idp_cert" --value_file "<PATH_TO_FILE_NAME>" ConfigPut

    Note

    <PATH_TO_FILE_NAME> must be a full path, such as "/root/idp-cert.pem". Access Server uses this certificate to verify the signatures on the assertions your IdP sends, so take it from the IdP's own metadata or admin console rather than from an untrusted source, and update it before the IdP rotates its signing key.

Set the SP hostname (optional)

Use this if you want SAML authentication to use a different hostname than your Admin Web UI or Client Web UI. The hostname you set here must match the service provider details you register at the IdP; a mismatch makes the sign-on fail.

  • Run:

    sacli --key "auth.saml.0.sp_hostname" --value <HOSTNAME> ConfigPut
Enable SAML and apply the configuration

  1. Enable SAML authentication:

    sacli --key "auth.saml.0.enable" --value "true" ConfigPut

  2. Apply the configuration:

    sacli start
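The manual procedure above, gathered into one checked script. This is an added example, not code from the Access Server documentation or from OpenVPN: it stages every ConfigPut and applies once with sacli start, but first refuses a non-https sign-on endpoint, a relative certificate path, and a certificate that openssl can't parse or that has already expired. Those checks are this script's own policy, not something the page requires; the `SACLI` variable is assumed to resolve to the sacli tool, and setting it to `echo` gives a dry run that prints the commands instead of executing them.

```bash
#!/usr/bin/env bash
# Added example (not from the Access Server documentation): manual SAML
# configuration via sacli with pre-flight checks. The checks are this
# script's own policy. SACLI is assumed to be the sacli tool; SACLI=echo
# prints the commands without touching the server.
set -eu

SACLI="${SACLI:-sacli}"

# 0 if $1 is an absolute https:// URL. A plain-http sign-on endpoint would let
# anyone on the network path redirect the browser to an attacker-run "IdP".
is_https_url() {
  case "$1" in
    https://[!/]*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if $1 is an absolute path to a readable PEM certificate that openssl can
# parse and that has not already expired. --value_file needs the full path,
# and this certificate is what verifies every assertion signature.
is_idp_cert_file() {
  case "$1" in
    /*) ;;
    *) echo "$1: must be an absolute path" >&2; return 1 ;;
  esac
  [ -r "$1" ] || { echo "$1: not readable" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "$1: not a valid, unexpired PEM certificate" >&2; return 1; }
}

# Stage every setting, then apply once with "sacli start".
# Args: IdP entity ID, IdP sign-on endpoint, IdP cert path, optional SP hostname.
configure_saml_manual() {
  local entity_id="$1" signon="$2" cert="$3" sp_host="${4:-}"

  [ -n "$entity_id" ] || { echo "IdP entity ID is empty" >&2; return 1; }
  is_https_url "$signon" || { echo "$signon: sign-on endpoint must be https://" >&2; return 1; }
  is_idp_cert_file "$cert" || return 1

  "$SACLI" --key "auth.module.type" --value "saml" ConfigPut
  "$SACLI" --key "auth.saml.0.idp_entityid" --value "$entity_id" ConfigPut
  "$SACLI" --key "auth.saml.0.idp_signon_endpoint" --value "$signon" ConfigPut
  "$SACLI" --key "auth.saml.0.idp_cert" --value_file "$cert" ConfigPut
  if [ -n "$sp_host" ]; then
    "$SACLI" --key "auth.saml.0.sp_hostname" --value "$sp_host" ConfigPut
  fi
  "$SACLI" --key "auth.saml.0.enable" --value "true" ConfigPut
  "$SACLI" start
}

# Usage: ./saml-manual.sh <IDP ENTITY ID> <IDP SIGNON ENDPOINT> /root/idp-cert.pem [SP HOSTNAME]
# Prefix with SACLI=echo for a dry run. With no arguments the script only
# defines the functions, so it can be sourced.
if [ $# -gt 0 ]; then
  configure_saml_manual "$@"
fi
```

Run it from the Access Server scripts directory (or with `SACLI` pointing at the full path of sacli) so the ConfigPut calls hit the real server; the dry run is the quickest way to review what will change before the single sacli start applies it.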
Verify the configuration

  1. Open the Client Web UI.

  2. Attempt to sign in.

  3. Confirm:

    • You're redirected to your IdP.

    • Authentication completes successfully.

    • You're redirected back to the Client Web UI.

    Tip

    If authentication fails, check /var/log/openvpnas.log for SAML-related messages. Test from a browser that doesn't already hold an IdP session, so you see the full redirect to the IdP and back. If you need to roll back, set auth.module.type back to its previous value (for example "local") with sacli ConfigPut and run sacli start from the console.

Advanced settings

These settings aren't required for most deployments. Run sacli start after changing them to apply the new values.

  • Enable sending ForceAuthn (default is false). With ForceAuthn, the IdP must re-authenticate the user on every sign-in instead of silently reusing an existing single sign-on session:

    sacli --key "auth.saml.0.forceauthn" --value "true" ConfigPut

  • Enable sending AuthnContexts (default is true):

    sacli --key "auth.saml.0.requestauthncontext" --value "true" ConfigPut

  • Define the AuthnContexts to include in the AuthnRequest (default is PasswordProtectedTransport). This tells the IdP which class of authentication method you're asking for:

    sacli --key "auth.saml.0.authncontexts" --value "PasswordProtectedTransport" ConfigPut

    • To add multiple values, use space-separated values. Example:

      sacli --key "auth.saml.0.authncontexts" --value "PasswordProtectedTransport X509" ConfigPut

  • Set the SAML timeout in seconds (default is 180):

    sacli --key "auth.saml.0.timeout" --value "180" ConfigPut

  • Specify the IdP log-out endpoint:

    sacli --key "auth.saml.0.idp_logout_endpoint" --value <IDP LOGOUT ENDPOINT> ConfigPut
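The advanced settings above, applied with hardened values and audited on an existing server. This is an added example, not code from the Access Server documentation or from OpenVPN. It assumes things the page doesn't state: that a sensible timeout lies between 30 and 900 seconds (this script's own policy), that `sacli ConfigQuery` prints a flat JSON object of "key": "value" string pairs that the audit can parse with sed, and a constructed `SAMPLE_CONFIG` dump that stands in for that output so the audit runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the Access Server documentation): apply the
# advanced SAML settings with hardened values, and audit a configuration
# dump for the weak ones. Assumptions that are mine, not the page's: the
# accepted timeout range (30..900 s); that "sacli ConfigQuery" prints a flat
# JSON object of "key": "value" string pairs; and the constructed
# SAMPLE_CONFIG below.
set -eu

SACLI="${SACLI:-sacli}"

# Print the value of one key from a flat JSON config dump read on stdin.
config_value() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Stage the hardened advanced settings, then apply with "sacli start".
#  - forceauthn=true: the IdP re-authenticates the user on every VPN sign-in
#    instead of silently reusing an existing browser SSO session.
#  - requestauthncontext=true with an explicit context list, so the IdP is
#    told which authentication method class is being asked for.
#  - a bounded timeout, so an abandoned sign-in doesn't stay pending for long.
# Args: space-separated AuthnContexts, timeout in seconds, optional IdP logout endpoint.
saml_apply_advanced() {
  local contexts="$1" timeout="$2" logout="${3:-}" ctx

  [ -n "$contexts" ] || { echo "at least one AuthnContext is required" >&2; return 1; }
  for ctx in $contexts; do
    case "$ctx" in
      *[!A-Za-z0-9]*) echo "$ctx: unexpected characters in AuthnContext name" >&2; return 1 ;;
    esac
  done
  case "$timeout" in
    ''|*[!0-9]*) echo "timeout must be an integer number of seconds" >&2; return 1 ;;
  esac
  if [ "$timeout" -lt 30 ] || [ "$timeout" -gt 900 ]; then
    echo "timeout $timeout s is outside the 30..900 s policy range" >&2; return 1
  fi
  if [ -n "$logout" ]; then
    case "$logout" in
      https://*) ;;
      *) echo "$logout: logout endpoint must be https://" >&2; return 1 ;;
    esac
  fi

  "$SACLI" --key "auth.saml.0.forceauthn" --value "true" ConfigPut
  "$SACLI" --key "auth.saml.0.requestauthncontext" --value "true" ConfigPut
  "$SACLI" --key "auth.saml.0.authncontexts" --value "$contexts" ConfigPut
  "$SACLI" --key "auth.saml.0.timeout" --value "$timeout" ConfigPut
  if [ -n "$logout" ]; then
    "$SACLI" --key "auth.saml.0.idp_logout_endpoint" --value "$logout" ConfigPut
  fi
  "$SACLI" start
}

# Audit a config dump read on stdin; prints one FINDING line per weak setting.
# Against a live server: sacli ConfigQuery | saml_audit
saml_audit() {
  local dump v
  dump="$(cat)"
  v="$(printf '%s' "$dump" | config_value auth.saml.0.forceauthn)"
  [ "$v" = "true" ] || echo "FINDING: auth.saml.0.forceauthn is '${v:-unset}'; the IdP reuses an existing SSO session instead of re-authenticating"
  v="$(printf '%s' "$dump" | config_value auth.saml.0.timeout)"
  v="${v:-180}"   # unset means the documented default of 180 s
  case "$v" in
    *[!0-9]*) echo "FINDING: auth.saml.0.timeout is '$v', not a number" ;;
    *) [ "$v" -le 900 ] || echo "FINDING: auth.saml.0.timeout is $v s; an abandoned sign-in stays pending that long" ;;
  esac
  v="$(printf '%s' "$dump" | config_value auth.saml.0.idp_signon_endpoint)"
  case "$v" in
    https://*) ;;
    *) echo "FINDING: auth.saml.0.idp_signon_endpoint is '${v:-unset}', not an https:// URL" ;;
  esac
  return 0
}

# Constructed sample of a ConfigQuery dump (not real server output) with
# three weak settings, so the audit can be exercised offline.
SAMPLE_CONFIG='{
  "auth.module.type": "saml",
  "auth.saml.0.enable": "true",
  "auth.saml.0.forceauthn": "false",
  "auth.saml.0.requestauthncontext": "true",
  "auth.saml.0.authncontexts": "PasswordProtectedTransport",
  "auth.saml.0.timeout": "3600",
  "auth.saml.0.idp_signon_endpoint": "http://idp.example.test/sso"
}'

# Usage: ./saml-advanced.sh audit
#        ./saml-advanced.sh apply "PasswordProtectedTransport X509" 180 [IDP LOGOUT ENDPOINT]
# With no arguments the script only defines the functions, so it can be sourced.
case "${1:-}" in
  audit) "$SACLI" ConfigQuery | saml_audit ;;
  apply) shift; saml_apply_advanced "$@" ;;
  *) ;;
esac
```

Running the audit against `SAMPLE_CONFIG` reports three findings (ForceAuthn off, a one-hour timeout, and a plain-http sign-on endpoint); a dump with the hardened values reports none. The apply path stages all five ConfigPut calls before the single sacli start, and `SACLI=echo` shows exactly which keys will change.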