
Using SAML for User authentication with OneLogin as the Identity Provider

Configuring CloudConnexa User authentication to use SAML

The Administrator can configure CloudConnexa to authenticate access to the User Portal, downloads of the WPC Profile, and WPC connections using a SAML 2.0 compliant Identity Provider.

The Administrator needs to follow the steps below, which use OneLogin as the Identity Provider. Basic configuration guides for some other popular Identity as a Service (IDaaS) providers are provided separately.

  1. Sign in to the CloudConnexa Administration portal at https://cloud.openvpn.com.

    1. Navigate to the Settings section and click on the User Authentication tab

    2. Click on the Edit button positioned on the top right

    3. Click on the Configure button under the SAML option

    4. The SAML Configuration web page opens in a new browser window/tab and shows the information needed to configure CloudConnexa as a Service Provider in your Identity Provider

  2. Sign in to the OneLogin administration console to configure CloudConnexa as a SAML service provider.

    1. Navigate to the Applications tab and click on the Add App button

    2. Enter SAML Test Connector (Advanced) in the search bar to find the application and click on it

    3. Provide a Display Name and click on the Save button to add the application and start configuring it

    4. Navigate to Configuration

    5. Enter the Issuer Name displayed in the SAML Configuration web page of CloudConnexa into Audience (Entity ID) input field of OneLogin

    6. Enter the SSO URL displayed in the SAML Configuration web page of CloudConnexa into both the ACS (Consumer) URL Validator and ACS (Consumer) URL input fields of OneLogin

    7. Select Assertion as the drop-down list value for the SAML signature element field and click on the Save button

    8. By default, OneLogin provides only the NameID value to the Service Provider, which CloudConnexa maps to the username of the User. If you want CloudConnexa to have more information about the User, and to use the value of a specific User attribute to map the User into a CloudConnexa User Group, you need to configure additional parameters to be sent by navigating to the Parameters tab and clicking on the Add (+ icon)

    9. Click on the Include in SAML assertion checkbox, provide a Field Name, and click on the Save button

    10. Choose and select a Value that is one of the attributes of the User. You can search for the attribute too.

    11. Click on the Include in SAML assertion checkbox and click on the Save button

    12. Repeat the above process to add more parameters corresponding to the username, email, first name, last name, and User Group of the CloudConnexa User. Once done, navigate to the SSO tab

    13. Click on the copy/paste icon next to the Issuer URL in order to copy the value in the field. This will be used later in the CloudConnexa configuration.

    14. Now that CloudConnexa has been set up as an application, you need to give the applicable Users access to the CloudConnexa application. One way to do this is to:

      1. Select the User and click on the Applications tab

      2. Click on the Add (+ icon) to add an Application for the User

      3. Select the newly configured CloudConnexa application and click on the Continue button

  3. Go back to the browser tab/window displaying CloudConnexa and take the following actions:

    1. Click on the Next button

    2. Provide an IdP Name and paste the Issuer URL value copied earlier in step 2.13 into the IdP Metadata URL field

    3. If earlier in step 2.8 you set up additional parameters to map into CloudConnexa User information, do the following; otherwise click on the Next button:

      1. Expand the Advanced settings section

      2. In the Attribute Mapping section, provide the Identity Provider parameter names corresponding to the CloudConnexa User information fields that you want populated from the Identity Provider’s parameters (SAML attributes), and click on the Next button when done

    4. Click on the Finish button after reviewing the SAML configuration

    5. Now that the SAML configuration is done, enable SAML as the User authentication method by clicking on the Edit button in the User Authentication tab

    6. Select the SAML option

    7. If earlier in step 2.8 you set up an additional parameter intended to map its value to a CloudConnexa User Group, do the following; otherwise click on the Update Settings button:

      1. Click on the Add Rule button

      2. In the SAML IdP User Group(s) field, enter one or more of the values that will be present in the IdP-provided parameter that you mapped to the Group attribute in step 3.3.2, and select the corresponding CloudConnexa User Group you want those values to map into. For example, the IdP User’s department value of ‘DEV’ could map to the CloudConnexa User Group ‘Dev’, which has been configured to provide access to resources for developers. Repeat the step to add more rules as desired and click on the Update Settings button when done

    8. Click the Confirm button on the confirmation dialog

    9. SAML is now enabled
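The following is an added example, not CloudConnexa or OneLogin code: it shows what the configuration above amounts to on the Service Provider side when an assertion arrives. It checks that the Audience equals the Issuer Name published by CloudConnexa (the Audience/Entity ID entered in OneLogin), that the Assertion itself is the signed element, takes NameID as the username, applies the Attribute Mapping from Advanced settings, and applies a group rule such as department ‘DEV’ to User Group ‘Dev’. The assertion, the parameter Field Names and the Audience value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion, not a real OneLogin response. The Audience stands in for the
# Issuer Name shown on the CloudConnexa SAML Configuration page; the Signature is a stub.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_1" Version="2.0">
 <saml:Issuer>https://idp.example.com/metadata/PLACEHOLDER</saml:Issuer>
 <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>ISSUER-NAME-PLACEHOLDER</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>user1@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="department"><saml:AttributeValue>DEV</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

# Attribute Mapping entered under Advanced settings (step 3.3.2): CloudConnexa field ->
# OneLogin parameter Field Name. Both names are assumptions for this example.
ATTRIBUTE_MAPPING = {"email": "email", "group": "department"}
# Group rules entered in step 3.7: value of the mapped parameter -> CloudConnexa User Group.
GROUP_RULES = {"DEV": "Dev", "OPS": "Ops"}

def map_user(assertion_xml, expected_audience, attribute_mapping, group_rules):
    """Return the user record an assertion would yield; raise ValueError if it must be rejected."""
    root = ET.fromstring(assertion_xml)
    # The Audience must equal the Issuer Name CloudConnexa published (Audience/Entity ID in
    # OneLogin), so an assertion issued for a different Service Provider is not accepted.
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    # Step 2.7 makes the Assertion the signed element, so ds:Signature is its direct child.
    # Verifying the signature cryptographically is the Service Provider's job; not done here.
    if root.find("ds:Signature", NS) is None:
        raise ValueError("assertion is not the signed element")
    # NameID is always sent and becomes the CloudConnexa username (step 2.8).
    user = {"username": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    for field, param in attribute_mapping.items():
        if field != "group" and param in attrs:
            user[field] = attrs[param]
    # Group rule: e.g. department 'DEV' -> User Group 'Dev'; with no matching rule, no group.
    user["group"] = group_rules.get(attrs.get(attribute_mapping.get("group", ""), ""))
    return user
```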

Login to User Portal

Now that SAML is enabled for the WPC, when a User wants to sign in to the User Portal to download Connect Client, manage Devices, etc., the User signs in using SSO credentials. When the User visits the User Portal (for example, at https://test8.openvpn.com), the User sees the Identity Provider’s login screen.

[Screenshot: Identity Provider login screen shown at the User Portal]

On successful first authentication, the Administrator will see the User details show up in the Administration portal.

[Screenshot: Users list in the Administration portal]

In the screenshot above, you can see that user1 has been added after SAML authentication, because the Auth Source is shown as SAML.

Authentication during Profile download

Now that SAML is enabled for the WPC, when a User wants to add the WPC Profile using Connect Client, the User signs in using SSO credentials.

[Screenshot: SSO sign-in during WPC Profile download in Connect Client]

Authentication during WPC connection

Now that SAML is enabled for the WPC, when a User belonging to a User Group whose Authentication Type parameter is set to Password and Profile wants to connect to the WPC using Connect Client, the User signs in using SSO credentials.

[Screenshot: SSO sign-in during WPC connection in Connect Client]