Tutorial: Authenticate Using SAML with Azure Active Directory (a.k.a. Microsoft Entra ID)
This tutorial shows the steps to authenticate your Users using SAML. You can configure CloudConexa SAML authentication to use Azure Active Directory as the Identity Provider.
Configuring CloudConnexa User authentication to use SAML
The Administrator can configure CloudConnexa to authenticate access to User Portal, download of WPC Profile, and WPC connections using a SAML 2.0 compliant Identity Provider.
The Administrator needs to follow the steps below. The steps below use Azure Active Directory as the Identity Provider. Basic configuration guides for some of the other popular Identity as a Service (IDaaS) providers are provided separately.
Login to CloudConnexa Administration portal at https://cloud.openvpn.com and do the following:
Navigate to Settings section and click on the User Authentication tab
Click on the Edit button positioned on the top right
Click on the Configure button under the SAML option
The SAML Configuration web page opens in a new browser window/tab and show the information needed to configure CloudConnexa as a Service Provider in your Identity Provider
Login to the administration console of the Identity Provider to configure CloudConnexa as a SAML Provider. The steps for Azure Active Directory are below:
On the Active Directory main page click on Enterprise application option.
Click on the New application button
Select the non-gallery application option in the Add your own app section
Provide name for your app and click Add. On the home page of your app, select the Set up single sign on option.
Then choose SAML option. On the Set up Single Sign-On with SAML page click on the Edit icon and:
Enter the Issue Name displayed in the SAML Configuration web page of CloudConnexa into Identifier (Entity ID) input field of Azure Active Directory
Enter the SSO URL displayed in the SAML Configuration web page of CloudConnexa into the Reply URL (Assertion Consumer Service URL) input field of Azure Active Directory
Scroll down the page to SAML Signing Certificate section. In this section you can copy the link shown in the App Federation Metadata URL field this will be needed later
Azure Active Directory will only provide the NameID value to the Service Provider by default which CloudConnexa will map to the username of the User. If you want CloudConnexa to have more information about the User and to use the value of a specific User attribute to map the User into a CloudConnexa User Group, you need to configure parameters to be sent from Azure Active Directory to App. You can do that by filling in the User Attributes & Claims section of your App
You can also configure Azure AD to send groups using Active Directory attributes synced from Active Directory instead of Azure AD objectIDs. Only groups synchronized from Active Directory will be included in the claims. For example, you can send the Mail-Enabled Security Groups synchronized from Office 365. See, Microsoft Documentation on how a group claim can return the ‘Security group’ for the ‘Group ID’ Source attribute.
Note
The User Attributes & Claims appear in a shortened format on some configuration web pages. The complete URL form is needed for configuration. Refer to Troubleshooting Azure AD.
Now that CloudConnexa has been set up as an application, you need to provide applicable Users access to CloudConnexa application by doing the following:
Go to the Enterprise application menu, choose your created app and select Assign Users and groups
Click on Add User
Click on Users, then choose the User you want to assign to application and click on the Select button
Then at the bottom of the page you will find active Assign button, click on it. The User should appear among the list of assigned Users
Go back to the browser tab/window displaying the CloudConnexa and take the following actions:
Click on the Next button
Provide an Idp Name, Select IdP Metadata URL, and paste the App Federation Metadata URL value copied earlier in step ‘2.f’ into the IdP Metadata URL text field
If earlier in step ‘2.g’ you had set up additional parameters to map into CloudConnexa User information, do the following or else click on the Next button:
Expand the Advanced settings section
In the Attribute Mapping section provide the Identity Provider parameter names corresponding to the CloudConnexa User information fields that you want to be populated with information from the Identity Provider’s parameters (SAML attributes) and click on the Next button when done
Click on the Finish button after reviewing the SAML configuration
Now that the SAML configuration is done, we need to enable SAML as the User authentication method by clicking on the Edit button in the User Authentication tab
Select the SAML option
If earlier in step 2.g’you had setup an additional parameter with the intention to map the value of that parameter to OpenVPN Cloud User Group, do the following or else click on the Update Settings button:
Click on the Add Rule button
Enter in SAML IdP User Group(s) field one or more of the values that will present in the IDP provided parameter that you had mapped to the Group attribute in step ‘3.c.ii’and select the corresponding you want those values to map into. For example, the IdP User’s department value of ‘DEV’ could map to CloudConnexa User Group ‘Dev’ which has been configured to provide access to resources for developers. Repeat the step to add more rules as desired and click on the Update Settings button when done
If you are passing attributes synced from Active Directory instead of Azure AD objectIDs as mentioned in step 2.g.i, you need to find the value of the EnternalDirectoryObjectID that will be sent accross. For example to find the EnternalDirectoryObjectID for an Office 365 Security Group named ‘Dev’, you would use PowerShell to connect and signin to Exchange Online and run the command below and use the value returned for EnternalDirectoryObjectID to map to CloudConnexa User Group ‘Dev’
Get-DistributionGroup "Dev" | Format-List Name,ExternalDirectoryObjectID
Click the Confirm button on the confirmation dialog
SAML is now enabled
Sign in to the User Portal
Now that SAML is enabled for the WPC when a User wants to sign in to the User Portal to download Connect Client or manage Devices etc., the User will sign in using SSO credentials. When the User visits the User Portal (for example, at https://test8.openvpn.com), the User will see the Identity Provider’s login screen
On successful first authentication, the Administrator will see the User details show up in the Administration portal.
In the screenshot above, you can see that the user1 has been added after SAML authentication because the Auth Source is shown as SAML.