SAML setup with G Suite
Configuring OpenVPN Cloud user authentication to use SAML
The administrator can configure OpenVPN Cloud to authenticate access to User Portal, download of VPN profile, and VPN connections using a SAML 2.0 compliant Identity Provider.
The administrator needs to follow the steps below, which use G Suite as the Identity Provider. Basic configuration guides for some of the other popular Identity as a Service (IDaaS) providers are provided separately.
1. Sign in to the OpenVPN Cloud administration portal at https://cloud.openvpn.com/.
   a. Navigate to the Settings section and click on the User Authentication tab.
   b. Click on the Edit button positioned at the top right.
   c. Click on the Configure button under the SAML option.
   d. The SAML Configuration webpage opens in a new browser window/tab and shows the information needed to configure OpenVPN Cloud as a Service Provider in your Identity Provider.
2. Log in to the administration console of the Identity Provider to configure OpenVPN Cloud as a SAML Service Provider. The steps for G Suite are below:
   a. Click on the menu, navigate to Apps, and select SAML apps.
   b. Click on the yellow round + button at the bottom right corner to add a new app.
   c. You will then be taken through a short setup flow that consists of 5 steps:
      Step 1. Enable SSO for SAML Application. In the window that opens, click on the SETUP MY OWN CUSTOM APP button.
      Step 2. Google IdP Information. This is the Identity Provider (IdP) information that is needed later for configuring OpenVPN Cloud. Download the IdP metadata file. Click Next.
      Step 3. Basic information for your Custom App. Provide a name for your app. Click Next.
      Step 4. Service Provider Details. Provide the service provider details:
         - Enter the Issuer Name displayed in the SAML Configuration webpage of OpenVPN Cloud into the Entity ID input field.
         - Enter the SSO URL displayed in the SAML Configuration webpage of OpenVPN Cloud into the ACS URL input field and click Next.
      Step 5. Attribute Mapping. By default, G Suite provides only the NameID value to the Service Provider, which OpenVPN Cloud maps to the username of the User. If you want OpenVPN Cloud to have more information about the user, and to use the value of a specific user attribute to map the user into an OpenVPN Cloud User Group, you need to configure the parameters to be sent from G Suite to the app. For the default configuration, you can skip this step. Click the Finish button.
   d. Now that OpenVPN Cloud has been set up as an application, you can assign it to all users. Go to Apps -> SAML apps again and find the newly created application among the listed apps. Click on the 3 grey dots at the end of its line and choose the option On for everyone.
3. Go back to the browser tab/window displaying OpenVPN Cloud and take the following actions:
   a. Click on the Next button.
   b. Provide an IdP Name, select IdP Metadata XML, and do the following:
      i. Open the IdP metadata file that you downloaded in step ‘2.c.Step 2’ and copy the XML text shown.
      ii. Paste the text into the IdP Metadata XML text field.
   c. If earlier in step ‘2.c.Step 5’ you set up additional parameters to map into OpenVPN Cloud User information, do the following; otherwise click on the Next button:
      i. Expand the Advanced settings section.
      ii. In the Attribute Mapping section, provide the Identity Provider parameter names corresponding to the OpenVPN Cloud User information fields that you want to be populated with information from the Identity Provider’s parameters (SAML attributes), and click on the Next button when done.
   d. Click on the Finish button after reviewing the SAML configuration.
4. Now that the SAML configuration is done, enable SAML as the user authentication method by clicking on the Edit button in the User Authentication tab.
   a. Select the SAML option.
   b. If earlier in step ‘2.c.Step 5’ you set up an additional parameter with the intention of mapping the value of that parameter to an OpenVPN Cloud User Group, do the following; otherwise click on the Update Settings button:
      i. Click on the Add Rule button.
      ii. In the SAML IdP User Group(s) field, enter one or more of the values that will be present in the IdP-provided parameter that you mapped to the Group attribute in step ‘3.c.ii’, and select the corresponding OpenVPN Cloud User Group you want those values to map into. For example, the IdP user’s department value of ‘DEV’ could map to OpenVPN Cloud User Group ‘Dev’, which has been configured to provide access to resources for developers. Repeat the step to add more rules as desired and click on the Update Settings button when done.
   c. Click the Confirm button on the confirmation dialog.

SAML is now enabled.
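Before pasting the downloaded IdP metadata into the IdP Metadata XML field, it is worth confirming that the file really is IdP metadata with a signing certificate and HTTPS sign-on endpoints. The following check is an added example, not part of the OpenVPN Cloud or G Suite documentation; the sample metadata, host name and certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_idp_metadata(xml_text):
    """Return (summary, problems) for a SAML 2.0 IdP metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return {}, ["root element is not md:EntityDescriptor"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {}, ["no md:IDPSSODescriptor, so this is not IdP metadata"]
    problems = []
    # A KeyDescriptor without a 'use' attribute applies to signing as well.
    certs = [c.text.strip()
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS)
             if (c.text or "").strip()]
    if not certs:
        problems.append("no signing certificate to verify signatures against")
    sso = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location", "")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in sso.items():
        if not location.startswith("https://"):
            problems.append("%s endpoint is not HTTPS: %s" % (binding, location))
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("EntityDescriptor has no entityID")
    return {"entity_id": entity_id, "signing_certs": len(certs), "sso": sso}, problems

# Constructed sample metadata (placeholder host and certificate, not real values).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml2?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/idp?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    summary, problems = check_idp_metadata(SAMPLE)
    print(summary)
    print(problems or "metadata looks structurally sound")
```

The check is structural only: it does not validate the certificate itself or its expiry.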
Login to User Portal
Now that SAML is enabled for the VPN, when a User wants to sign in to the User Portal to download Connect Client, manage devices, etc., the user will sign in using SSO credentials. When the user visits the User Portal (for example, at https://test8.openvpn.cloud), the user will see the Identity Provider’s login screen.

On successful first authentication, the Administrator will see the user details show up in the administration portal.

In the screenshot above, you can see that user1 has been added after SAML authentication because the Auth Source is shown as SAML.
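If the user details or User Group shown after the first sign-in are not what the attribute mapping should have produced, the usual cause is a mismatch between the parameter names entered in the Attribute Mapping section and the names the IdP actually sends. The following inspection helper is an added example, not OpenVPN Cloud code; the response is constructed, and the attribute names `department` and `firstName` are assumed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def assertion_identity(saml_response_b64):
    """Return (name_id, {attribute name: [values]}) from a base64 SAMLResponse.

    Inspection aid only: it does not validate signatures or conditions.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    name_id = node.text.strip() if node is not None and node.text else None
    attrs = {}
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.findall(path, NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs

def missing_mappings(attrs, expected_names):
    """Names entered in Attribute Mapping that the IdP did not send."""
    return sorted(name for name in expected_names if name not in attrs)

# Constructed response: unsigned, attribute name assumed for illustration.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>user1@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="department">
        <saml:AttributeValue>DEV</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    name_id, attrs = assertion_identity(SAMPLE_B64)
    print("NameID:", name_id)
    print("Attributes:", attrs)
    print("Missing:", missing_mappings(attrs, ["department", "firstName"]))
```

With only the default G Suite configuration, the attribute dictionary comes back empty and the NameID is the only identity value available to map.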