How SAML Authentication works with Access Server

Introduction

OpenVPN Access Server 2.11 and newer supports Security Assertion Markup Language (SAML), an XML-based standard for exchanging authentication and authorization data between Access Server as the Service Provider (SP) and a SAML Identity Provider (IdP).

The advantage of SAML is that it can provide a single sign-on (SSO) experience: you can use the same SAML IdP credentials to access any application or service that supports SAML authentication, which removes the need to create separate credentials for each one.

The Access Server SAML Process

When you enable SAML for authentication on your Access Server, a user does not sign in with Access Server-specific credentials. Instead, they use their credentials for the IdP, giving them a single sign-on (SSO) experience. Here are examples of how the sign-in flows might look.

Example 1: SP-initiated flow:

  1. The user opens the Access Server Client Web UI.
  2. They click on Sign in via SAML on the sign-on page.
  3. They are automatically sent to the SAML IdP sign-on page.
  4. They authenticate with their SAML IdP credentials.
  5. The user is sent to the Client Web UI to download the required software and/or import a connection profile using a token URL.

Example 2: IdP-initiated flow:

  1. The user opens the SAML IdP sign-on page.
  2. They authenticate with their SAML IdP credentials.
  3. They click on the Access Server SAML application.
  4. The user is sent to the Client Web UI to download the required software and/or import a connection profile using a token URL.

Example 3: OpenVPN Connect process:

  1. The user opens OpenVPN Connect.
  2. They click on their profile to connect to the VPN.
  3. OpenVPN Connect directs them to the IdP sign-on in a browser.
  4. After successful authentication, they connect to the VPN.

Setting up Access Server SAML with your IdP

Setting up SAML with Access Server requires several configuration steps:

  1. Provide the Service Provider information to the Identity Provider.
  2. Provide the Identity Provider information to the Service Provider.
  3. Enable SAML with Access Server.
  4. Assign users access through the IdP.
  5. Users successfully sign in.

We provide detailed guides to help you set up SAML with several IdPs:

If you’re looking for SAML with OpenVPN Cloud, refer to the Cloud product documentation.

How to assign SAML as the default authentication

With external user registration allowed and SAML set as the default authentication system, any user who signs in successfully at the Access Server through SAML will be automatically added to the Access Server’s user database. They can then download the necessary programs and connection profiles to get connected. This means you don’t have to add each and every user to Access Server yourself; they will simply be added automatically when they access the Access Server.

  1. Sign in to your Admin Web UI.
  2. Click Authentication > SAML and ensure you have the information saved for your IdP. (If you haven’t set it up, refer to the guides above for your IdP.)
  3. Enable SAML by clicking the toggle for Enable SAML authentication, click Save Settings and Update Running Server.
  4. Click Authentication > Settings.
  5. Under Default Authentication System, select SAML.
  6. Set Deny access to unlisted accounts by default to No.
  7. Click Save Settings and Update Running Server.

Suppose you don’t want users to be automatically added upon successful login. In that case, you can set Deny access to unlisted accounts by default to Yes, which ensures that only existing accounts in the Access Server user database can sign in.

How to use SAML only for specific users and groups

If SAML is not the default authentication system, you can still allow specific users and groups to sign in through SAML. Before you can do this, you must first configure SAML. Once you’ve configured and enabled SAML, you will have the option to add users and groups and configure them to use the SAML authentication system.

  1. Sign in to your Admin Web UI.
  2. Click Authentication > SAML and ensure you have the information saved for your IdP. (If you haven’t set it up, refer to the guides above for your IdP.)
  3. Enable SAML by clicking the toggle for Enable SAML authentication, click Save Settings and Update Running Server.
  4. Assign it to users and groups:
    1. For users: Click User Management > User Permissions, click More Settings, and select SAML under Auth method.
    2. For groups: Click User Management > Group Permissions, click More Settings, and select SAML under Auth method.
  5. Click Save Settings and Update Running Server.

Note: When you add SAML users to Access Server, remember to add them in the same format that the IdP uses, which is normally in lower-case format only. This is the format that SAML assertions use.

Authentication Context Processing

When you configure SAML as an authentication method for Access Server, the Access Server becomes your Service Provider (SP) with an Identity Provider (IdP) providing the user directory.

When a user authenticates, the SP requests an assertion from the IdP, which can include an authentication context. Using AuthNContext, you can require specific information about how the user was authenticated.

Requesting and obtaining authentication

When you configure Access Server, as the SP, to request AuthNContext, it includes the requested element(s) in the request to the IdP. The IdP then generates the assertion, with the authentication context added, and sends that to the SP. Upon successful authentication, the user logs in. The process follows this general flow:

  1. The SP sends the authentication request with the AuthNContext element.
  2. The IdP receives the request, authenticates the user, generates a user session, and validates the AuthNContext element.
  3. Upon successful authentication, the IdP includes the AuthNContext element in the assertion sent to the SP; if it isn’t successful, the IdP sends “no authncontext.”
  4. The SP completes the authentication with the assertion, and the user signs in.

Set up SAML AuthNContext

The default SAML assertion sends a username and password, using the PasswordProtectedTransport class. With Access Server 2.11.1 and newer, you can use other authentication types besides username and password through AuthNContext. Examples of different authentication types include client certificates or Kerberos.

Follow these steps to indicate the auth methods allowed:

  1. Ensure you’ve set up SAML with Access Server and your IdP.
  2. Sign in to the Admin Web UI.
  3. Click Authentication > SAML.
  4. Set Send custom AuthnContext to IdP to Yes.
  5. Enter the authentication method(s) as a space-separated list in the AuthnContexts to include in the AuthNRequest text field.
  6. Click Save and Update Running Server.

Examples of methods you can include:

  • Password
  • PasswordProtectedTransport
  • TLSClient
  • X509
  • Kerberos

Setting up forced authentication (forceAuthn) for users

For some customers with high-security requirements, you may want to break the single sign-on behavior of SAML and require users to re-authenticate. You can do this with forceAuthn, a parameter of the authentication request. It asks the IdP to require user interaction even if the user already has an active session. You configure this with a toggle in the Admin Web UI, which sets forceAuthn to true.

  1. Ensure you’ve set up SAML with Access Server and your IdP.
  2. Sign in to the Admin Web UI.
  3. Click Authentication > SAML.
  4. Set Send ForceAuthn flag to IdP to require user interaction to Yes.
  5. Click Save and Update Running Server.

Note: When set to Yes, ForceAuthn='true' is included in the AuthNRequest sent to the IdP, requesting user interaction while the request is handled. This overrides the usual, implicit assumption that a previous authentication state can be reused; however, it is up to the SAML IdP whether it honors this request.
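To illustrate both the AuthNContext request and the ForceAuthn flag described above, here is an added Python example (not Access Server's own code) that builds the relevant part of an AuthnRequest from the space-separated method list and then checks the IdP's assertion as an SP should. It assumes the short names on the page expand to the standard SAML 2.0 authentication context class URIs and uses a constructed sample assertion; the AuthnInstant comparison is how an SP can notice that an IdP ignored ForceAuthn and reused an old session.

```python
# Added example, not Access Server code: build the RequestedAuthnContext and
# ForceAuthn parts of an AuthnRequest from the Admin Web UI's space-separated
# list, then check the IdP's assertion on the SP side (assumes standard URIs).
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
KNOWN = {"Password", "PasswordProtectedTransport", "TLSClient", "X509", "Kerberos"}

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def build_authn_request(contexts: str, force_authn: bool, issue_instant: str) -> bytes:
    """contexts is the 'AuthnContexts to include in the AuthNRequest' field."""
    names = contexts.split()
    unknown = set(names) - KNOWN
    if unknown:
        raise ValueError(f"unsupported AuthnContext names: {sorted(unknown)}")
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest",
                     {"ID": "_req1", "Version": "2.0", "IssueInstant": issue_instant})
    if force_authn:  # the 'Send ForceAuthn flag to IdP' toggle
        req.set("ForceAuthn", "true")
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    for name in names:
        ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = AC + name
    return ET.tostring(req)

def check_assertion(assertion_xml: bytes, contexts: str, force_authn: bool,
                    issue_instant: str) -> bool:
    """Accept only a class we asked for; with ForceAuthn also require that the
    authentication happened after our request (an IdP may ignore the flag)."""
    allowed = {AC + name for name in contexts.split()}
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    ref = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if stmt is None or ref is None or ref.text not in allowed:
        return False  # "no authncontext" or an unrequested class
    if force_authn and _ts(stmt.get("AuthnInstant")) < _ts(issue_instant):
        return False  # session reused: ForceAuthn was not honored
    return True

# Constructed sample assertion fragment (not a real IdP response).
SAMPLE = (b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
          b'<saml:AuthnStatement AuthnInstant="2024-01-01T10:00:05Z"><saml:AuthnContext>'
          b'<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos'
          b'</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>')
```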

SAML and TOTP MFA

When you use SAML as your authentication method and want multi-factor authentication (MFA), configure the MFA at the IdP. Access Server lets you enable TOTP MFA with a toggle, or per user or group, but by design this does not apply to SAML users. If some users use TOTP MFA through Access Server, separate them from SAML users by group, or set TOTP MFA at the user level.

SAML troubleshooting

If you encounter errors or issues while setting up SAML with Access Server, send a message to OpenVPN support.