How SAML Authentication works with Access Server

Introduction

OpenVPN Access Server 2.11 and newer supports Security Assertion Markup Language (SAML), an XML-based standard for exchanging authentication and authorization data between Access Server as the Service Provider (SP) and a SAML Identity Provider (IdP).

The advantage of SAML is that it can provide a single sign-on (SSO) experience: you use the same SAML IdP credentials to access every application and service that supports SAML authentication, so there is no need to create new credentials for each one.

The Access Server SAML Process

When you enable SAML for authentication on your Access Server, a user does not sign in with Access Server-specific credentials. Instead, they use their credentials for the IdP, giving them a single sign-on (SSO) experience. Here are some examples of how the sign-in flow can look.

Example 1: SP-initiated flow:

  1. The user opens the Access Server Client Web UI.
  2. They click on Sign in via SAML on the sign-on page.
  3. They are automatically sent to the SAML IdP sign-on page.
  4. They authenticate with their SAML IdP credentials.
  5. The user is sent to the Client Web UI to download the required software and/or import a connection profile using a token URL.

Example 2: IdP-initiated flow:

  1. The user opens the SAML IdP sign-on page.
  2. They authenticate with their SAML IdP credentials.
  3. They click on the Access Server SAML application.
  4. The user is sent to the Client Web UI to download the required software and/or import a connection profile using a token URL.

Example 3: OpenVPN Connect process:

  1. The user opens OpenVPN Connect.
  2. They click on their profile to connect to the VPN.
  3. OpenVPN Connect directs them to the IdP sign-on in a browser.
  4. After successful authentication, they connect to the VPN.
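As an added illustration (not Access Server's own code, which this page does not show), the Python below performs the checks a Service Provider makes on the SAML Response that comes back in the flows above, and shows how the SP-initiated and IdP-initiated cases differ: an SP-initiated response carries an InResponseTo that must match a request the SP issued, while an IdP-initiated response is unsolicited and is accepted only if the SP allows that. The entity IDs, the sample response and the local user table are constructed for the example; XML signature verification, which a real SP does before any of these checks, is assumed to have already succeeded.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical identifiers for this example, not values from the page.
SP_ENTITY_ID = "https://vpn.example.com/saml/metadata"   # this SP (the VPN server)
IDP_ENTITY_ID = "https://idp.example.com/metadata"       # the trusted IdP
CLOCK_SKEW = timedelta(minutes=2)                        # tolerance between SP and IdP clocks
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed SP-initiated response (signature verification assumed done).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req123">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://vpn.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed local user database, keyed by the exact name the IdP asserts.
LOCAL_USERS = {"alice@example.com": {"auth_method": "saml"}}


@dataclass
class Verdict:
    ok: bool
    reason: str
    name_id: Optional[str] = None


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, now: datetime, outstanding_request_ids: set,
                      allow_idp_initiated: bool) -> Verdict:
    """Check status, InResponseTo, issuer, validity window and audience; return the NameID."""
    root = ET.fromstring(xml_text)  # a production SP verifies the signature first
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return Verdict(False, "status is not Success")

    # SP-initiated: InResponseTo must match a request this SP sent (stops replay of
    # a response into a session that never asked for it). IdP-initiated: no
    # InResponseTo at all, so the SP must explicitly opt in to unsolicited responses.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_idp_initiated:
            return Verdict(False, "unsolicited (IdP-initiated) response not allowed")
    elif in_response_to not in outstanding_request_ids:
        return Verdict(False, "InResponseTo does not match an outstanding request")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return Verdict(False, "no assertion in response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        return Verdict(False, "assertion issued by an untrusted IdP: " + issuer)

    conditions = assertion.find("saml:Conditions", NS)
    not_before, not_on_or_after = (None, None) if conditions is None else (
        conditions.get("NotBefore"), conditions.get("NotOnOrAfter"))
    if not_before is None or not_on_or_after is None:
        return Verdict(False, "assertion lacks a validity window")  # stricter than the spec requires
    if now + CLOCK_SKEW < _parse_time(not_before) or now - CLOCK_SKEW >= _parse_time(not_on_or_after):
        return Verdict(False, "assertion outside its validity window")

    # Audience restriction: an assertion minted for another SP must not be accepted here.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return Verdict(False, "assertion not addressed to this SP")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    return Verdict(True, "ok", name_id) if name_id else Verdict(False, "no NameID")


def lookup_user(name_id: str, users: dict) -> Optional[dict]:
    """Exact-string lookup: a local entry whose case differs from the IdP's NameID does not match."""
    return users.get(name_id)


if __name__ == "__main__":
    verdict = validate_response(SAMPLE_RESPONSE, SAMPLE_NOW, {"_req123"}, allow_idp_initiated=False)
    print(verdict, lookup_user(verdict.name_id, LOCAL_USERS) if verdict.ok else None)
```

The lookup at the end is why the IdP's name format matters when you create accounts on the SP: the subject the IdP asserts is compared as-is, so `Alice@example.com` in the local database would not match an assertion for `alice@example.com`.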

Setting up Access Server SAML with your IdP

Setting up SAML with Access Server requires several configuration steps:

  1. Provide the Service Provider information to the Identity Provider.
  2. Provide the Identity Provider information to the Service Provider.
  3. Enable SAML with Access Server.
  4. Assign users access through the IdP.
  5. Users successfully sign in.

We provide detailed guides to help you set up SAML with several IdPs:

If you’re looking for SAML with OpenVPN Cloud, refer to the Cloud product documentation.

How to assign SAML as the default authentication

With external user registration allowed and SAML set as the default authentication system, any user who signs in successfully at the Access Server through SAML is automatically added to the Access Server’s user database. They can then download the necessary programs and connection profiles to get connected. This means you don’t have to add each user to Access Server yourself; they are added automatically the first time they sign in to the Access Server.

  1. Sign in to your Admin Web UI.
  2. Click Authentication > SAML and ensure you have the information saved for your IdP. (If you haven’t set it up, refer to the guides above for your IdP.)
  3. Enable SAML by clicking the toggle for Enable SAML authentication, click Save Settings and Update Running Server.
  4. Click Authentication > Settings.
  5. Under Default Authentication System, select SAML.
  6. Set Deny access to unlisted accounts by default to No.
  7. Click Save Settings and Update Running Server.

Suppose you don’t want users to be automatically added upon successful login. In that case, you can set Deny access to unlisted accounts by default to Yes, which ensures that only existing accounts in the Access Server user database can sign in.

How to use SAML only for specific users and groups

If SAML is not the default authentication system, you can still allow specific users and groups to sign in through SAML. Before you can do this, you must first configure SAML. Once you’ve configured and enabled SAML, you will have the option to add users and groups and configure them to use the SAML authentication system.

  1. Sign in to your Admin Web UI.
  2. Click Authentication > SAML and ensure you have the information saved for your IdP. (If you haven’t set it up, refer to the guides above for your IdP.)
  3. Enable SAML by clicking the toggle for Enable SAML authentication, click Save Settings and Update Running Server.
  4. Assign it to users and groups:
    1. For users: Click User Management > User Permissions, click More Settings, and select SAML under Auth method.
    2. For groups: Click User Management > Group Permissions, click More Settings, and select SAML under Auth method.
  5. Click Save Settings and Update Running Server.

Note: When you add SAML users to Access Server, remember to add them in the same format that the IdP uses, which is normally in lower-case format only. This is the format that SAML assertions use.

SAML troubleshooting

If you encounter errors or issues while setting up SAML with Access Server, send a message to OpenVPN support.