How to Configure SAML with Auth0

Introduction

OpenVPN Access Server 2.11 and newer supports authentication using SAML with Auth0 as the identity provider. You can configure this in Auth0 with Access Server as your service provider.

The following steps walk you through how to enable SAML authentication for users and groups from Auth0 to Access Server.

Before you begin

You need the following to get started:

Note: We recommend using all lowercase usernames when logging in with SAML.

Step 1: Create the Auth0 SAML application

With Auth0, you must create a custom SAML application.

First, gather information about your Access Server as the service provider (SP).

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. You’ll need the following information:
    1. SP Identity.
    2. SP ACS.

Now that you have your SP information, you can create a new Auth0 SAML app and enter that information during app creation:

  1. Sign in to your Auth0 portal.
  2. Under Applications, click Applications.
  3. Click Create Application.
  4. Enter a name for your SAML custom app.
  5. Under Choose an application type, click Native, and click Create.
  6. Under the Settings tab, scroll down to Application URIs and use the SP information from Access Server to fill in the following fields in the Auth0 app:
    1. Application Login URI: Enter the Access Server SAML SP Identity.
    2. Allowed Callback URLs: Enter the Access Server SP ACS. (Ensure you enter https:// together with the SAML Hostname.)
  7. Scroll down and click Save Changes.

To download the Auth0 metadata file for automatic configuration (option 1):

  1. Under Applications, click Applications.
  2. Click on your SAML app.
  3. Under Addons, click on SAML2 Web App.
  4. Under the Usage tab, next to Identity Provider Metadata, click Download.

To copy the Auth0 SAML data for manual configuration (option 2):

  1. Under Applications, click Applications.
  2. Click on your SAML app.
  3. Under Addons, click on SAML2 Web App.
  4. Under the Usage tab, copy the values of Issuer and Identity Provider Login URL.
  5. Click Identity Provider Certificate to download the certificate in PEM format.

Step 2: Configure Auth0 SAML data with Access Server

The simplest way to set up Auth0 SAML for Access Server is to provide the metadata XML file (option 1), but you can also configure it manually (option 2).

To upload the Auth0 metadata file in the Admin Web UI (option 1):

Provide the downloaded metadata XML file to your Access Server through the Admin Web UI to automatically configure SAML:

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
  4. Click Choose File for Select IdP Metadata File.
  5. Select your Auth0 metadata XML file and click Upload, then Update Running Server.
  6. The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

To manually configure Auth0 SAML (option 2):

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Manually to expand the section.
  4. Paste the following from Auth0 to the Access Server fields:
    1. Paste the Auth0 Identity Provider Login URL into Access Server’s Sign On Endpoint.
    2. Paste the Auth0 Issuer into Access Server’s IdP EntityId.
    3. Paste the Auth0 Identity Provider Certificate into Access Server’s Certificate (PEM format).
  5. Click Save, then Update Running Server.
  6. The IdP settings are saved.
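As an added check (not code from OpenVPN or Auth0), this Python script reads the Auth0 IdP metadata file from option 1 and pulls out the three values option 2 asks you to paste, so you can confirm what the automatic upload populates or fill the manual form from the file. The tenant name, app id and certificate body in the sample metadata are constructed placeholders, not real Auth0 values.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the certificate body; not a real DER certificate.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 DER blob").decode()

# Constructed sample in the shape of an Auth0 IdP metadata export (placeholder tenant/app id).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example-tenant.auth0.com">
  <IDPSSODescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{POST}" Location="https://example-tenant.auth0.com/samlp/EXAMPLE_APP_ID"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://example-tenant.auth0.com/samlp/EXAMPLE_APP_ID"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def extract_idp_settings(metadata_xml):
    """Return the three values Access Server's manual IdP form asks for."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    # Prefer the HTTP-Redirect binding (the usual one for SP-initiated login); fall back to POST.
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    login_url = sso.get(REDIRECT) or sso.get(POST)
    if not login_url or not login_url.startswith("https://"):
        raise ValueError(f"no HTTPS SingleSignOnService location: {login_url!r}")
    # Use the signing key (use="signing" or unspecified); an encryption-only key cannot verify assertions.
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    if not certs or not certs[0]:
        raise ValueError("no signing X509Certificate in metadata")
    body = "".join(certs[0].split())          # drop line breaks some exporters insert
    base64.b64decode(body, validate=True)     # fail early on a mangled certificate
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"
    return {"idp_entity_id": root.get("entityID"),  # IdP EntityId (Auth0 "Issuer")
            "sign_on_endpoint": login_url,          # Sign On Endpoint (Auth0 "Identity Provider Login URL")
            "certificate_pem": pem}                 # Certificate (PEM format)
```

Run it against the metadata file you downloaded from Auth0 and compare the output with the fields shown under Configure Identity Provider (IdP) Manually.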

Step 3: Assign SAML as user authentication

Once you’ve provided the SAML configuration for Auth0, you can enable it for users.

  1. Sign in to the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click the toggle to turn on Enable SAML authentication, then click Save Settings and Update Running Server.
  4. You can now enable SAML as the global default authentication or for specific groups and users.