How to configure SAML with Azure AD

Introduction

OpenVPN Access Server 2.11 and newer supports authentication using SAML with Azure AD as the identity provider. You can configure this in Azure AD with Access Server as your service provider.

The following steps walk you through how to enable SAML authentication for users and groups from Azure AD to Access Server.

Before you begin

You need the following to get started:

Note: We recommend using all lowercase usernames when logging in with SAML.

Step 1: Create the Azure AD SSO application

With Azure AD, you must create a custom SAML application for SSO.

First, gather information about your Access Server as the service provider (SP):

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. You’ll need the following information:
    • SP Identity.
    • SP ACS.

Now that you have your SP information, you can create a new Azure AD SAML app and enter that information during app creation:

  1. Sign in to your Azure portal as a global administrator.
  2. From the main, left-hand navigation menu, click All services.
  3. Enter “Azure Active Directory” in the search box and select it from the results.
  4. In the left-hand navigation menu, click Enterprise Applications.
  5. Click New application.
  6. Click Create your own application.
  7. Enter a name for your app and click Integrate any other application you don’t find in the gallery (Non-gallery).
  8. Click Create.
  9. Once the app is created, click Set up single sign on.
  10. Click SAML as the SSO method.
  11. Edit the basic SAML configuration and use the SP information from Access Server to enter the following into Azure:
    • Identifier (Entity ID): Enter the Access Server SP Identity.
    • Reply URL (Assertion Consumer Service URL): Enter the Access Server SP ACS.
    • Relay State (Optional): Enter ‘cws’ for the Client Web UI or ‘profile’ to provide users with a downloadable profile. (For more details, refer to “How to set up IdP-initiated flow (optional)” below.)
  12. Click Save.

Next, you provide the Azure SAML app data to Access Server. The simplest way is to provide metadata through a URL (first option) or downloaded file (second option).

To copy the Azure metadata URL (option 1):

  1. Ensure you’re still in the Single sign-on section of your SAML app.
  2. Under SAML Certificates, copy the App Federation Metadata Url.

To download the Azure metadata file for automatic configuration (option 2):

  1. Ensure you’re still in the Single sign-on section of your SAML app.
  2. Under SAML Certificates, locate the Federation Metadata XML and click Download.

Step 2: Provide Azure AD metadata to Access Server

Now that you have the Azure AD metadata, you can provide it to Access Server, which can automatically populate information for the identity provider.

If you copied the URL, follow the steps below to paste it into the SAML page for Access Server. If you downloaded the XML file, follow the steps below to upload it to the SAML page for Access Server.

To paste the Azure AD metadata URL in the Admin Web UI (option 1):

  1. Sign in to the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
  4. In the field, IdP Metadata URL, paste the URL you copied from Azure AD and click Get and Update Running Server.
  5. The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

To upload the Azure AD metadata file in the Admin Web UI (option 2):

  1. Sign in to the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
  4. In the field, Select IdP Metadata, click Choose File to upload the XML file you downloaded from Azure AD, then click Upload and Update Running Server.
  5. The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

After saving, you should see the following data populated automatically by either the URL or the XML file:

  • IdP EntityId.
  • Sign On Endpoint.
  • Certificate (PEM format).
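As an added example (not OpenVPN's or Microsoft's code), the following Python parses a constructed federation metadata document into the three values listed above, so the IdP EntityId, sign-on endpoint and signing certificate can be reviewed before the metadata is fetched or uploaded by Access Server. The tenant id and certificate in the sample are placeholders.

```python
# Added example: recover IdP EntityId, Sign On Endpoint and certificate (PEM)
# from SAML IdP federation metadata. Constructed sample, placeholder values.
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like Azure AD federation metadata (placeholder
# tenant id, truncated placeholder certificate; not a real document).
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate> MIICejCCAeCgAwIBAgIQ </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def to_pem(b64_der):
    """Re-wrap the metadata's bare base64 DER certificate as PEM; reject bad base64."""
    body = "".join(b64_der.split())           # metadata often line-wraps the value
    base64.b64decode(body, validate=True)     # raises binascii.Error on junk input
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")

def parse_idp_metadata(xml_text):
    """Return the IdP EntityId, sign-on endpoint and signing certificate (PEM)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    if sso is None:  # prefer HTTP-Redirect, else take whatever binding is offered
        sso = idp.find("md:SingleSignOnService", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks a sign-on endpoint or signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "cert_pem": to_pem(cert.text)}
```

Pointing the same parser at the App Federation Metadata Url copied from Azure lets you compare the extracted values with what Access Server shows under Configure Identity Provider (IdP) Manually.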

Step 3: Assign SAML as user authentication

Once you’ve provided the SAML configuration for Azure AD, you can enable it for users.

  1. Sign in to the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click the toggle to turn on Enable SAML authentication, then click Save Settings and Update Running Server.
  4. You can now enable SAML as the global default authentication or for specific groups and users.

How to set up IdP-initiated flow (optional)

You can configure an IdP-initiated flow so that users can sign in to Access Server from their Azure My Apps portal with the following steps:

  1. Sign in to the Azure portal as a global administrator.
  2. From the top of the main left-hand menu, select All services and open the Azure Active Directory Extension.
  3. In the filter search box, type “Azure Active Directory” and select Azure Active Directory from the results.
  4. From the left-hand navigation menu, click Enterprise Applications.
  5. Select All Applications to see all of your applications.
  6. Select your SAML application.
  7. Once the application loads, select Single sign-on from the left-hand menu.
  8. Edit the Basic SAML Configuration.
  9. Enter one of the following under Relay State (Optional):
    • cws: This directs your users to the Client Web UI after sign-in.
    • profile: This directs your users to a profile download after sign-in.
  10. Save changes.

Test that the option displays for your user:

  1. Sign in to your Azure My Apps as a SAML user.
  2. Find the SAML application linked with Access Server and click on it.
  3. The user should be directed to the Access Server Client Web UI without additional authentication requirements.