How to configure SAML with Azure AD

Introduction

OpenVPN Access Server 2.11 and newer supports SAML authentication with Azure AD as the identity provider (IdP). You configure an enterprise application in Azure AD with Access Server acting as the service provider (SP).

The following steps walk you through how to enable SAML authentication for users and groups from Azure AD to Access Server.

Before you begin

You need the following to get started:

Note: We recommend using all lowercase usernames when logging in with SAML.

Step 1: Copy or download Azure AD metadata

The simplest way to set up Azure AD SAML for Access Server is by providing metadata to Access Server. You can copy a metadata URL or download a metadata XML file.

To copy the Azure AD metadata URL (option 1):

  1. Sign in to the Azure portal as a global administrator.
  2. From the main, left-hand navigation menu, click All services.
  3. Enter “Azure Active Directory” in the search box and select it from the results.
  4. In the left-hand navigation menu, click Enterprise Applications and All Applications.
  5. Select the application whose metadata you need to download.
  6. Once the application loads, click Single sign-on on the left.
  7. Under SAML Signing Certificate, copy the App Federation Metadata Url.

To download the Azure AD metadata file (option 2):

  1. Sign in to the Azure portal as a global administrator.
  2. From the main, left-hand navigation menu, click All services.
  3. Enter “Azure Active Directory” in the search box and select it from the results.
  4. In the left-hand navigation menu, click Enterprise Applications and All Applications.
  5. Select the application whose metadata you need to download.
  6. Once the application loads, click Single sign-on on the left.
  7. Under SAML Signing Certificate, locate the Federation Metadata XML and click Download.

Step 2: Provide Azure AD metadata to Access Server

Now that you have the Azure AD metadata, you can provide it to Access Server, which uses it to populate the identity provider (IdP) settings automatically.

If you copied the URL, follow the steps below to paste it into the SAML page for Access Server. If you downloaded the XML file, follow the steps below to upload it to the SAML page for Access Server.

To paste the Azure AD metadata URL in the Admin Web UI (option 1):

  1. Sign in to the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
  4. In the field, IdP Metadata URL, paste the URL you copied from Azure AD and click Get and Update Running Server.
  5. The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

To upload the Azure AD metadata file in the Admin Web UI (option 2):

  1. Sign in to the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
  4. In the field, Select IdP Metadata, click Choose File to upload the XML file you downloaded from Azure AD, then click Upload and Update Running Server.
  5. The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

After saving, the following fields are populated automatically from either the URL or the XML file:

  • IdP EntityId.
  • Sign On Endpoint.
  • Certificate (PEM format).

The certificate is the Azure AD SAML signing certificate; Access Server uses it to verify the signature on the SAML responses Azure AD sends. If you roll over the signing certificate in Azure AD, responses signed with the new certificate will no longer verify against the old one, so import the metadata again to pick up the new certificate.
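What the metadata import in Step 2 actually reads from Azure AD, as an added example (this is not Access Server's or Microsoft's own code): the script below parses SAML 2.0 IdP metadata in the shape Azure AD publishes and extracts the three values listed above. The metadata document, the all-zeros tenant ID and the certificate body are constructed for illustration; the certificate is base64 of filler text, not a real X.509 certificate.

```python
"""
Pull the three IdP settings Access Server's metadata import populates
(IdP EntityId, Sign On Endpoint, signing Certificate in PEM form) out of
SAML 2.0 IdP metadata in the shape Azure AD publishes.  Added example;
not Access Server's or Microsoft's code.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of Azure AD federation metadata.  The tenant
# ID is all zeros and the X509Certificate body is base64 of filler text, NOT a
# real certificate; it exists only so the PEM wrapping can be exercised.
TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_B64 = base64.b64encode(b"constructed filler, not a real X.509 cert " * 4).decode()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(x509_b64: str) -> str:
    """Re-wrap the bare base64 from <X509Certificate> as a PEM block."""
    body = "".join(x509_b64.split())          # metadata often line-wraps the base64
    base64.b64decode(body, validate=True)      # reject non-base64 garbage early
    lines = textwrap.wrap(body, 64)            # PEM convention: 64 chars per line
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return {"entity_id", "sign_on_endpoint", "signing_certs"} or raise ValueError.

    For metadata from an untrusted source, parse with defusedxml rather than the
    stdlib parser to avoid entity-expansion attacks.  Azure AD signs its metadata;
    this example trusts the HTTPS download instead of verifying that signature.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor lacks entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata?)")

    # Azure publishes both bindings at the same URL; prefer HTTP-Redirect for the
    # SP-initiated request and insist on https so the exchange never goes in clear.
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    sign_on = endpoints.get(HTTP_REDIRECT) or endpoints.get(HTTP_POST)
    if not sign_on or not sign_on.startswith("https://"):
        raise ValueError(f"no usable https SingleSignOnService endpoint: {endpoints}")

    # use="signing", or no use attribute (which means both); skip encryption-only keys.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(to_pem(c.text or ""))
    if not certs:
        raise ValueError("no signing certificate: SAML responses could not be verified")

    return {"entity_id": entity_id, "sign_on_endpoint": sign_on, "signing_certs": certs}


if __name__ == "__main__":
    cfg = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP EntityId:     ", cfg["entity_id"])
    print("Sign On Endpoint: ", cfg["sign_on_endpoint"])
    print(cfg["signing_certs"][0])
```

Run it directly to print the three fields for the constructed sample, or call parse_idp_metadata() on the XML you downloaded in Step 1 to confirm, before uploading it to Access Server, that the entityID carries your tenant ID and the endpoint is the login.microsoftonline.com URL for the same tenant. The script rejects SP metadata, plain-http endpoints and metadata with no signing certificate, which are the three mistakes that otherwise surface only as a failed login later.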

Step 3: Assign SAML as user authentication

Once you’ve provided the SAML configuration for Azure AD, you can enable it for users.

  1. Sign in to the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click the toggle to turn on Enable SAML authentication, then click Save Settings and Update Running Server.
  4. You can now enable SAML as the global default authentication or for specific groups and users.

How to set up IdP-initiated flow (optional)

You can configure an IdP-initiated flow that lets users sign in to Access Server directly from their Azure My Apps portal with the following steps:

  1. Sign in to the Azure portal as a global administrator.
  2. From the main, left-hand navigation menu, click All services.
  3. Enter “Azure Active Directory” in the search box and select it from the results.
  4. From the left-hand navigation menu, click Enterprise Applications.
  5. Select All Applications to see all of your applications.
  6. Select your SAML application.
  7. Once the application loads, select Single sign-on from the left-hand menu.
  8. Edit the Basic SAML Configuration.
  9. Enter one of the following under Relay State (Optional):
    • cws: This directs your users to the Client Web UI after sign-in.
    • profile: This directs your users to a profile download after sign-in.
  10. Save changes.

Test that the option displays for your user:

  1. Sign in to your Azure My Apps as a SAML user.
  2. Find the SAML application linked with Access Server and click on it.
  3. The user should land in the Access Server Client Web UI (or at the profile download, depending on the Relay State you set) without being prompted to authenticate again: Azure AD has already authenticated the session and posts a signed SAML response that Access Server accepts.