How to configure SAML with OneLogin

Introduction

OpenVPN Access Server 2.11 and newer supports authentication using SAML with OneLogin as the identity provider. You can configure this in OneLogin with Access Server as your service provider.

The following steps walk you through how to enable SAML authentication for users and groups from OneLogin to Access Server.

Before you begin

You need the following to get started:

Note: We recommend using all lowercase usernames when logging in with SAML.

Step 1: Create the OneLogin App integration

With OneLogin, you need to create an application for the SAML integration.

First, gather information about your Access Server as the service provider (SP).

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. You’ll need the following information:
    • SP Identity.
    • SP ACS.

Now that you have your SP information, you can create a new OneLogin app and enter that information during app creation:

  1. Sign in to your OneLogin domain as an admin.
  2. Click Menu > Applications > Applications.
  3. Click Add App.
  4. In the search, enter ‘SAML custom connector’ and click on SAML Custom Connector (Advanced) in the results.
  5. Enter the Display Name and ensure you enable Visible in portal. Add icons and a description, then click Save.
  6. Click Configuration from the menu on the left.
  7. Enter your SP information as follows:
    • RelayState: Enter ‘cws’ if you want your users to sign in to the Client Web UI, or ‘profile’ if you want users to download a profile for their VPN client after they authenticate. For more information about RelayState, refer to the section below, “How to set up IdP-initiated flow (optional).”
    • Audience (Entity ID): Enter the SP Identity from Access Server.
    • ACS (Consumer) URL Validator: Enter the SP ACS from Access Server.
    • ACS (Consumer) URL: Enter the SP ACS again from Access Server.
    • Under SAML signature element, select Assertion from the drop-down.
    • Click Save.

You’ve added the SAML client for your OneLogin domain.

Step 2: Copy or download the OneLogin metadata

The simplest way to set up OneLogin SAML for Access Server is by providing metadata to Access Server. You can copy a metadata URL or download a metadata XML file.

To copy the OneLogin metadata URL (option 1):

  1. From your SAML app integration created in step 1, click SSO from the left menu.
  2. Copy the Issuer URL.

To download the OneLogin metadata file (option 2):

  1. From your SAML app integration created in step 1, click the More Actions drop-down.
  2. Click SAML metadata to download the XML file.

Step 3: Provide OneLogin metadata to Access Server

Now that you have the metadata, you can provide that to your Access Server through the Admin Web UI to automatically configure SAML.

If you copied the URL, follow the steps below to paste it into the SAML page for Access Server. If you downloaded the XML file, follow the steps below to upload it to the SAML page for Access Server.

To paste the OneLogin metadata URL in the Admin Web UI (option 1):

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
  4. Paste the Issuer URL from OneLogin into the IdP Metadata URL field and click Get and Update Running Server.
  5. The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

To upload the OneLogin metadata file in the Admin Web UI (option 2):

  1. Sign in to the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
  4. In the field Select IdP Metadata, click Choose File to upload the XML file you downloaded from OneLogin, then click Upload and Update Running Server.
  5. The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

After saving, you should see the following data populated automatically by either the URL or the XML file:

  • IdP EntityId.
  • Sign On Endpoint.
  • Certificate (PEM format).

Step 4: Assign SAML as user authentication

Once you’ve provided the SAML configuration for OneLogin, you can enable it for users.

  1. Sign in to the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click the toggle to turn on Enable SAML authentication, then click Save Settings and Update Running Server.
  4. You can now enable SAML as the global default authentication or for specific groups and users.

Step 5: Assign the SAML app to OneLogin users

With SAML enabled for Access Server, you need to add the app integration to the OneLogin users who require access.

  1. Sign in to your OneLogin domain as an admin.
  2. From the menu, click Users > Users and select a user.
  3. Click Applications.
  4. Click the Add icon.
  5. Select your SAML integration application from the Select application drop-down and click Continue.
  6. Review the information for the user on the next screen, then click Save.

You can now test that the user can sign in to Access Server using SAML.

How to set up IdP-initiated flow (optional)

You can configure an IdP-initiated flow for signing into Access Server from OneLogin with the following steps:

  1. Sign in to your OneLogin domain as an administrator.
  2. Click Applications > Applications.
  3. Click on your SAML app integration.
  4. Ensure that Visible in portal is enabled.
  5. Click Configuration from the left menu.
  6. Enter one of the following into the RelayState field:
    • cws: This directs your users to the Client Web UI after sign-in.
    • profile: This directs your users to a profile download after sign-in.
  7. Save changes.

Test that the option displays for your users:

  1. Sign in to your OneLogin portal as a SAML user.
  2. Find the SAML app linked with Access Server and click on it.
  3. The user should be directed to the Import profile in App page without additional authentication requirements.