SAML Configuration on Avi Vantage

Overview

This guide explains how to configure an application for SAML-based authentication. The application must first be registered at an IDP, such as Okta or PingFederate, with details such as the redirect URLs. Registration yields an IDP metadata XML file, which then needs to be configured on the SP, in our case an Avi virtual service.

Configuring using Avi UI

Configuring Authentication Profile

Navigate to Templates > Security > SSO policy > Create and provide the following information.

  • Name — As desired
  • Type — SAML
  • SAML Identity Provider Setting — Provide the desired metadata using the field IDP Metadata.
  • Select Use user provided entity ID for the Entity Type option available under SAML Service Provider Settings

(Screenshot: saml-auth)

  • IDP Metadata is a mandatory field; paste the metadata XML obtained from the identity provider.

Note: By default, Avi Vantage does not sign the SAML authentication request. This behavior can be changed by adding an SSL certificate to the auth profile: once a certificate is bound to the auth profile, the Avi VS signs its authentication requests with it.

Creating SSO Policy

Navigate to Templates > Security > SSO policy > Create.

  • Name — As desired
  • Type — SAML
  • Auth profile — Use the auth profile created in the step above

(Screenshot: sso)

Binding SSO Policy to Virtual Service

Navigate to Application > Virtual Service > Policies > Access and select the SAML option and follow the remaining steps as mentioned below:

  • SSO Policy - use the one created above

    (Screenshot: vs)

  • Entity ID: A unique value that must be the same on both the IDP and the SP.
  • SSO URL: https://SPresource/sso/acs/. The same URL must also be configured on the IDP.
    Example: https://sales.avi.com/sso/acs/
    Note: The trailing slash after acs is mandatory.

  • Session Cookie Name: Avi Vantage validates the assertion and sets a cookie for the client. The client then sends a GET request for the resource carrying the cookie that the SP provided. The cookie name is configurable and can be specified in this field. If no name is specified, the Avi VS uses a randomly generated name for the cookie, such as XRWDFG.

  • Session Cookie Timeout: The cookie expiry time can be customized here. The default value is 60 minutes.

Configuring using Avi CLI

Configuring the Auth Profile

[admin:saml-ctrlr-1]: > configure authprofile Saml-auth-profile

[admin:saml-ctrlr-1]: authprofile> type auth_profile_saml
[admin:saml-ctrlr-1]: authprofile> saml
[admin:saml-ctrlr-1]: authprofile:saml> sp
[admin:saml-ctrlr-1]: authprofile:saml:sp> saml_entity_type auth_saml_app_vs
[admin:saml-ctrlr-1]: authprofile:saml:sp> save
[admin:saml-ctrlr-1]: authprofile:saml> save
[admin:saml-ctrlr-1]: authprofile> saml
[admin:saml-ctrlr-1]: authprofile:saml> new idp
metadata : 'metadata_string'

Example

metadata: '<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exk2c02xxTcM9pIr0355"><md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDtjCCAp6gAwIBAgIGAWPuJWSOMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxHDAaBgNVBAMME2F2aW5ldHdvcmtzLWF1dGhsYWIxHDAaBgkq
hkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTgwNjExMDkxOTE4WhcNMjgwNjExMDkyMDE3WjCB
mzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lz
Y28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRwwGgYDVQQDDBNhdmluZXR3
b3Jrcy1hdXRobGFiMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAiFKBy70aa5G2I5JH+uUqXef9jrhUtx6CX1nmrg26FXtsKYdjRm5v
otxbjfNdcXeXRXHu5scMwAgMy9EZM+AXehlm/qnahNWvEZ+YgPZS55UzkcSXJ30dl62kbUAyXxo3
CQQs+Hj5k7W0rcZAj405qxOZVgtkrs6cB3uS/pn02eV4EHA6ECReQLrEPFcy6zLZpIChbkzyz372
ZLbwMCSjF5DLh52MSGgWixwvs5Mq20WofBWMOnS0ofnZq6+TM6XK7P8VEQxJe37sWi0W+RrR6685
T+bnlM6GMg24wRHt/1fouUbZQuBgoc0/HNKywlO9BXLoJ9j02/VYn3Uex9bumQIDAQABMA0GCSqG
SIb3DQEBCwUAA4IBAQAmAh0fXL7gU1ivV3hWdl0AlLPENREAzKbHwuthtTySBr6rmreo6j8SvOMW
pKQzNznmzU3zyeLd96j6lfA7PIDGyBGmNB6z0Va0bPvOQe+a2f3/cmumVdrKFv7I5ZiR0UNbeBmG
BIeWkJ+Rx+FcaIzP2IiFddmvpdh1nLae7FS9F1jvnioSIwq2PlFZuMMFb2TrMXrqqEMp9CeGfEag
bjxQcWEW1ifNxeKrI/LcS5g5mTf4gx41bgo/w9x6MRsK+bIbYv680mdtb6LhWiT1lZU+ZAYJTKMr
HHoIxYFPW8Zcs7DGirOOYMbSU97G0rljQzbv9gcS+FhwPffBaHi3spk9</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://avinetworks-authlab.okta.com/app/avinetworksorg108212_apmssotest_1/exk2c02xxTcM9pIr0355/sso/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://avinetworks-authlab.okta.com/app/avinetworksorg108212_apmssotest_1/exk2c02xxTcM9pIr0355/sso/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>'

Complete the CLI sequence with two save commands.

[admin:saml-ctrlr-1]: authprofile:saml> save
[admin:saml-ctrlr-1]: authprofile> save
+----------------------+----------------------------------------------------------------------------------+
| Field                | Value                                                                            |
+----------------------+----------------------------------------------------------------------------------+
| uuid                 | authprofile-789ce4af-6b9d-4a73-bd26-d00f670a19c0                                 |
| name                 | Saml-auth-profile                                                                |
| type                 | AUTH_PROFILE_SAML                                                                |
| saml                 |                                                                                  |
|   idp                |                                                                                  |
|     metadata         | <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:n |
|                      | ames:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exk2c02xxTcM9pIr0355">< |
|                      | md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration=" |
|                      | urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInf |
|                      | o xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate |
|                      | >MIIDtjCCAp6gAwIBAgIGAWPuJWSOMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYDVQQGEwJVUzETMBEG A1 |
|                      | UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA |
|                      | 1UECwwLU1NPUHJvdmlkZXIxHDAaBgNVBAMME2F2aW5ldHdvcmtzLWF1dGhsYWIxHDAaBgkq hkiG9w0B |
|                      | CQEWDWluZm9Ab2t0YS5jb20wHhcNMTgwNjExMDkxOTE4WhcNMjgwNjExMDkyMDE3WjCB mzELMAkGA1U |
|                      | EBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lz Y28xDTALBgNVBA |
|                      | oMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRwwGgYDVQQDDBNhdmluZXR3 b3Jrcy1hdXRobGFiM |
|                      | RwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKC |
|                      | AQEAiFKBy70aa5G2I5JH+uUqXef9jrhUtx6CX1nmrg26FXtsKYdjRm5v otxbjfNdcXeXRXHu5scMwAg |
|                      | My9EZM+AXehlm/qnahNWvEZ+YgPZS55UzkcSXJ30dl62kbUAyXxo3 CQQs+Hj5k7W0rcZAj405qxOZVg |
|                      | tkrs6cB3uS/pn02eV4EHA6ECReQLrEPFcy6zLZpIChbkzyz372 ZLbwMCSjF5DLh52MSGgWixwvs5Mq2 |
|                      | 0WofBWMOnS0ofnZq6+TM6XK7P8VEQxJe37sWi0W+RrR6685 T+bnlM6GMg24wRHt/1fouUbZQuBgoc0/ |
|                      | HNKywlO9BXLoJ9j02/VYn3Uex9bumQIDAQABMA0GCSqG SIb3DQEBCwUAA4IBAQAmAh0fXL7gU1ivV3h |
|                      | Wdl0AlLPENREAzKbHwuthtTySBr6rmreo6j8SvOMW pKQzNznmzU3zyeLd96j6lfA7PIDGyBGmNB6z0V |
|                      | a0bPvOQe+a2f3/cmumVdrKFv7I5ZiR0UNbeBmG BIeWkJ+Rx+FcaIzP2IiFddmvpdh1nLae7FS9F1jvn |
|                      | ioSIwq2PlFZuMMFb2TrMXrqqEMp9CeGfEag bjxQcWEW1ifNxeKrI/LcS5g5mTf4gx41bgo/w9x6MRsK |
|                      | +bIbYv680mdtb6LhWiT1lZU+ZAYJTKMr HHoIxYFPW8Zcs7DGirOOYMbSU97G0rljQzbv9gcS+FhwPff |
|                      | BaHi3spk9</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md: |
|                      | NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFor |
|                      | mat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md: |
|                      | NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindin |
|                      | gs:HTTP-POST" Location="https://avinetworks-authlab.okta.com/app/avinetworksorg1 |
|                      | 08212_apmssotest_1/exk2c02xxTcM9pIr0355/sso/saml"/><md:SingleSignOnService Bindi |
|                      | ng="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://avinet |
|                      | works-authlab.okta.com/app/avinetworksorg108212_apmssotest_1/exk2c02xxTcM9pIr035 |
|                      | 5/sso/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>                        |
|   sp                 |                                                                                  |
|     saml_entity_type | AUTH_SAML_APP_VS                                                                 |
| tenant_ref           | admin                                                                            |
+----------------------+----------------------------------------------------------------------------------+
[admin:saml-ctrlr-1]: >

Configuring SSO Policy

[admin:saml-ctrlr-1]: > configure ssopolicy saml_ssopolicy
[admin:saml-ctrlr-1]: ssopolicy> authentication_policy default_auth_profile_ref Saml-auth-profile
[admin:saml-ctrlr-1]: ssopolicy:authentication_policy> save
[admin:saml-ctrlr-1]: ssopolicy> save
+----------------------------+------------------------------------------------+
| Field                      | Value                                          |
+----------------------------+------------------------------------------------+
| uuid                       | ssopolicy-23bf7f51-d95a-4f1d-9dbb-648dd7ad11e6 |
| name                       | saml_ssopolicy                                 |
| authentication_policy      |                                                |
|   default_auth_profile_ref | Saml-auth-profile                              |
| tenant_ref                 | admin                                          |
+----------------------------+------------------------------------------------+

Configuring Virtual Service

Both of the steps below must be completed before the virtual service configuration is saved.

Step One: Binding SSO Policy

[admin:saml-ctrlr-1]: > configure virtualservice VS-SAML
  Updating an existing object. Currently, the object is:
       < Object specifics would appear here. Left out of article for brevity's sake. >
[admin:saml-ctrlr-1]: virtualservice> sso_policy_ref saml_ssopolicy

Step Two: SP Config

[admin:saml-ctrlr-1]: virtualservice> saml_sp_config
[admin:saml-ctrlr-1]: virtualservice:saml_sp_config> single_signon_url https://sales.avi.com/sso/acs/
[admin:saml-ctrlr-1]: virtualservice:saml_sp_config> entity_id SAML_app
[admin:saml-ctrlr-1]: virtualservice:saml_sp_config> cookie_name MyCookie
[admin:saml-ctrlr-1]: virtualservice:saml_sp_config> cookie_timeout 60
[admin:saml-ctrlr-1]: virtualservice:saml_sp_config> save
[admin:saml-ctrlr-1]: virtualservice> save
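As an added pre-flight check that is not part of this article or of the Avi product, the Python below parses IDP metadata of the shape shown in the CLI example above and applies the SP-side rules from this guide (an https SSO URL ending in /sso/acs/, an entity ID identical on SP and IDP, and a bound certificate when the IDP requires signed authentication requests). The sample metadata, its entity ID, URL and certificate bytes are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata (placeholder entity ID, URL and certificate bytes).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/EXAMPLE-IDP-ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MIIBIjAN
BgkqhkiG</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract what the SP operator should verify before pasting the metadata into the auth profile."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    # Pasted certificates are usually line-wrapped: strip whitespace, then check the base64 is intact.
    certs = ["".join(c.text.split()) for c in idp.findall("md:KeyDescriptor//ds:X509Certificate", NS)]
    for cert in certs:
        base64.b64decode(cert, validate=True)  # raises binascii.Error on a corrupt paste
    return {
        "entity_id": root.get("entityID"),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "sso_urls": {s.get("Binding").rsplit(":", 1)[1]: s.get("Location")
                     for s in idp.findall("md:SingleSignOnService", NS)},
        "signing_certs": len(certs),
    }


def check_sp_settings(idp, sso_url, sp_entity_id, idp_registered_entity_id, cert_bound_to_profile):
    """Apply this guide's SP rules; returns a list of problems (empty when the settings are consistent)."""
    problems = []
    if not sso_url.startswith("https://"):
        problems.append("SSO URL must be https")
    if not sso_url.endswith("/sso/acs/"):
        problems.append("SSO URL must end in /sso/acs/ (the trailing slash is mandatory)")
    if sp_entity_id != idp_registered_entity_id:
        problems.append("Entity ID must be identical on the SP and in the IDP registration")
    if idp["wants_signed_requests"] and not cert_bound_to_profile:
        problems.append("IDP requires signed AuthnRequests: bind a certificate to the auth profile")
    return problems
```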