SAML Integration with Azure AD - Aviatrix Controller Login
For Aviatrix Controller login, we can use SAML authentication methods to various available IdPs, in addition to using a simple username & password. IdP is basically any provider that supports SAML end point (AWS SSO, Azure AD, PingOne, Okta, OneLogin , Google, etc). By leveraging these integrations we can use a single sign-on by one or many IdPs. Your Aviatrix Controller acts as the Identity service provider that redirects application traffic from the client to IdP (for example Azure AD) for authentication.
In this blog, we will focus on Azure AD IdP integration for the Aviatrix Controller.
- Already deployed Aviatrix Controller Controller Startup Guide
- Azure AD Premium subscription account with administrator access
Login to your Aviatrix Controller and Create a temporary Aviatrix SP Endpoint.
Check the below screenshot from the controller endpoint and SP UCS URL for reference. Retrieve your SP UCS URL on a notepad.
NOTE:- For this example, we used Controller Login SAML Config integration with Azure AD.
Note:- Copy SP UCS URL on a notepad to be used while registering with IDPs SP UCS URL for this example - https://126.96.36.199/flask/saml/sso/azure_saml_controller
Now enable Azure AD SAML Application via Azure console.
Please note that you need admin access and cannot use a consolidated Azure account.
- Azure Active Directory -> Enterprise Applications -> Select New application
- Create your own application
- Add users to this new application
- Now go to Single sign-on and select SAML
- Now under SAML based sign-on, edit the configuration and fill Identity (Entity ID), Reply URL, and Sign-on URL as shown in the screenshot example below
Identity URL is your controller IP and Reply URL as well as Sign on URL is your SP ACS URL which we copied to notepad in step 1.
- Edit User Attributes & Claims and add 3 new claims as below
Retrieve Azure AD IdP metadata.
Below is screenshot from Azure console as a reference. The metadata URL shown by an arrow will be used to recognize Azure AD as IdP.
Under SAML Signing Certificate copy and download Federation Metadata XML
Upgrade the temporary Aviatrix SP Endpoint created in Step 1 with Azure SAML metadata details.
Screenshot from the controller as reference.
Click Custom SAML Request Template and delete all of the XML data there.
Enter the following XML information
<?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="$ID" Version="2.0" IssueInstant="$Time" Destination="$Dest" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="$ACS"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">$Issuer</saml:Issuer> </samlp:AuthnRequest>
Test the integration from controller SAML endpoint test button.
It should redirect you to Azure sign in page and subsequently login to the controller automatically.
Finally you should now get 2 options to login to controller (Sign in OR SAML login) as shown below.
If you now click on SAML login you will automatically login to controller as a Azure AD user