Avi Vantage Integration with OneLogin
Starting with release 18.2.2, an Avi virtual service can act as a service provider (SP) for Security Assertion Markup Language (SAML). In this role, the Avi virtual service sends authentication requests to an identity provider (IDP), and the IDP's responses govern user access to the back-end applications running in Avi pools. Avi Networks has implemented multiple third-party integrations to give customers a choice of IDP. This article outlines the steps necessary to enable OneLogin as the IDP.
Avi as SP and OneLogin as IDP
- Log in to OneLogin with admin access to a developer account and click Add apps.
- Search for SAML in the search tab.
- For this guide, we have selected the SAML Test Connector (IDP w/ attr w/ sign response).
- Once you select the option mentioned above, the following screen will appear.
- Click Save.
- Open the app again, click Configuration, and add the details as shown below.
  - Audience should be the same as the Entity ID on Avi.
  - ACS (Consumer) URL* should be the same as the SSO URL on Avi.
- Click Save. On the next screen you can continue with the default parameters or add new ones.
- Click Next on the Rules screen.
- On the SSO tab you can change the certificate from SHA1 to SHA2, if required. Click Save.
- The next three tabs (Access, Users, and Policies) are for assigning the apps to users and granting the required permissions. Click Save.
This completes the configuration on the IDP.
To download metadata, click on More Actions and select SAML Metadata to download the IDP metadata.
This completes the process of creating an application on OneLogin.
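As an added example (not Avi's or OneLogin's own code), the following Python shows what the Audience and ACS URL values entered in the Configuration step become in a SAML response, and checks them the way an SP must: the assertion's Audience has to equal the Entity ID configured on Avi, and the Response Destination and SubjectConfirmationData Recipient have to equal the SSO URL. The SP values and the unsigned sample response are constructed placeholders; signature verification against the IDP certificate is a separate step not shown here.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical SP values as they would be entered on the Avi side.
SP_ENTITY_ID = "https://avi-sp.example.com/saml/metadata"  # Entity ID on Avi == Audience on OneLogin
SP_SSO_URL = "https://avi-sp.example.com/sso/acs"          # SSO URL on Avi == ACS (Consumer) URL on OneLogin

# Constructed, unsigned sample of the response OneLogin would POST to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{SP_SSO_URL}">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_SSO_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, entity_id, sso_url):
    """Return a list of mismatches between the response and the SP's configured values."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != sso_url:  # response must be addressed to our ACS URL
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {sso_url!r}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sso_url:  # bearer assertion must name our ACS URL
        problems.append("SubjectConfirmationData Recipient does not match ACS URL")
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:  # assertion must be scoped to our Entity ID
        problems.append(f"Audience {audiences} does not include Entity ID {entity_id!r}")
    return problems
```

An empty list means the OneLogin Audience and ACS URL settings line up with the Avi Entity ID and SSO URL; any entry names the field that was typed differently on one side.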
Once configuration is complete on OneLogin, configure an Avi virtual service to act as service provider by following the instructions given in the SAML Configuration on Avi Vantage article.
Suggested Reading
Configuring SAML Authentication with Workspace One for Avi Controller