SAML Support for Avi SDK
Starting with Avi Vantage 18.2.2, the Avi SDK supports IdP credentials both for SDK sessions and for REST API login. This requires a SAML authentication profile to be configured on the Avi Controller; the Python SDK uses that profile to establish a connection and access resources.
To set up SAML on the Avi Controller, refer to the SAML Authentication for Single Sign-On article.
Notes:
- Logging into the Avi CLI using IdP credentials is not yet supported.
- SAML-based authentication using the Python SDK is supported for Okta and OneLogin.
- The service provider never directly interacts with the identity provider. A browser or the Python SDK acts as the agent to carry out all redirections.
- The service provider needs to know to which identity provider to redirect before it has any idea who the user is.
- The service provider does not know who the user is until the SAML assertion comes back from the identity provider.
- SAML authentication flow is asynchronous. The SP does not know if the IdP will ever complete the entire flow. Because of this, the SP does not maintain any state of any authentication requests generated. When the SP receives a response from an IdP, the response must contain all necessary information.
SAML Python SDK
Under the SDK, a file named saml_avi_api.py contains an IdP class definition for each supported IdP. The IdP-specific classes inherit from the ApiSession base class. Each IdP-specific class has its own authentication method, which is called to authenticate a given user; URL redirection and SAML assertion handling are performed inside this class. After successful authentication with the given IdP, the class returns the Controller session.
Okta Example
In this collection of code snippets, the OktaSAMLApiSession class is used to authenticate a user against the Okta IdP, obtain the Controller session, and create a VS.
from avi.sdk.avi_api import ApiSession          # base session class, needed for the get_session() form below
from avi.sdk.saml_avi_api import OktaSAMLApiSession
Create Avi API Session
api = OktaSAMLApiSession("10.10.10.42", "okta_username", "okta_password")
OR
api = ApiSession.get_session("controller_ip", username="foo", password="foo", idp=OktaSAMLApiSession)
Create VS Using Pool sample_pool
pool_obj = api.get_object_by_name('pool', 'sample_pool')
pool_ref = api.get_obj_ref(pool_obj)
services_obj = [{'port': 80, 'enable_ssl': False}]
vs_obj = {'name': 'sample_vs', 'ip_address': {'addr': '11.11.11.42', 'type': 'V4'},
          'services': services_obj, 'pool_ref': pool_ref}
resp = api.post('virtualservice', data=vs_obj)
Print List of all Virtual Services
resp = api.get('virtualservice')
for vs in resp.json()['results']:
    print(vs['name'])
Delete a Virtual Service
resp = api.delete_by_name('virtualservice', 'sample_vs')
OneLogin Example
In this collection of code snippets, the OneloginSAMLApiSession class is used to authenticate a user against the OneLogin IdP, obtain the Controller session, and create a VS.
from avi.sdk.avi_api import ApiSession          # base session class, needed for the get_session() form below
from avi.sdk.saml_avi_api import OneloginSAMLApiSession
Create Avi API Session
api = OneloginSAMLApiSession("10.10.10.42", "onelogin_username", "onelogin_password")
OR
api = ApiSession.get_session("controller_ip", username="foo", password="foo", idp=OneloginSAMLApiSession)
Create VS Using Pool sample_pool
pool_obj = api.get_object_by_name('pool', 'sample_pool')
pool_ref = api.get_obj_ref(pool_obj)
services_obj = [{'port': 80, 'enable_ssl': False}]
vs_obj = {'name': 'sample_vs', 'ip_address': {'addr': '11.11.11.42', 'type': 'V4'},
          'services': services_obj, 'pool_ref': pool_ref}
resp = api.post('virtualservice', data=vs_obj)
Print List of all Virtual Services
resp = api.get('virtualservice')
for vs in resp.json()['results']:
    print(vs['name'])
Delete a Virtual Service
resp = api.delete_by_name('virtualservice', 'sample_vs')
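The following is a hardened variant of the Okta and OneLogin snippets above, added here as an example and not code from the Avi SDK or its documentation: IdP credentials are read from environment variables instead of being written into source, the pool lookup and the Controller's HTTP status are checked around the POST, and the VIP and port are validated before the request body is built. The AVI_IDP_USER/AVI_IDP_PASSWORD variable names, the `verify=True` keyword on ApiSession.get_session, and the 2xx success check are assumptions; the avi.sdk imports are deferred so the helpers run without the SDK installed.

```python
import ipaddress
import os


def saml_session(controller, idp_name):
    """Open a Controller session through the named IdP ("okta" or "onelogin").

    Credentials are read from AVI_IDP_USER / AVI_IDP_PASSWORD (assumed names) so
    they never sit in source control. The SDK import is deferred so this module
    loads, and the helpers below can be exercised, without the SDK installed.
    verify=True is assumed to be the ApiSession keyword that enables TLS
    certificate verification of the Controller.
    """
    from avi.sdk.avi_api import ApiSession
    from avi.sdk import saml_avi_api
    idp_cls = {"okta": saml_avi_api.OktaSAMLApiSession,
               "onelogin": saml_avi_api.OneloginSAMLApiSession}[idp_name.lower()]
    return ApiSession.get_session(controller,
                                  username=os.environ["AVI_IDP_USER"],
                                  password=os.environ["AVI_IDP_PASSWORD"],
                                  idp=idp_cls, verify=True)


def build_vs(name, vip, pool_ref, port=80, enable_ssl=False):
    """Return a virtualservice body, rejecting a bad VIP or port before any API call."""
    addr = ipaddress.ip_address(vip)          # ValueError on anything that is not an IP
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % (port,))
    return {"name": name,
            "ip_address": {"addr": str(addr), "type": "V4" if addr.version == 4 else "V6"},
            "services": [{"port": port, "enable_ssl": enable_ssl}],
            "pool_ref": pool_ref}


def create_vs(api, name, vip, pool_name, port=80):
    """Create a VS on an existing pool; fail loudly rather than post a half-built object."""
    pool_obj = api.get_object_by_name("pool", pool_name)
    if pool_obj is None:                      # get_object_by_name returns None when absent
        raise LookupError("pool %r not found on the Controller" % (pool_name,))
    body = build_vs(name, vip, api.get_obj_ref(pool_obj), port)
    resp = api.post("virtualservice", data=body)
    if not 200 <= resp.status_code < 300:     # assumed: any 2xx means the object was created
        raise RuntimeError("VS create failed: %s %s" % (resp.status_code, resp.text))
    return resp.json()
```

Call `create_vs(saml_session("10.10.10.42", "okta"), "sample_vs", "11.11.11.42", "sample_pool")` to reproduce the page's Okta flow with these checks in place.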