Configure SAML with Workspace ONE for Avi Load Balancer

Integrating Avi Load Balancer with VMware Workspace ONE (WS1) over SAML lets you use the WS1 App Catalog, network access restrictions, and step-up authentication when administrators sign in. This section describes how to configure SAML for Avi Load Balancer control plane authentication with Workspace ONE Access as the identity provider (IdP).
You can configure granular role-based access control by adding application parameters to the Workspace ONE Access catalog item and then mapping those parameters to different roles in Avi Load Balancer. For more information, see Tenant and Role Mapping Examples.

Prerequisites

Before starting the configuration, complete the following prerequisites:
  • Configure a DNS record for the Avi Load Balancer Controller. This record provides the fully qualified domain name (FQDN) used when signing in to the system.
  • Get the Workspace ONE Access IdP metadata.
Follow the steps below to obtain the idp.xml file:
  1. Log in to the Workspace ONE Access administrator console.
  2. Navigate to Catalog > Settings.
  3. Click SAML Metadata under SaaS Apps.
  4. In the Download SAML Metadata tab, click Copy URL next to Identity Provider (IdP) metadata.

SAML Configuration in Avi Load Balancer

To configure an authentication profile that supports SAML on the Avi Load Balancer Controller, follow the steps below:
  1. Log in to the Avi Load Balancer Controller with admin credentials.
  2. Navigate to Templates > Security > Auth Profile and click CREATE.
  3. Enter the Name of the auth profile.
  4. Select SAML as the Type of auth profile.
  5. Select the Use IDP Metadata URL option and paste the URL copied from Workspace ONE Access into the Enter IDP Metadata URL field.
  6. Under Service Provider, select Use DNS FQDN.
  7. Enter the service provider organization details, as required.
  8. Enter the FQDN to be used for the SAML configuration.
  9. Click Save.

Collecting Service Provider Metadata

Avi Load Balancer does not generate an XML metadata file that can be imported into Workspace ONE Access, so the service provider metadata must be entered manually. Collect the following details:
  • Entity ID
  • SSO URL
  • Signing Certificate
Get the Entity ID and the SSO URL from the VERIFY SERVICE PROVIDER SETTINGS screen as shown below.
  1. Navigate to Templates > Security > Auth Profile.
  2. Identify the authentication profile you created and click the verify icon.
  3. The VERIFY SERVICE PROVIDER SETTINGS screen displays the Entity ID and the Single Sign on URL. Copy this information and paste it into a text editor.
Get the signing certificate from SSL/TLS Certificates as shown below.
  1. From the Avi Load Balancer UI, navigate to Templates > Security > SSL/TLS Certificates.
  2. Identify the System-Default-Portal-Cert and click the Export icon.
  3. From the Export Certificate screen, click Copy to clipboard to copy the Key and the Certificate. Only the Certificate is needed by Workspace ONE Access (it is pasted into the Request Signature field); the Key is not.
  4. Paste the details into a text editor.
  5. Click DONE.

Configuring Auth Mapping Profile

  1. From the Avi Load Balancer UI, navigate to Templates > Security > Auth Mapping Profile.
  2. Click CREATE, or edit an existing auth mapping rule.
  3. Enter a Name and Description.
  4. Select SAML as the Type. The auth profile settings displayed depend on the type selected.
  5. Under Rules, click ADD. A new Mapping Rule screen appears.
  6. Under Match, select the filter for the Attribute Match:
    1. Any: Users match regardless of attributes or their values.
    2. Contains: The user must have the specified attribute, and the attribute must have one of the specified values.
    3. Does Not Contain: The user must not have the specified attribute and value(s).
    4. Regex:
  7. Under Action, select Custom Mapping.
  8. Select and configure User Tenant, User Role, or User Account Profile from the ADD drop-down menu as required. For more information, see User Tenant, User Roles, and User Account Profile.
  9. Click Save.
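The Match filters above, worked through on constructed SAML attributes as an added example that is not Avi Load Balancer code: the rule set, the groups attribute and the tenant and role names are made up, and first-match-wins, deny when no rule matches, Does Not Contain also matching an absent attribute, and Regex matching any attribute value are assumptions of this example rather than documented product behaviour.

```python
"""Evaluate SAML auth mapping rules with the Match filters this page lists:
Any, Contains, Does Not Contain and Regex.
Added example, not Avi Load Balancer code. Rules, the "groups" attribute and
the tenant/role names are constructed. First matching rule wins, a user who
matches no rule is denied, "not_contains" also matches when the attribute is
absent, and "regex" matches if any value matches the pattern; these four
points are this example's assumptions.
"""
import re

# Constructed rule set, evaluated top to bottom.
RULES = [
    {"match": "contains", "attr": "groups", "values": ["avi-admins"],
     "action": {"tenant": "admin", "role": "System-Admin"}},
    {"match": "regex", "attr": "groups", "values": [r"^avi-tenant-[a-z0-9]+-ops$"],
     "action": {"tenant": "ops", "role": "Tenant-Admin"}},
    {"match": "not_contains", "attr": "groups", "values": ["contractors"],
     "action": {"tenant": "admin", "role": "Application-Operator"}},
]


def rule_matches(rule, attrs):
    """attrs maps a SAML attribute name to its list of values (SAML attributes are multi-valued)."""
    kind = rule["match"]
    if kind == "any":
        return True
    have = attrs.get(rule["attr"], [])
    wanted = rule["values"]
    if kind == "contains":          # attribute present with one of the listed values
        return any(v in wanted for v in have)
    if kind == "not_contains":      # none of the listed values present (absent attribute passes)
        return not any(v in wanted for v in have)
    if kind == "regex":             # any value matches any listed pattern
        return any(re.search(p, v) for p in wanted for v in have)
    raise ValueError(f"unknown match type {kind!r}")


def map_user(attrs, rules=RULES):
    """Return the tenant/role action of the first matching rule, or None to deny."""
    for rule in rules:
        if rule_matches(rule, attrs):
            return dict(rule["action"])
    return None


if __name__ == "__main__":
    # A user with no "groups" attribute at all still satisfies the not_contains
    # rule, which is why negative rules belong after the positive ones.
    print(map_user({"groups": ["avi-admins"]}), map_user({}), map_user({"groups": ["contractors"]}))
```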

Configuring Remote Authentication

By default, a Controller has only local authentication enabled (Authentication/Authorization: Local).
To configure remote authentication using the Avi Load Balancer UI, follow the steps below:
  1. Navigate to Administration > System Settings > EDIT > Authentication.
  2. In the Edit System Settings screen, select Remote as the Authentication method.
  3. Select Enable Local User Login to allow users from the local user database to log in with their local credentials.
  4. Under Auth Profiles & Mapping Profiles, click Add.
  5. From the Select Auth Profile drop-down menu, select the previously created remote Auth Profile.
  6. From the Select AUTH Mapping Profile drop-down menu, select an existing Mapping Profile or click the vertical menu icon (three dots) to create a new Mapping Profile. For more information, see Configuring Auth Mapping Profile.
  7. Click Save.
    Tenant and role mapping are available only with remote authentication.

Configuring the Avi Load Balancer Catalog Item in Workspace ONE Access

Once the SAML profile is created on the Avi Load Balancer Controller, the Workspace ONE catalog entry can be created.
To create the Workspace ONE catalog entry, do the following:
  1. Log in to your Workspace ONE Access administrator console.
  2. Navigate to the Catalog tab.
  3. Click New.
  4. In the New SaaS Application screen, enter a Name for the new Avi Load Balancer entry in the App Catalog.
  5. Under the Definition tab, if you have an icon to use, click Select File, upload the icon for the application, and click Next to view the Configuration tab.
  6. In the Configuration tab, enter the details as shown below:
     Field               Description
     Single Sign-On URL  Use the Single Sign on URL copied from the VERIFY SERVICE PROVIDER SETTINGS screen in Avi Load Balancer. The trailing slash (/) after acs is mandatory.
     Recipient URL       Use the Single Sign-On URL.
     Application ID      Use the Entity ID copied from the VERIFY SERVICE PROVIDER SETTINGS screen in Avi Load Balancer.
     Username Format     Unspecified.
     Username Value      ${user.email}
     Relay State URL     The FQDN or IP address of your appliance.
     The Configuration tab in the New SaaS Application screen is as shown below.
  7. Click Advanced Properties and configure the properties as shown below:
  8. Copy the value of the System-Default-Portal-Cert certificate and paste it into the Request Signature field.
  9. Enter the FQDN or IP address of the appliance as the Application Login URL. This enables SP-initiated login workflows.
  10. Click Next to select the Access Policies to use for this application. These policies determine the rules used for authentication and access to the application.
  11. Click Next to review the Summary of the configuration.
  12. Click Save & Assign, then select the users or groups that will have access to this application and the deployment type.
  13. Click Save.