Configure SAML with Workspace One for Avi Load Balancer

SAML enables integration into VMware Workspace ONE (WS1) and takes advantage of the App Catalog, network access restrictions, and step-up authentication when administrators sign in. In this section, you will learn how to configure SAML for Avi Load Balancer control plane authentication, with Workspace ONE Access as the identity provider (IDP). You can configure granular role-based access control by adding application parameters to the Workspace ONE Access catalog item and then mapping those parameters to different roles in Avi Load Balancer. For more information, see Tenant and Role Mapping Examples.

Prerequisites
Before initiating the configuration, complete the following prerequisites:
- Configure a DNS record for the Avi Load Balancer Controller. This record provides the fully qualified domain name (FQDN) used when signing in to the system.
- Get the Workspace ONE Access IDP metadata. Follow the steps below to download the idp.xml file:
  - Log in to the Workspace ONE Access administrator console.
  - Navigate to the .
  - Click SAML Metadata under SaaS Apps.
  - In the Download SAML Metadata tab, click Copy URL next to Identity Provider (IdP) metadata.

SAML Configuration in Avi Load Balancer
To configure an authentication profile to support SAML on the Avi Load Balancer Controller, follow the steps below:
- Log in to the Avi Load Balancer Controller with admin credentials.
- Navigate to the and click CREATE.
- Enter the Name of the auth profile.
- Select SAML as the Type of auth profile.
- Select the Use IDP Metadata URL option and paste the URL in the Enter IDP Metadata URL field.
- Under Service Provider, select Use DNS FQDN.
- Enter the service provider organization details, as required.
- Enter the FQDN to be used for the SAML configuration.
- Click Save.
Collecting Service Provider Metadata
Avi Load Balancer does not generate an XML file that can be imported into Workspace ONE Access, so the metadata must be entered manually. Collect the following details:
- Entity ID
- SSO URL
- Signing Certificate
Get the entity ID and the SSO URL from the VERIFY SERVICE PROVIDER SETTINGS screen as shown below.
- Navigate to .
- Identify the authentication profile created and click the verify icon.
- The VERIFY SERVICE PROVIDER SETTINGS screen displays the Entity ID and the Single Sign on URL. Copy this information and paste it in a text editor.
Get the signing certificate from SSL/TLS Certificates as shown below.
- From the Avi Load Balancer UI, navigate to .
- Identify the System-Default-Portal-Cert and click the Export icon.
- From the Export Certificate screen, click Copy to clipboard to copy the Key and the Certificate. Only the Certificate is used in the Workspace ONE Access configuration later in this procedure.
- Paste the details into a text editor.
- Click DONE.
Configuring Auth Mapping Profile
- From the Avi Load Balancer UI, navigate to .
- Click CREATE or edit an existing auth mapping rule.
- Enter Name and Description.
- Select SAML as the Type. Depending on the type selected, the auth profile settings are displayed.
- Under Rules, click ADD. A new Mapping Rule screen appears.
- Under Match, select the filter for the Attribute Match:
  - Any: Users match regardless of attributes or their values.
  - Contains: The user must have the specified attribute, and the attribute must have one of the specified values.
  - Does Not Contain: The user must not have the specified attribute and value(s).
  - Regex:
- Under Action, select Custom Mapping.
- Select and configure User Tenant, User Role, or User Account Profile from the ADD drop-down menu as required. For more information, see User Tenant, User Roles, and User Account Profile.
- Click Save.
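The Match filters above decide which SAML attribute values map a signed-in user to a tenant and role, so their ordering and semantics are worth reasoning through before saving. The following is an added example, not code from the VMware documentation or the product: it models the four filters, assuming first-match-wins evaluation and that Regex means an attribute value must fully match the pattern (the documentation does not describe that filter); group and role names are constructed sample values.

```python
"""Model the Attribute Match filters of an Avi Load Balancer Auth Mapping Profile rule.
Added example, not part of the VMware documentation. Assumptions: rules are
evaluated in order and the first match wins; Regex means an attribute value
must fully match the pattern. Group and role names are constructed samples."""
import re
from dataclasses import dataclass, field


@dataclass
class MappingRule:
    match: str                # "any" | "contains" | "does_not_contain" | "regex"
    attribute: str = ""       # SAML attribute the filter inspects
    values: tuple = ()        # value list for contains / does_not_contain
    pattern: str = ""         # pattern for regex (assumed: fullmatch on a value)
    action: dict = field(default_factory=dict)  # Custom Mapping result (tenant, role)


def rule_matches(rule: MappingRule, attrs: dict) -> bool:
    """attrs maps a SAML attribute name to the list of values in the assertion."""
    have = attrs.get(rule.attribute, [])
    if rule.match == "any":
        return True                                      # matches every user: fallback only
    if rule.match == "contains":
        return any(v in rule.values for v in have)       # attribute present with a listed value
    if rule.match == "does_not_contain":
        return not any(v in rule.values for v in have)   # none of the listed values present
    if rule.match == "regex":
        return any(re.fullmatch(rule.pattern, v) for v in have)
    raise ValueError(f"unknown match type {rule.match!r}")


def map_user(rules: list, attrs: dict):
    """Return the action of the first matching rule, or None (no mapping) if none match."""
    for rule in rules:
        if rule_matches(rule, attrs):
            return rule.action
    return None


# Constructed sample policy: admins by group, tenant ops by group pattern,
# contractors excluded from the default operator role.
SAMPLE_RULES = [
    MappingRule("contains", "groups", values=("avi-admins",),
                action={"tenant": "admin", "role": "System-Admin"}),
    MappingRule("regex", "groups", pattern=r"avi-tenant-[a-z0-9]+-ops",
                action={"tenant": "admin", "role": "Tenant-Admin"}),
    MappingRule("does_not_contain", "groups", values=("contractors",),
                action={"tenant": "admin", "role": "Application-Operator"}),
]
```

Running `map_user(SAMPLE_RULES, attrs)` with different group lists shows why an Any rule belongs last: placed first it would shadow every more specific rule and grant its action to all authenticated users.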
Configuring Remote Authentication
By default, a Controller has only local authentication established (Authentication/Authorization: Local).
To configure remote authentication using the Avi Load Balancer UI, follow the steps below:
- Navigate to .
- In the Edit System Settings screen, select Remote as the Authentication method.
- Select Enable Local User Login to allow users from the local user database to log in with their user credentials.
- Under Auth Profiles & Mapping Profiles, click Add.
- From the Select Auth Profile drop-down menu, select the previously created remote Auth Profile.
- From the Select AUTH Mapping Profile drop-down menu, select an existing Mapping Profile or click the vertical menu icon (three dots) to create a new Mapping Profile. For more information, see Configuring Auth Mapping Profile.
- Click Save.
Tenant and role mapping are available only with remote authentication.
Configuring the Avi Load Balancer Catalog Item in Workspace ONE Access
Once the SAML profile is created in the Avi Load Balancer Controller, the Workspace ONE catalog entry can be created. To create the Workspace ONE catalog entry, do the following:
- Log in to your Workspace ONE Access administrator console.
- Navigate to the Catalog tab.
- Click New.
- In the New SaaS Application screen, enter a Name for the new Avi Load Balancer entry in the App Catalog.
- Under the Definition tab, if you have an icon to use, click Select File, upload the icon for the application, and click Next to view the Configuration tab.
- In the Configuration tab, enter the details as shown below:

| Field | Description |
| --- | --- |
| Single Sign-On URL | Use the Single Sign on URL copied from the VERIFY SERVICE PROVIDER SETTINGS screen in Avi Load Balancer. The trailing slash (/) after acs is mandatory. |
| Recipient URL | Use the Single Sign-On URL. |
| Application ID | Use the Entity ID copied from the VERIFY SERVICE PROVIDER SETTINGS screen in Avi Load Balancer. |
| Username Format | Unspecified. |
| Username Value | ${user.email} |
| Relay State URL | The FQDN or IP address of your appliance. |

The Configuration tab in the New SaaS Application screen is as shown below.
- Click Advanced Properties and configure the properties as shown below:
- Copy the value of the System-Default-Portal-Cert certificate and paste it into the Request Signature field.
- Enter the FQDN or IP address of the appliance as the Application Login URL. This enables SP-initiated login workflows.
- Click Next to select the Access Policies to use for this application. This determines the rules used for authentication and access to the application.
- Click Next to review the Summary of the configuration.
- Click Save & Assign and select the users or groups that will have access to this application and the deployment type.
- Click Save.