OpenVPN Access Server now supports identity federation with SAML. You can now use a third-party IdP for SSO access to the administration and client portals.
The latest release of OpenVPN Access Server supports identity federation with SAML (Security Assertion Markup Language). You can now use a third-party SAML IdP to 1) establish SSO access to the client portal, and 2) authenticate prior to VPN connection.
The industry standard SAML 2.0 is used to securely exchange SAML assertions, which pass information about a user between a SAML authority (the identity provider, or IdP) and a SAML consumer (the service provider, or SP). The Access Server authentication service uses this information to provide federated single sign-on (SSO) for users authorized to use the VPN.
In other words, SAML lets external services and apps rely on the IdP's verification that a user is real and is who they claim to be.
Access Server SAML Supports SSO With Your Preferred IdP
Johan Draaisma, Access Server Product Manager, explains that with this update, “OpenVPN Access Server makes it easy for administrators to set users up to authenticate against an IdP they’re using for SSO, be it Azure AD, Google Workspace, OneLogin, Okta, or Keycloak. Doing this allows users to log in to their Access Server web portal using SSO. Plus, the same credential can be used to authenticate VPN sessions as other corporate web applications providing SSO.”
Additional high-value benefits of this capability:
- Identity and password management, as well as use of 2FA and other authentication tools, are centralized at the IdP.
- IT staff can give VPN application access to required users at the Identity Provider.
- IT staff do not need to configure the Access Server with users.
Getting Started With Access Server 2.11.0 and SAML Single Sign-On Authentication
Using Access Server to delegate user authentication to a SAML identity provider is a straightforward four-step process:
Step 1: Sign in to the Admin Web UI.
Step 2: Click Authentication > SAML and note the SP Identity and SP ACS (Assertion Consumer Service) values shown for the Access Server; the IdP needs them in the next step.
Step 3: Sign in with the IdP to provide the Access Server information and create a SAML app.
Step 4: Provide the IdP SAML app data to Access Server (with metadata or via manual entry).
Note that using this SAML functionality requires an up-to-date client: either OpenVPN Connect (v3.3) or a recent open source client.
We encourage you to take advantage of these additional resources on OpenVPN.net:
- SAML page from the Admin Web UI User Manual.
- How to configure SAML with Azure AD.
- How to configure SAML with Google Workspace.
- How to configure SAML with OneLogin.
- How to configure SAML with Keycloak.
- How to configure SAML with Okta.
- How to configure SAML with JumpCloud.
A comprehensive guide to new features, bug fixes, and improvements included in this update is available in the OpenVPN Access Server 2.11.0 Release Notes.