Setup SSO for OpenVPN Access Server with Google Cloud Identity using SAML

Vikas Kumawat
Google Cloud - Community
Dec 24, 2022


With OpenVPN Access Server 2.11 or above, you can set up SSO using SAML. In this blog post, we will set up SSO with Google Cloud Identity or Google Workspace.

The advantage of SAML is that it provides a single sign-on (SSO) experience: you use the same SAML IdP credentials to access every application and service that supports SAML authentication. This removes the need to create new credentials for each application or service.

Prerequisites

  1. OpenVPN Access Server version 2.11 or above (you can follow this blog post to create OpenVPN Access Server in GCP)
  2. Google Workspace or Cloud Identity

Setup

Step 1

First, log in to OpenVPN Access Server to collect the information that describes the Access Server as a Service Provider (SP).

  1. Log in to the OpenVPN Access Server Admin UI
  2. Click Authentication > SAML
  3. Note the following information:
     a. SP Identity
     b. SP ACS

Step 2

After capturing that information, log in to the Google Admin console.

  1. From the menu, click Apps > Web and mobile apps
  2. Click Add app > Add custom SAML app
  3. Enter the app name, description and an icon, then click CONTINUE
  4. Click DOWNLOAD METADATA under Option 1: Download IdP metadata
  5. Save the XML file for use in Step 3 and click CONTINUE
  6. Use the SP information captured from OpenVPN Access Server to fill in the service provider details of the Google app:
     a. ACS URL: enter the OpenVPN Access Server SP ACS
     b. Entity ID: enter the Access Server SP Identity
     c. Start URL: enter ‘cws’ for the Client Web UI (this directs your users to the Client Web UI after sign-in)
     d. Click CONTINUE
  7. Configure the attribute mapping and click FINISH. You can map “Primary email” to “email”.
  8. Optionally, you can assign this custom SAML app to a group instead of to everyone in the organization. In this demo, we leave the default setting, which is the organization level.

Step 3

Now let’s upload the metadata XML file we downloaded in Step 2 to Access Server.

  1. Sign in to the OpenVPN Access Server Admin UI
  2. Click AUTHENTICATION > SAML
  3. Click Configure Identity Provider (IdP) Automatically via Metadata
  4. Click Choose File to select the IdP metadata file
  5. Select the IdP metadata file and click Upload
  6. Once the file is uploaded, click Update Running Server. After the server updates, all the IdP details should be visible under Configure Identity Provider (IdP) Manually.

Step 4

Now that SAML is configured, we need to turn on the service for users.

  1. Log in to the Google Admin console.
  2. Click Apps > Web and mobile apps
  3. Click your SAML app (I have given the app the name OpenVPN Access Server)
  4. Click User access
  5. Select ON for everyone and click Save
  6. Now log in to the OpenVPN Access Server Admin UI.
  7. Click AUTHENTICATION > SAML
  8. Click the toggle to turn on Enable SAML authentication, then click Save Settings and Update Running Server.
  9. You can now enable SAML per user, per group profile or at the global level.
  10. In this demo, we enable it at the user level and the group level, but we also look at how to enable it at the global level.

Step 5

Now that SSO using SAML is configured for OpenVPN, we can add users to OpenVPN Access Server to enable access.

  1. Log in to the OpenVPN Access Server Admin UI.
  2. Assign to users
     a. Click USER MANAGEMENT > User Permissions
     b. Click More Settings, and select SAML under Auth Method
     c. Click Save Settings and Update Running Server
  3. Assign to a group
     a. Click User Management > Group Permissions
     b. Click More Settings and select SAML under Auth Method
     c. Click Save Settings and Update Running Server
  4. Now that the Auth Method is SAML for the test users, we can log in to OpenVPN using Cloud Identity.
  5. To test this, open the OpenVPN Access Server user login page.
  6. If SAML is enabled, you will find a Sign In via SAML button on the login page.
  7. Click the Sign In via SAML button and log in with the user we added in OpenVPN Access Server with the SAML Auth Method.
  8. Once logged in, you can download the OpenVPN Client or a profile. You can also log in directly from the OpenVPN Client and complete the sign-in process there.
  9. Optionally, you can make SAML the default Auth Method for every Cloud Identity user.
     a. Log in to the OpenVPN Access Server Admin UI
     b. Click AUTHENTICATION > Settings
     c. Under Default Authentication System, select SAML
     d. Set Deny Access to unlisted accounts by default to No (this lets accounts that are not listed in Access Server sign in via SAML, so the set of users who can connect is then governed by the app's user access setting in the Google Admin console)
     e. Click Save Settings and Update Running Server.

Now you have OpenVPN Access Server configured with SAML for SSO using Google Cloud Identity. You can also enforce MFA in Cloud Identity for additional security.
