NSX Advanced Load Balancer with vIDM Integration - Part 1

Featured image - Avi logo

Integrating vIDM with NSX ALB (formally known as Avi) is documented officially here: https://avinetworks.com/docs/21.1/configuring-saml-with-workspace-one-for-avi.

I was easily confused by it, due to some of the configuration being masked out. These are the same steps with my own notes & screenshots.

Prerequisites

Before initiating the configuration, ensure the following prerequisites are done:

  • A DNS record is in place for the Avi Controller. This will be used for the fully qualified domain name (FQDN) that is used when signing into the system.

  • Get the Workspace One Access IDP metadata. Follow the steps below to download the file idp.xml file.

  1. Log in to your Workspace ONE Access administrator console.

  2. Navigate to Catalog > Settings as shown below:

vIDM Settings

  1. In the left pane, under SaaS Apps, click on SAML Metadata.

  2. In the Download SAML Metadata tab, click on Identity Provider (IdP) metadata, so it opens idp.xml in a new window. We'll come back to this in the next section.

SAML Metadata

SAML Configuration in Avi

To configure an authentication profile to support SAML on the Avi Controller,

  1. Log in to the Avi Controller with admin credentials.

  2. Navigate to Templates > Security > Auth Profile.

  3. Enter the Name of the auth profile.

  4. Select SAML as the Type of auth profile.

  5. Copy the contents of the idp.xml window from the previous step and paste in the IDP Metadata field. (If you downloaded the idp.xml file, don't include <?xml version="1.0" encoding="UTF-8"?>. It should start with <md:EntityDescriptor.

SAML Metadata

  1. Select Use DNS FQDN as the Entity Type.

  2. Enter the service provider organisation details, as required.

  3. Enter the FQDN of your NSX ALB/Avi server used for the SAML configuration.

  4. Click on Save.

Collecting Service Provider Metadata

Avi Vantage does not generate an xml file that can be imported into Workspace ONE Access. So, the metadata must be entered manually.

The following details must be collected:

  • Entity ID

  • SSO URL

  • Signing Certificate

The entity ID and the SSO URL can be obtained from the Service Provider Settings screen.

To get the service provider settings,

  1. In the Avi Vantage UI, navigate to Templates > Security > Auth Profile.

  2. Identify the authentication profile created and click on the verify icon as shown below:

Auth Profile

  1. From the Service Provider Settings screen, copy the Entity ID and the SSO URL and paste them in a text editor.

Entity ID

  1. Close the Service Provider Settings screen.

To get the signing certificate,

  1. From the Avi UI, navigate to Templates > Security > SSL/ TLS Certificates.

  2. Find the System-Default-Portal-Cert and click on the Export icon as shown below: (Even if you have changed to a custom certificate for the controller)

System-Default-Portal-Cert

You may need to adjust column widths to view the full name.

  1. From the Export Certificate screen, below the Certificate section, click on Copy to clipboard to copy the details. There's no feedback when you click the button.

Export Certificate

  1. Paste the details into a text editor.

  2. Click on Done.

Configuring the NSX ALB Catalog Item in Workspace One Access

Now that the SAML profile is created in the Avi Controller, the Workspace ONE catalog entry must be created.

To create the Workspace ONE catalog entry,

  1. Log in to your Workspace ONE Access administrator console.

  2. Navigate to the Catalog tab.

  3. Click on New.

New Catalog

  1. In the New SAAS Application screen, enter a Name for the new NSX ALB entry in the App Catalog.

  2. If you have an icon to use, click on Select File and upload the icon for the application. You can grab the Avi/NSX ALB favicon at https://<nsxalb>/src/img/favicon.ico and save it as a png, but vIDM will complain it's too small. You may need to double the size, or locate one from the internet.

New Catalog

  1. Click on Next.

  2. Enter the following details:

  • Authentication Type: SAML 2.0
  • Configuration Type: Manual
  • Single Sign-on URL: Use the single sign-on URL copied from the Service Provider Settings screen in Avi.
  • Recipient URL: Same as the Single Sign-On URL
  • Application ID: Use the Entity ID copied from the Service Provider Settings screen in Avi.

The New SAAS Application screen is as shown below:

New SaaS Application part 1

Keep scrolling down the New SaaS Application window to complete more fields:

  • Username Format: Unspecified
  • Username Value: ${user.email}. You can use ${user.UserName} or some other unique value.
  • Relay State URL: The FQDN or IP address of your appliance
  1. Click on Advanced Properties to expand it.

New SaaS Application part 2

  1. Enable the properties as shown below, and change the signature and digest algorithms to SHA256:

New SaaS Application part 3

  1. Copy the value of the System-Default-Portal-Cert certificate and paste it into the Request Signature field.

  2. Enter the FQDN or IP address of the NSX ALB appliance as the Application Login URL. This enables SP-initiated login workflows.

New SaaS Application part 4

  1. Click on Next.

  2. Select the Access Policies to use for this application. This determines the rules used for authentication and access to the application.

New SaaS Application part 4

  1. Click on Next.

  2. Review the summary of the configuration.

  3. Click on Save & Assign.

New SaaS Application part 5

  1. Select the users or groups that will have access to this application and the deployment type.

New SaaS Application part 6

  1. Click on Save.

New SaaS Application part 7

Enabling SAML Authentication in Avi

After creating a SAML profile in NSX ALB / Avi, and a SAML catalog item in Workspace One Access, we can enable SAML and grant superuser rights to SAML users.

Note: It is possible to configure more granular role-based access control by adding application parameters into the Workspace One Access catalog item and then mapping those parameters to different roles in Avi Vantage. For more information, refer to Authorization: Tenant and Role Mapping Examples

To enable SAML and map user roles,

  1. Log in to the Avi Controller with admin credentials.

  2. Navigate to Administration > Settings > Authentication/Authorization. Click the pencil icon.

Enable SAML Auth part 1

  1. Under Authentication, select Remote.

  2. Under Auth Profile, select the SAML profile that was created earlier.

Enable SAML Auth part 2

  1. Ensure that the Allow Local User Login option is checked. If this option is not selected, and there is a configuration issue, you will not be able to log back into the Controller.

  2. Click on Save.

  3. On saving the authorization details, the New Mapping option appears as shown below:

Enable SAML Auth part 3

  1. Click on New Mapping and in the New Tenant and Role Mapping screen enter the details as shown below:

Enable SAML Auth part 3

  1. Click on Save.

SAML authentication is now configured on the Avi Controller. You may find weird issues of it not working initially. Try closing all web browsers and try again.

Roles

Keep in mind this assigns all users the admin role. You should become familiar in assigning users/groups selected roles in the Tenant and Role Mapping. See part 2 for more granular access.

https://avinetworks.com/docs/21.1/user-account-roles/

Troubleshooting vIDM issues

If you need to login to Avi / NSX ALB locally, you can use https://<nsxalb-controller>/#!/login?local=1

Close and restart your browser. Yes really.

You are not subscribed to this application

After logging in, you see: "You are not subscribed to this application". "Unable to process your request. Close this screen and try again".

You are not subscribed to this application

Within vIDM, you need to assign users or Groups to the SaaS app.

Assign users or groups

Access Denied - Access Policy not found

Access Denied - Policy not found

In a complicated environment, there may be access policies based on client IP, AD group device type etc.

Check details of Access Policies by logging into vIDM management console, Identity & Access Management > Manage > Policies > Edit Default Policy.

You may need to adjust the default policy or create a new one.

Edit vIDM policy

Failed to parse metadata file: /var/lib/avi/etc/authprofile-xxxxxx/idp_metadata.xml

Failed to parse metadata

I've seen this a few times and still not sure on the exact issue. If you find more details, please let me know. Try out the following:

SSH to the leader node, and check the idp_metadata.xml file matches what you see in the Avi UI and from vIDM. I've seen it once where it was missing the double quotes around the entity id field. From the SSH session, copy the file and paste it into an online xml validation page. Be wary of any sensitive information you may be putting in there.

If the metadata.xml file is valid, SSH to the other nodes, and you'll notice there is no metadata.xml file. Take the leader node offline. This will create the metadata.xml on the next leader node.

Too many redirects

As NSX ALB redirects to vIDM for authentication, you may get:

"This page isn't working. <vIDM hostname> redirected you too many times. ERR_TOO_MANY_REDIRECTS"

ERR _TOO _MANY _REDIRECTS

I've seen this when the NSX ALB controller custom certificate is exported and used in the vIDM configuration, instead of the System-Default-Portal-Cert.

Check the steps above for:

Find the System-Default-Portal-Cert and click on the Export icon as shown below: (Even if you have changed to a custom certificate for the controller)

To check which certificate is being reference, check the log on the controller: /Opt/VMware/horizon/workspace/logs/horizon.log

12022-07-22T10:45:44,642 WARN (Thread-14) [XXXVIDM01;-;x.x.x.x;] org.apache.xml.security.signature.XMLSignature - Signature verification failed.

Still not working

Have you tried turning it off and on again? No, really.. ;-)

Check out the troubleshooting section in part 2.

Log a support call with VMware support. Make sure you say it's an integration issue with NSX ALB & vIDM and include their versions, and upload log bundles from both vIDM & NSX ALB. Chances are you'll get a support engineer that specialises in one of the products, so expect it to take a few calls to resolve.