NSX Advanced Load Balancer with vIDM Integration - Part 1

Initial Integration

Integrating vIDM with NSX ALB (formally known as Avi) is documented officially here: https://avinetworks.com/docs/21.1/configuring-saml-with-workspace-one-for-avi.

I was easily confused by it, due to some of the configuration being masked out. These are the same steps with my own notes & screenshots.

Prerequisites

Before initiating the configuration, ensure the following prerequisites are done:

  • A DNS record is in place for the Avi Controller. This will be used for the fully qualified domain name (FQDN) that is used when signing into the system.

  • Get the Workspace One Access IDP metadata. Follow the steps below to download the file idp.xml file.

  1. Log in to your Workspace ONE Access administrator console.

  2. Navigate to Catalog > Settings as shown below:

vIDM Settings

  1. In the left pane, under SaaS Apps, click on SAML Metadata.

  2. In the Download SAML Metadata tab, click on Identity Provider (IdP) metadata, so it opens idp.xml in a new window. We’ll come back to this in the next section.

SAML Metadata

SAML Configuration in Avi

To configure an authentication profile to support SAML on the Avi Controller,

  1. Log in to the Avi Controller with admin credentials.

  2. Navigate to Templates > Security > Auth Profile.

  3. Enter the Name of the auth profile.

  4. Select SAML as the Type of auth profile.

  5. Copy the contents of the idp.xml window from the previous step and paste in the IDP Metadata field. (If you downloaded the idp.xml file, don’t include <?xml version="1.0" encoding="UTF-8"?>. It should start with <md:EntityDescriptor.

SAML Metadata

  1. Select Use DNS FQDN as the Entity Type.

  2. Enter the service provider organisation details, as required.

  3. Enter the FQDN of your vIDM server used for the SAML configuration.

  4. Click on Save.

Collecting Service Provider Metadata

Avi Vantage does not generate an xml file that can be imported into Workspace ONE Access. So, the metadata must be entered manually.

The following details must be collected:

  • Entity ID

  • SSO URL

  • Signing Certificate

The entity ID and the SSO URL can be obtained from the Service Provider Settings screen.

To get the service provider settings,

  1. In the Avi Vantage UI, navigate to Templates > Security > Auth Profile.

  2. Identify the authentication profile created and click on the verify icon as shown below:

Auth Profile

  1. From the Service Provider Settings screen, copy the Entity ID and the SSO URL and paste them in a text editor.

Entity ID

  1. Close the Service Provider Settings screen.

To get the signing certificate,

  1. From the Avi UI, navigate to Templates > Security > SSL/ TLS Certificates.

  2. Find the System-Default-Portal-Cert and click on the Export icon as shown below:

System-Default-Portal-Cert

You may need to adjust column widths to view the full name.

  1. From the Export Certificate screen, below the Certificate section, click on Copy to clipboard to copy the details. There’s no feedback when you click the button.

Export Certificate

  1. Paste the details into a text editor.

  2. Click on Done.

Configuring the NSX ALB Catalog Item in Workspace One Access

Now that the SAML profile is created in the Avi Controller, the Workspace ONE catalog entry must be created.

To create the Workspace ONE catalog entry,

  1. Log in to your Workspace ONE Access administrator console.

  2. Navigate to the Catalog tab.

  3. Click on New.

New Catalog

  1. In the New SAAS Application screen, enter a Name for the new NSX ALB entry in the App Catalog.

  2. If you have an icon to use, click on Select File and upload the icon for the application. You can grab the Avi/NSX ALB favicon at https://<nsxalb>/src/img/favicon.ico and save it as a png, but vIDM will complain it’s too small. You may need to double the size, or locate one from the internet.

New Catalog

  1. Click on Next.

  2. Enter the following details:

  • Authentication Type: SAML 2.0
  • Configuration Type: Manual
  • Single Sign-on URL: Use the single sign-on URL copied from the Service Provider Settings screen in Avi.
  • Recipient URL: Same as the Single Sign-On URL
  • Application ID: Use the Entity ID copied from the Service Provider Settings screen in Avi.

The New SAAS Application screen is as shown below:

New SaaS Application part 1

Keep scrolling down the New SaaS Application window to complete more fields:

  • Username Format: Unspecified
  • Username Value: ${user.email}
  • Relay State URL: The FQDN or IP address of your appliance
  1. Click on Advanced Properties to expand it.

New SaaS Application part 2

  1. Enable the properties as shown below:

New SaaS Application part 3

  1. Copy the value of the System-Default-Portal-Cert certificate and paste it into the Request Signature field.

  2. Enter the FQDN or IP address of the NSX ALB appliance as the Application Login URL. This enables SP-initiated login workflows.

New SaaS Application part 4

  1. Click on Next.

  2. Select the Access Policies to use for this application. This determines the rules used for authentication and access to the application.

New SaaS Application part 4

  1. Click on Next.

  2. Review the summary of the configuration.

  3. Click on Save & Assign.

New SaaS Application part 5

  1. Select the users or groups that will have access to this application and the deployment type.

New SaaS Application part 6

  1. Click on Save.

New SaaS Application part 7

Enabling SAML Authentication in Avi

After creating a SAML profile in NSX ALB / Avi, and a SAML catalog item in Workspace One Access, we can enable SAML and grant superuser rights to SAML users.

Note: It is possible to configure more granular role-based access control by adding application parameters into the Workspace One Access catalog item and then mapping those parameters to different roles in Avi Vantage. For more information, refer to Authorization: Tenant and Role Mapping Examples

To enable SAML and map user roles,

  1. Log in to the Avi Controller with admin credentials.

  2. Navigate to Administration > Settings > Authentication/Authorization. Click the pencil icon.

Enable SAML Auth part 1

  1. Under Authentication, select Remote.

  2. Under Auth Profile, select the SAML profile that was created earlier.

Enable SAML Auth part 2

  1. Ensure that the Allow Local User Login option is checked. If this option is not selected, and there is a configuration issue, you will not be able to log back into the Controller.

  2. Click on Save.

  3. On saving the authorization details, the New Mapping option appears as shown below:

Enable SAML Auth part 3

  1. Click on New Mapping and in the New Tenant and Role Mapping screen enter the details as shown below:

Enable SAML Auth part 3

  1. Click on Save.

SAML authentication is now configured on the Avi Controller. You may find weird issues of it not working initially. Try closing all web browsers and try again.

Roles

Keep in mind this assigns all users the admin role. You should become familiar in assigning users/groups selected roles in the Tenant and Role Mapping. See part 2 for more granular access.

https://avinetworks.com/docs/21.1/user-account-roles/

Troubleshooting vIDM issues

If you need to login to Avi / NSX ALB locally, you can use https://<nsxalb-controller>/#!/login?local=1

Close and restart your browser. Yes really.

You are not subscribed to this application

After logging in, you see: “You are not subscribed to this application”. “Unable to process your request. Close this screen and try again”.

Troubleshooting part 1

Within vIDM, you need to assign users or Groups to the SaaS app.

Troubleshooting part 1

Andrew Dauncey
Andrew Dauncey
Senior Consultant at VMware PSO

Every day I’m shuffling

Next
Previous