Avi Vantage as Service Provider for SAML authentication
Overview
Starting with the 18.2.2 release, Avi Vantage supports SAML 2.0 authentication for clients. Avi Vantage serves as a Service Provider (SP) to protect your load-balanced back-end HTTP/HTTPS applications.
Note: Starting with Avi Vantage version 18.2.3, SAML authentication and WAF are supported together.
Security Assertion Markup Language (SAML) is an XML-based framework used for authentication between a service provider (resource provider) and an identity provider (authentication proxy). SAML provides the single sign-on (SSO) capability.
Avi Vantage supports SP-initiated SSO with third-party identity providers (IdPs). As the service provider, the Avi virtual service is responsible for ensuring secure access to the back-end applications load balanced by Avi Vantage.
As illustrated in the diagram, the workflow for SAML client authentication is as follows:
- In the role of service provider, the Avi Vantage virtual service sends an authentication request to the IdP before allowing users to access the back-end applications.
- Once the IdP successfully authenticates the user, it returns the authentication response to Avi Vantage.
- Avi Vantage validates the response received from the IdP and provides a session cookie to the user.
- The user then sends the request for the target resource with the same cookie.
- Avi Vantage validates the cookie and allows the user access.
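The validation and cookie steps of the workflow above, as an added illustrative example in Python (not Avi Vantage code and not its DataScript API): the checks a service provider makes on an IdP response before issuing a session cookie, and the cookie check on later requests. The entity IDs, URLs, key and sample response are constructed, and verification of the XML signature is assumed to have happened already.

```python
import base64, calendar, hashlib, hmac, time, xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://app.example.com/sp"      # constructed SP entity ID
SP_ACS_URL = "https://app.example.com/saml/acs"  # constructed Assertion Consumer Service URL
IDP_ISSUER = "https://idp.example.com/metadata"  # constructed issuer of the trusted IdP
COOKIE_KEY = b"constructed-demo-key"             # constructed; a real SP keeps this secret

def _epoch(ts):  # SAML timestamps are UTC, e.g. 2024-01-01T00:00:00Z
    return calendar.timegm(time.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))

def validate_response(xml_text, outstanding_request_id, now):
    """Return the authenticated NameID or raise ValueError; assumes the XML-DSig signature was already verified."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != SP_ACS_URL or root.get("InResponseTo") != outstanding_request_id:
        raise ValueError("response not addressed to this SP or not answering an outstanding request")
    sc = root.find("samlp:Status/samlp:StatusCode", NS)
    if sc is None or not sc.get("Value", "").endswith(":Success"):
        raise ValueError("IdP did not report success")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", "", NS) != IDP_ISSUER:
        raise ValueError("assertion not issued by the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_epoch(cond.get("NotBefore")) <= now < _epoch(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", "", NS) != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different SP")
    return a.findtext("saml:Subject/saml:NameID", "", NS)

def mint_cookie(subject, now, ttl=3600):  # cookie = subject|expiry + HMAC tag, so a client cannot forge or extend it
    payload = f"{subject}|{now + ttl}"
    tag = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{tag}".encode()).decode()

def check_cookie(cookie, now):  # returns the subject if the tag verifies and the cookie is unexpired, else None
    try:
        payload, _, tag = base64.urlsafe_b64decode(cookie).decode().rpartition("|")
        expected = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return None
        subject, exp = payload.rsplit("|", 1)
        return subject if now < int(exp) else None
    except ValueError:  # malformed base64/UTF-8, missing fields or non-numeric expiry
        return None
# Constructed, unsigned sample answering AuthnRequest _req42 (signature verification is assumed done, see above).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req42" Destination="https://app.example.com/saml/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"><saml:AudienceRestriction>
 <saml:Audience>https://app.example.com/sp</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

With `now` inside the assertion's five-minute window, `validate_response(SAMPLE_RESPONSE, "_req42", now)` returns `alice@example.com`; a mismatched InResponseTo, an expired window, or a wrong Audience raises instead, and a tampered or expired cookie yields `None`.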
The following table provides a comprehensive list of links to the documentation for SAML support on Avi Vantage:
Solution References | |
---|---|
Introduction | Introduction to SAML |
Configuration References | |
Configuration Guides | SAML Configuration on Avi Vantage |
 | SAML Authentication Policies |
 | Configuring SAML Authorization Policies |
Integration Guides | Avi Vantage Integration with Okta |
 | Avi Vantage Integration with PingFederate |
 | Avi Vantage Integration with OneLogin |
 | Avi Vantage Integration with Google |
 | Avi Vantage Integration with Microsoft ADFS |
DataScript Functions | avi.http.saml_session_decrypt() |