SAML Auth works for Client log in, but not Admin Panel

Business solution to host your own OpenVPN server with web management interface and bundled clients.
ss_firehawk
OpenVpn Newbie
Posts: 4
Joined: Tue Oct 24, 2023 5:20 pm

SAML Auth works for Client log in, but not Admin Panel

Post by ss_firehawk » Wed Oct 25, 2023 4:33 pm

I know this is like post number 3 in 24 hours. I'm still waiting on licensing approvals before I can use official support...

I've been working with my IDAM team to integrate SAML authentication to our OKTA.

1. I've separated management functions to a separate interface to TCP 443
2. We've successfully integrated SAML for client access. I click the tile and it auths my creds to the OpenVPN client download page.
3. When I click on the Admin Panel button, it requests another login request.
4. It does not attempt to re-auth using the same creds it just used to access the client page.
5. The login page to access the Admin Panel does not present the SAML button to click.

The issue is we lose non-repudiation if I have to use a local admin account to administer via the web-ui.
I haven't found anything in documentation or Google to get around the problem.
Has anyone else experienced this issue and/or been able to find a solution?

ss_firehawk
OpenVpn Newbie
Posts: 4
Joined: Tue Oct 24, 2023 5:20 pm

Re: SAML Auth works for Client log in, but not Admin Panel

Post by ss_firehawk » Wed Oct 25, 2023 4:40 pm

Found a forum page here with the same issue.
Not supported yet...

viewtopic.php?t=35686

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: SAML Auth works for Client log in, but not Admin Panel

Post by openvpn_inc » Thu Oct 26, 2023 4:12 pm

Hello,

That is correct. Login to the admin panel of OpenVPN Access Server via SAML is not supported at this time. This is however in the making. No, I cannot give you an estimate on this, sorry.

For now, however, we recommend using a local user for administrative purposes, meaning a user created on the Access Server and authenticated using local authentication. When SAML login to Admin UI becomes available, then you can switch to that.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

trobinson
OpenVpn Newbie
Posts: 1
Joined: Mon Nov 07, 2022 10:51 pm

Re: SAML Auth works for Client log in, but not Admin Panel

Post by trobinson » Fri Oct 27, 2023 7:42 pm

This is fine and good but once SAML is enabled, local no longer works for me. I don't have any options to set authentication methods per user/group. The default openvpn user or any locally created users no longer work.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: SAML Auth works for Client log in, but not Admin Panel

Post by openvpn_inc » Fri Nov 03, 2023 5:58 pm

Hello trobinson,

That sounds like a small configuration issue. OpenVPN Access Server is perfectly capable of allowing a local user to log in while SAML authentication is enabled at the same time. The usual configuration is that SAML is configured and set as the default. But the local authentication will also still work just fine too. And by default OpenVPN Access Server is set up with a user account that is configured to always authenticate via the local authentication system. Meaning you can just go to the Admin UI and enter the username and password there (ignoring the 'sign-in via SAML' option) and log in.

The usual situation is that you install Access Server and have an account called 'openvpn' with some password. You use that to log in to the admin UI. When you set up SAML and enable it and set it as default, that 'openvpn' account will remain authenticated via local authentication. Unless that was changed.

If you've somehow got a misconfiguration (maybe the account was configured to use SAML authentication, which won't work for the Admin UI) or a missing account or such, it may be helpful to use the command line to set up a new administrative account that is authenticated using the local authentication system. The instructions to reset the password for a locally authenticated administrative user found on this page will do the trick:

https://openvpn.net/vpn-server-resource ... ive-access

If you continue to have problems with logging in to the admin UI with a local administrative account after following those instructions, I would recommend that you contact our support ticket system to get assistance on this.

Kind regards,
Johan
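
One way to check for the misconfiguration described in the reply above, as an added example that is not part of the thread and not OpenVPN's own tooling: it takes user properties in the JSON shape that `sacli UserPropGet` is assumed to print (property names `prop_superuser` and `user_auth_type`; the sample data is constructed) and reports which administrators can still log in to the Admin UI once SAML is the default. Group-level settings are not considered.

```python
import json

# Constructed sample, in the shape `sacli UserPropGet` is assumed to print:
# a JSON object keyed by account name with string property values.
SAMPLE_USERPROP = json.loads("""
{
  "__DEFAULT__": {"type": "user_default"},
  "openvpn": {"type": "user_compile", "prop_superuser": "true",
              "user_auth_type": "local"},
  "alice":   {"type": "user_connect", "prop_superuser": "true",
              "user_auth_type": "saml"},
  "bob":     {"type": "user_connect", "prop_superuser": "true"},
  "carol":   {"type": "user_connect"}
}
""")


def audit_admins(userprop, default_auth):
    """Map each superuser to (effective auth type, status).

    ok-pinned  : explicitly local, keeps working when SAML is the default
    at-risk    : local only because the default is local today
    locked-out : resolves to a non-local method, which the thread says
                 does not work for the Admin UI
    """
    report = {}
    for name, props in userprop.items():
        if name == "__DEFAULT__" or props.get("type") == "group":
            continue  # not a login account
        if props.get("prop_superuser") != "true":
            continue  # only administrators matter for the Admin UI
        explicit = props.get("user_auth_type")
        effective = explicit or default_auth
        if effective != "local":
            status = "locked-out"
        else:
            status = "ok-pinned" if explicit else "at-risk"
        report[name] = (effective, status)
    return report


def has_pinned_local_admin(report):
    """True if at least one admin survives a switch of the default to SAML."""
    return any(status == "ok-pinned" for _, status in report.values())


if __name__ == "__main__":
    for user, (auth, status) in audit_admins(SAMPLE_USERPROP, "saml").items():
        print(f"{user:10} auth={auth:6} {status}")
```

Running it against the real property dump before changing the default authentication method shows whether any administrator is left who does not depend on the default.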
