Page 1 of 1

SAML support in the authentication protocol now?

Posted: Sun Oct 04, 2020 11:26 am
by maxlan
I've seen AWS VPN (OpenVPN standard) and OpenVPN Cloud both support SAML for VPN connect authentication now. Is there a published standard way to do that or are they using competing/incompatible methods?

Is a standard SAML implementation going to be backported to OpenVPN community server any time soon?

I was considering jiggering something together :
give each user a "key" attribute, which contains their own CA key
a pre-connect script in the client (tunnelblick) that handles the SAML login
create a fresh keypair and plonk that in the connection
But if there is a proper standard way to do it, then I'd rather do that!
(Obviously the CA is then the authoritative source of "user" ID not the cname in the cert, because any user could hack the script and create their own cname)

I might stand up a test client with SAML and then edit config files and connect the client to a non-SAML server and see what it sends over the wire! Depends how busy/bored I am...

Re: SAML support in the authentication protocol now?

Posted: Mon Oct 05, 2020 9:31 am
by maxlan
I did some digging and discovered the IV_SSO variable. (in server 2.5) And the delayed authentication config via the management interface.

I set up a quick VPN server, got it working, then added the delayed auth stuff. Got it working. Manually approved my connection.

Now I just need to understand how the client or IdP can communicate with the management interface. I see the AWS client has a redirect URL of localhost:35001, so I'm guessing after login, the client gets the callback from the IdP with a signed assertion that it passes to something on the openvpn server. The process connected to the management interface validates the signed assertion against the IdP cert and if correct, sends a client_auth.

But how do we get the assertion back to the server?? Can it use a cr-response at that stage of the auth? It kind of looks like when auth goes "pending" there is no comms with the client.

Re: SAML support in the authentication protocol now?

Posted: Sun Feb 21, 2021 4:41 pm
by ogeisser

I don't know about the community server. But AWS is using a modified source with enlarged buffer size. This allows to use a very large password. Indeed they are putting the complete SAML Response into the password field.

For details you can read this blog post: ... internals/