SAML support in the authentication protocol now?
Posted: Sun Oct 04, 2020 11:26 am
Hi,
I've seen AWS VPN (OpenVPN standard) and OpenVPN Cloud both support SAML for VPN connect authentication now. Is there a published standard way to do that or are they using competing/incompatible methods?
Is a standard SAML implementation going to be backported to OpenVPN community server any time soon?
I was considering jiggering something together:
give each user a "key" attribute, which contains their own CA key
a pre-connect script in the client (tunnelblick) that handles the SAML login
create a fresh keypair and plonk that in the connection
But if there is a proper standard way to do it, then I'd rather do that!
(Obviously the CA is then the authoritative source of "user" ID not the cname in the cert, because any user could hack the script and create their own cname)
I might stand up a test client with SAML and then edit config files and connect the client to a non-SAML server and see what it sends over the wire! Depends how busy/bored I am...
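The parenthetical point above (the CA, not the CN the client writes into its own cert request, has to be the authoritative source of the user identity) is the part of the home-grown design that is easiest to get wrong. The script below is an added illustration of the server-side issuing step, not the poster's code and not anything OpenVPN or Tunnelblick ships. It assumes a separate component has already validated the SAML response and hands the asserted identity to `issue_client_cert` as a plain string; the function names, the throw-away test CA and the two constructed CSRs (one honest, one with a spoofed CN) are all assumptions made for the example. The certificate is only signed when the CSR's CN equals the SAML-asserted identity, so a user who edits the pre-connect script to request `CN=admin` gets nothing.

```shell
#!/bin/sh
# Added example: bind the issued client cert to the SAML-asserted identity,
# never to the CN the client chose in its CSR. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throw-away issuing CA for the demonstration (constructed, not a real CA).
make_test_ca() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/ca.key" 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -subj "/CN=Example VPN CA" \
    -days 1 -out "$WORK/ca.crt" 2>/dev/null
}

# What the client-side pre-connect script would do: fresh keypair plus a CSR.
# $1 = CSR output path, $2 = CN the client puts into the request.
make_client_csr() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1" 2>/dev/null
}

# Extract the CN from a CSR in RFC 2253 form ("subject=CN=alice").
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=CN=//p'
}

# Server-side issuing step.
# $1 = identity from the already-validated SAML assertion (assumed input)
# $2 = CSR uploaded by the client, $3 = certificate output path
# Signs only when the CSR's CN equals the SAML identity; returns 1 otherwise.
issue_client_cert() {
  cn="$(csr_cn "$2")"
  if [ "$cn" != "$1" ]; then
    echo "refusing: CSR subject '$cn' does not match SAML identity '$1'" >&2
    return 1
  fi
  openssl x509 -req -in "$2" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$3" 2>/dev/null
}

# Stand-alone demonstration: an honest request is signed, a spoofed one is not.
make_test_ca
make_client_csr "$WORK/alice.csr" alice
make_client_csr "$WORK/spoof.csr" admin
issue_client_cert alice "$WORK/alice.csr" "$WORK/alice.crt"
openssl verify -CAfile "$WORK/ca.crt" "$WORK/alice.crt" >/dev/null
echo "issued cert for alice"
if ! issue_client_cert alice "$WORK/spoof.csr" "$WORK/spoof.crt"; then
  echo "spoofed CSR rejected as expected"
fi
```

The check here is the minimum that makes the CN trustworthy; a stricter variant of the same idea is for the issuing side to ignore the CSR's subject entirely and write the SAML identity into the certificate itself, so the client-side script never chooses the name at all. Either way the identity the VPN server later sees in the certificate is one the CA vouched for after the SAML login, which is what the parenthetical above asks for.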