Starting with NSX Advanced Load Balancer 18.2.2, support has been added to our SDK to use IdP credentials for it as well as a REST API login. It requires that a SAML authentication profile be set up on the NSX Advanced Load Balancer Controller to be used by the Python SDK to establish a connection and access resources.

Note:
  • Logging into the NSX Advanced Load Balancer CLI using IdP credentials is not yet supported.

  • SAML-based authentication using the Python SDK is supported for Okta and OneLogin.

  • The service provider never directly interacts with the identity provider. A browser or the Python SDK acts as the agent to carry out all redirections.

  • The service provider needs to know to which identity provider to redirect before it has any idea who the user is.

  • The service provider does not know who the user is until the SAML assertion comes back from the identity provider.

  • SAML authentication flow is asynchronous. The SP does not know if the IdP will ever complete the entire flow. Because of this, the SP does not maintain any state of any authentication requests generated. When the SP receives a response from an IdP, the response must contain all necessary information.

For more informtion refer to the SAML Authentication for Single Sign-On.

SAML Python SDK

Under the SDK, a file named saml_avi_api.py contains the IdP class definition for each supported IdP. IdP-specific classes are inherited from the ApiSession base class. An IdP-specific class definition has its own authentication method to be called to authenticate a given user. URL redirection and SAML assertion are handled in this class. This class returns the Controller session after successful authentication from the given IdP.

Okta Example

In this collection of code snippets, the OktaSAMLApiSession class is used to authenticate a user for Okta IdP, get the Controller session, and create the VS. From avi.sdk.saml_avi_api import OktaSAMLApiSession:

Create NSX Advanced Load Balancer API Session

api = OktaSAMLApiSession("10.10.10.42", "okta_username", "okta_password")

OR

api = ApiSession.get_session("controller_ip", username="foo", password="foo", idp=OktaSAMLApiSession)

Create VS Using Pool sample_pool

pool_obj = api.get_object_by_name('pool', 'sample_pool')
pool_ref = api.get_obj_ref(pool_obj)
services_obj = [{'port': 80, 'enable_ssl': False}]
vs_obj = {'name': 'sample_vs', 'ip_address': {'addr': '11.11.11.42', 'type': 'V4'},
         'services': services_obj, 'pool_ref': pool_ref}
resp = api.post('virtualservice', data=vs_obj)

Print List of all Virtual Services

resp = api.get('virtualservice')
for vs in resp.json()['results']:
    print vs['name']

Delete a Virtual Service

resp = api.delete_by_name('virtualservice', 'sample_vs')

OneLogin Example

In this collection of code snippets, the OneloginSAMLApiSession class is used to authenticate a user for OneLogin IdP, get the Controller session, and create the VS.

From avi.sdk.saml_avi_api import OneloginSAMLApiSession

Create NSX Advanced Load Balancer API Session

api = OneloginSAMLApiSession("10.10.10.42", "onelogin_username", "onelogin_password")

OR

api = ApiSession.get_session("controller_ip", username="foo", password="foo", idp=OneloginSAMLApiSession)

Create VS Using Pool sample_pool

pool_obj = api.get_object_by_name('pool', 'sample_pool')
pool_ref = api.get_obj_ref(pool_obj)
services_obj = [{'port': 80, 'enable_ssl': False}]
vs_obj = {'name': 'sample_vs', 'ip_address': {'addr': '11.11.11.42', 'type': 'V4'},
         'services': services_obj, 'pool_ref': pool_ref}
resp = api.post('virtualservice', data=vs_obj)

Print List of all Virtual Services

resp = api.get('virtualservice')
for vs in resp.json()['results']:
    print vs['name']

Delete a Virtual Service

resp = api.delete_by_name('virtualservice', 'sample_vs')