NSX Advanced Load Balancer supports the use of IdP credentials for SDK and REST API logins. A SAML authentication profile set up on the NSX Advanced Load Balancer Controller is used by the Python SDK to establish a connection and access resources.

Note:
  • Logging into the NSX Advanced Load Balancer CLI using IdP credentials is not yet supported.

  • SAML-based authentication using the Python SDK is supported for Okta and OneLogin.

  • The service provider (SP) never directly interacts with the identity provider. A browser or the Python SDK acts as the agent to carry out all redirections.

  • The service provider needs to know to which identity provider to redirect before it has any idea who the user is.

  • The service provider does not know who the user is until the SAML assertion comes back from the identity provider.

  • The SAML authentication flow is asynchronous. The SP does not know if the IdP will ever complete the entire flow. Owing to this, the SP does not maintain any state for the authentication requests it generates. When the SP receives a response from an IdP, the response must contain all necessary information.

For more information, see the SAML Authentication for Single Sign-On topic in the VMware NSX Advanced Load Balancer Configuration Guide.

SAML Python SDK

Under the SDK, a file named saml_avi_api.py contains the IdP class definition for each supported IdP. IdP-specific classes are inherited from the ApiSession base class. An IdP-specific class definition has its own authentication method to be called to authenticate a given user. URL redirection and SAML assertion are handled in this class. This class returns the Controller session after successful authentication from the given IdP.
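
The agent role described in the notes above, as an added example that is not the SDK's own code: it pulls the SAMLResponse form out of an IdP page, decodes it for inspection, and checks that it would only be relayed over HTTPS to the expected Controller. The host names, the /sso/acs/ path and the user are constructed sample values, and the function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

class FormParser(HTMLParser):
    """Collects the action URL and hidden fields of the IdP's auto-submit form."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def extract_saml_post(page):
    """Return (acs_url, fields): everything the agent relays to the stateless SP."""
    parser = FormParser()
    parser.feed(page)
    if not parser.action or "SAMLResponse" not in parser.fields:
        raise ValueError("no SAML POST-binding form in IdP page")
    return parser.action, parser.fields

def summarize(b64_response):
    """Decode the response for inspection only; signature validation is the SP's job."""
    root = ET.fromstring(base64.b64decode(b64_response))
    return {"destination": root.get("Destination"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "name_id": root.findtext(".//saml:NameID", namespaces=NS)}

def safe_to_relay(acs_url, summary, controller_host):
    """Relay only over HTTPS, and only to the Controller the session was opened against."""
    urls = [urlsplit(u or "") for u in (acs_url, summary["destination"])]
    return all(u.scheme == "https" and u.hostname == controller_host for u in urls)

# Constructed sample (hypothetical hosts, path and user), not captured traffic.
SAMPLE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
              'Destination="https://controller.example/sso/acs/">'
              '<saml:Issuer>https://idp.example/app</saml:Issuer><saml:Assertion>'
              '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
              '</saml:Assertion></samlp:Response>')
SAMPLE_PAGE = ('<form method="post" action="https://controller.example/sso/acs/">'
               '<input type="hidden" name="SAMLResponse" value="%s"/></form>'
               % base64.b64encode(SAMPLE_XML.encode()).decode())
```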

Example of Okta:

In this collection of code snippets, the OktaSAMLApiSession class is used to authenticate a user for Okta IdP, get the Controller session, and create the VS.

from avi.sdk.avi_api import ApiSession
from avi.sdk.saml_avi_api import OktaSAMLApiSession

Create NSX Advanced Load Balancer API Session

api = OktaSAMLApiSession("10.10.10.42", "okta_username", "okta_password")

OR

api = ApiSession.get_session("controller_ip", username="foo", password="foo", idp=OktaSAMLApiSession)

Create VS Using Pool sample_pool

pool_obj = api.get_object_by_name('pool', 'sample_pool')
pool_ref = api.get_obj_ref(pool_obj)
services_obj = [{'port': 80, 'enable_ssl': False}]
vs_obj = {'name': 'sample_vs', 'ip_address': {'addr': '11.11.11.42', 'type': 'V4'},
         'services': services_obj, 'pool_ref': pool_ref}
resp = api.post('virtualservice', data=vs_obj)

Print List of all Virtual Services

resp = api.get('virtualservice')
for vs in resp.json()['results']:
    print(vs['name'])

Delete a Virtual Service

resp = api.delete_by_name('virtualservice', 'sample_vs')

OneLogin Example

In this collection of code snippets, the OneloginSAMLApiSession class is used to authenticate a user for OneLogin IdP, get the Controller session, and create the virtual service.

from avi.sdk.avi_api import ApiSession
from avi.sdk.saml_avi_api import OneloginSAMLApiSession

Create NSX Advanced Load Balancer API Session

api = OneloginSAMLApiSession("10.10.10.42", "onelogin_username", "onelogin_password")

OR

api = ApiSession.get_session("controller_ip", username="foo", password="foo", idp=OneloginSAMLApiSession)

Create VS Using Pool sample_pool

pool_obj = api.get_object_by_name('pool', 'sample_pool')
pool_ref = api.get_obj_ref(pool_obj)
services_obj = [{'port': 80, 'enable_ssl': False}]
vs_obj = {'name': 'sample_vs', 'ip_address': {'addr': '11.11.11.42', 'type': 'V4'},
         'services': services_obj, 'pool_ref': pool_ref}
resp = api.post('virtualservice', data=vs_obj)

Print List of all Virtual Services

resp = api.get('virtualservice')
for vs in resp.json()['results']:
    print(vs['name'])

Delete a Virtual Service

resp = api.delete_by_name('virtualservice', 'sample_vs')