1Kosmos integrates with OpenVPN Access Server as a SAML 2.0 identity provider, replacing password-based VPN login with biometric authentication via the 1Kosmos mobile app.
Integration type
Auth/IDP
Overview
1Kosmos integrates with OpenVPN Access Server (v2.11+) as a SAML 2.0 identity provider for biometric authentication via the 1Kosmos mobile app. Users are redirected to 1Kosmos for verification before their VPN session is established.
What we solve
Organizations using OpenVPN for remote access need to harden VPN authentication against phishing and stolen passwords while keeping the user experience simple for employees and contractors. This integration enables SAML 2.0 SSO from OpenVPN Access Server/CloudConnexa to 1Kosmos so users authenticate biometrically before a VPN session is established, eliminating separate VPN passwords.
SAML on OpenVPN Access Server is configured through the Admin Web UI under Authentication → SAML. The SP Identity and ACS URL for the Access Server instance are displayed in this section. OpenVPN supports uploading a metadata file or entering IdP details directly. SAML authentication in OpenVPN replaces Access Server-specific credentials; users no longer need separate VPN usernames and passwords.
CloudConnexa (OpenVPN's cloud product) supports SAML via Settings → User Authentication in the CloudConnexa admin portal. The configuration path differs slightly from Access Server but uses the same 1Kosmos metadata.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
OpenVPN Access Server 2.11 or later: Admin access to the Access Server Admin Web UI. SAML support requires version 2.11 or later.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for OpenVPN:
| Field | Where to find it |
|---|---|
| SAML Metadata URL | AdminX → Settings → IdP Configuration → Metadata URL |
| SSO URL (Sign-on Endpoint) | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Values from OpenVPN Access Server (SP) for AdminX:
| Field | Where to find it |
|---|---|
| SP Identity (Entity ID) | Access Server Admin Web UI → Authentication → SAML → SP Identity field |
| ACS URL | Same SAML page → SP ACS field |
Integration steps
Step 1: Collect SP values from OpenVPN Access Server
Log in to the Access Server Admin Web UI at https://[your-server]/admin.
Navigate to Authentication → SAML. Note the SP Identity and SP ACS values shown on this page. You will need these for AdminX.
Step 2: Add OpenVPN as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Select SAML 2.0 Generic and click Add integration. Enter "OpenVPN" as the Application Name and your Access Server Client Web UI URL (https://[your-server]) as the Application Access URL.
Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Add a claim for email. Enable Assertion signing. Enter the OpenVPN SP Identity as the SP Entity ID and the SP ACS as the ACS URL. Click Save.
Step 3: Configure the IdP in OpenVPN Access Server
In the Access Server Admin Web UI, navigate to Authentication → SAML.
Under Configure Identity Provider (IdP) Automatically via Metadata, paste the 1Kosmos Metadata URL and click Get and Update Running Server. The IdP Entity ID, Sign-on Endpoint, and Certificate are populated automatically.
Alternatively, expand Configure Identity Provider (IdP) Manually and enter the SSO URL, Entity ID, and certificate individually.
Click Save Settings and Update Running Server.
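If you configure the IdP manually (Step 3) or want to confirm that the application settings from Step 2 (emailAddress NameID, email claim, signed assertions, correct SP entity ID and ACS URL) are what actually arrives at Access Server, the helper below does both checks with the standard library. It is an added example, not 1Kosmos or OpenVPN code: the IdP metadata and SAML Response are constructed samples with placeholder entity IDs, URLs and certificate, and the preference for the HTTP-Redirect SSO endpoint is an assumption. The signature check is structural only (the element is present); cryptographic verification is done by Access Server itself against the IdP certificate.

```python
"""Extract IdP values from SAML metadata and sanity-check an assertion against
the settings this guide asks for. Added example; sample documents are constructed."""
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata (placeholder entity ID, URLs, certificate).
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example-tenant.test/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example-tenant.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example-tenant.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample Response in the shape Step 2 configures (signature value is dummy).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://vpn.example.test/saml/acs">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example-tenant.test/saml/idp</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def to_pem(b64_der: str) -> str:
    """Wrap the base64 DER from metadata into the PEM form the manual IdP form takes."""
    body = re.sub(r"\s+", "", b64_der)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"


def idp_values_from_metadata(metadata_xml: str) -> dict:
    """Return entity_id, sso_url, certificate_pem and supported NameID formats from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    # Assumption: prefer the HTTP-Redirect endpoint; fall back to whatever the IdP publishes.
    sso_url = endpoints.get(REDIRECT_BINDING) or next(iter(endpoints.values()), None)
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' means the key serves both purposes
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
            break
    if not (sso_url and cert):
        raise ValueError("metadata lacks an SSO endpoint or a signing certificate")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        "certificate_pem": to_pem(cert),
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
    }


def check_assertion_for_openvpn(response_xml: str, expected_acs: str, expected_issuer: str) -> list:
    """List deviations from the Step 2 settings; an empty list means the assertion matches."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL {expected_acs!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion element (encrypted assertions are not handled here)"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        problems.append("Issuer does not match the IdP Entity ID configured in Access Server")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed; Step 2 requires assertion signing")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID missing or Format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID Format is emailAddress but the value is not an email")
    if assertion.find("saml:AttributeStatement/saml:Attribute[@Name='email']", NS) is None:
        problems.append("no 'email' attribute claim in the assertion")
    return problems


if __name__ == "__main__":
    print(idp_values_from_metadata(SAMPLE_IDP_METADATA))
    print(check_assertion_for_openvpn(SAMPLE_RESPONSE, "https://vpn.example.test/saml/acs",
                                      "https://idp.example-tenant.test/saml/idp"))
```

To use it against a real tenant, fetch the AdminX Metadata URL and pass its body to `idp_values_from_metadata`; the returned values are exactly the three fields in the manual IdP form. A captured Response (for instance from the browser's developer tools during Step 5, base64-decoded) can be passed to `check_assertion_for_openvpn` with your SP ACS URL and the IdP Entity ID to explain a failing login before digging through server logs.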
Step 4: Enable SAML authentication
In Authentication → SAML, click the Enable SAML authentication toggle to turn on SAML for all users, or configure SAML for specific users and groups using the user management settings.
Click Save Settings and Update Running Server.
Step 5: Test the integration
Open the Client Web UI at your Access Server URL. Click Sign in via SAML.
You are redirected to 1Kosmos. Authenticate biometrically using the 1Kosmos mobile app.
After authentication, you are returned to the Client Web UI where you can download your connection profile and connect to the VPN.
Attribute mappings
| Source (1Kosmos) | Target (OpenVPN) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Primary user identifier for VPN access |
Integration notes
OpenVPN does not support Single Logout (SLO). If you need to configure MFA in addition to SAML, configure MFA at the identity provider (1Kosmos) level rather than enabling TOTP MFA separately in OpenVPN.
The SAML authentication flow opens a browser window for the 1Kosmos login. OpenVPN Connect 3.4.4 and later on Windows prompt users to open the URL in their default browser to complete authentication.
After a successful SAML authentication, the message "SAML authentication assertion received" confirms the flow completed and the VPN connection proceeds.