Hi!
So, AWS released support for Linux on its VPN client for federated authentication not so long ago.
We're trying to tie up SSO with the VPN, so we can manage users on the IdP (Google Workspace).
I've followed a few blog posts and tutorials to do so [1] [2] [3], but couldn't get it to work.
Basically, we start with an account that uses AWS Organizations and uses Google as IdP for logging into AWS, and this works beautifully. The organization creates several "sub-accounts" per environment, namely dev, beta and production.
Now, I'm trying to create a VPN Client endpoint in any of these "sub-accounts" and have done the following:
- on the IdP, created a SAML App and downloaded the metadata.xml file, using the documentation from AWS
  - as per [1], the configuration is ACS URL: http://127.0.0.1:35001 and Identity URI: urn:amazon:webservices:clientvpn
- on AWS > IAM, created an Identity provider with the metadata.xml
- created the VPN Endpoint with the proper settings
  - Client IPv4 CIDR: any that doesn't conflict with the VPC (e.g. 192.68.0.0/16 for the account's VPC)
  - Server certificate: a wildcard one for the domain, not sure what domain it should match
  - Use user-based authentication > Federated authentication > select the previously created Identity provider
  - Use the same provider for Self-service SAML provider (tested with and without this one)
  - Enabled split-tunnel
  - no logs or DNS server for now
  - selected main VPN, default port and protocol (443, UDP)
I get the AWS client for Linux (and Windows), the client opens the Google login flow, I select the account, Google calls the localhost and the VPN client tries to authenticate with AWS, but fails with the `The credentials received were incorrect. Contact your IT administrator.` message.
On the AWS VPN I see no useful logs, but I did notice the Username comes as `N/A`; according to some random post online, it should be like that. [source]
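A consistency check for the SAML side of this setup, added here as an example (it is not code from the original post or from AWS). It assumes the standard SAML mapping: the SAML app's Identity URI becomes the assertion `Audience`, and the ACS URL becomes the response `Destination` and the `SubjectConfirmationData` `Recipient`; the sample responses below are constructed, unsigned and only for testing the checker.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Values configured on the Google Workspace SAML app in the post.
ACS_URL = "http://127.0.0.1:35001"
AUDIENCE = "urn:amazon:webservices:clientvpn"


def check_saml_response(xml_text, acs_url=ACS_URL, audience=AUDIENCE):
    """Return a list of mismatches between the IdP response and the values the
    Client VPN SAML app is configured with; an empty list means they agree."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion in response"]
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS):
        problems.append("Subject has no NameID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient does not match ACS URL")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience {audiences} does not include Identity URI {audience!r}")
    return problems


def build_response(destination, audience, recipient=None):
    """Constructed, minimal SAML response (no signature) used to exercise the checker."""
    recipient = recipient or destination
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{destination}">
  <saml:Assertion>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{recipient}"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(check_saml_response(build_response(ACS_URL, AUDIENCE)))  # []
    # Identity URI mistyped on the IdP side: the Audience no longer matches.
    print(check_saml_response(build_response(ACS_URL, "urn:amazon:webservices")))
```

To run it against a real response, base64-decode the `SAMLResponse` form value the IdP posts to `http://127.0.0.1:35001` and pass the XML to `check_saml_response`.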