AWS VPN Client endpoint

Hi!

So, AWS released Linux support in its VPN client for federated authentication not so long ago.

We’re trying to tie up SSO with the VPN, so we can manage users on the IdP (Google Workspace).

I’ve followed a few blog posts and tutorials to do so [1] [2] [3], but couldn’t get it to work.

Basically, we start with an account that uses AWS Organizations and uses Google as IdP for logging into AWS, and this works beautifully. The organization creates several “sub-accounts” per environment, namely dev, beta and production.

Now, I’m trying to create a VPN Client endpoint in any of these “sub-accounts” and have done the following:

  1. on the IdP, created a SAML App and downloaded the metadata.xml file, using the documentation from AWS

    1. as per [1] the configuration is ACS URL: http://127.0.0.1:35001
      and Identity URI: urn:amazon:webservices:clientvpn
  2. on AWS > IAM, created an Identity provider with the metadata.xml

  3. created the VPN Endpoint with the proper settings

    1. Client IPv4 CIDR: any that doesn’t conflict with the VPC (e.g. 192.68.0.0/16
      for the account’s VPC)
    2. Server certificate, a wildcard one for the domain, not sure what domain it should match
    3. Use user-based authentication > Federated authentication > select the previously created Identity provider
    4. Use the same provider for Self-service SAML provider (tested with and without this one)
    5. Enabled split-tunnel
    6. no logs or DNS server for now
    7. selected main vpn, default port and protocol (443, UDP)

I get the AWS client for Linux (and Windows); the client opens the Google login flow, I select the account, Google calls localhost and the VPN client tries to authenticate with AWS, but fails with the `The credentials received were incorrect. Contact your IT administrator.` message.

On the AWS VPN side I see no useful logs, but I did notice the Username comes through as `N/A`; according to some random post online, it should be like that. [source]

u/GreyCatNerd This is an old thread, but I was having the same issue and figured out what was wrong, so I wanted to share here in case others face the same.

The problem was in the ClientVPN application configuration in Identity Center. You need to go to the Attribute Mapping and have one attribute added, like FirstName. It doesn’t matter what you put there as the value.

After I added it, the connection started working fine.

This is explained under “Service provider information for creating an app” in https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/federated-authentication.html.

Very misleading error and this should be in the Troubleshooting section for the ClientVPN documentation.
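As an added example (not code from the original post, from the reply above, or from AWS), here is a small Python script that checks a SAML Response against the values this thread lists: the ACS URL `http://127.0.0.1:35001`, the audience `urn:amazon:webservices:clientvpn`, a NameID in the Subject, a Success status, and, per the reply above, at least one attribute in the AttributeStatement. The two sample responses are constructed inline (the issuer URL is a placeholder), and the script does not verify the XML signature, so it is a debugging aid for spotting the misconfigurations discussed here, not a substitute for the validation the client and AWS perform. To run it on a real response, copy the base64 `SAMLResponse` form field from the browser's POST to 127.0.0.1:35001 and pass it through `decode_saml_response`.

```python
"""Offline sanity check of a SAML Response aimed at AWS Client VPN.

Hypothetical checker written for this thread; not AWS code. It looks for
the values the thread lists and the missing-attribute problem from the reply.
It does NOT check the XML signature.
"""
import base64
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EXPECTED_ACS = "http://127.0.0.1:35001"
EXPECTED_AUDIENCE = "urn:amazon:webservices:clientvpn"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

NO_ATTRIBUTE_MSG = (
    "AttributeStatement has no attributes; the reply in this thread reports "
    "this produces 'The credentials received were incorrect'"
)


def decode_saml_response(b64_form_field: str) -> str:
    """Decode the base64 SAMLResponse field of the HTTP-POST binding."""
    return base64.b64decode(b64_form_field).decode("utf-8")


def check_saml_response(xml_text: str) -> List[str]:
    """Return the problems found; an empty list means every check passed."""
    problems: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]

    # Destination must be the loopback ACS URL the VPN client listens on.
    dest = root.get("Destination")
    if dest != EXPECTED_ACS:
        problems.append(f"Destination is {dest!r}, expected {EXPECTED_ACS!r}")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion found"]

    # Audience must be the Client VPN entity ID (the 'Identity URI' on the IdP side).
    audiences = [
        a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience {audiences!r} does not include {EXPECTED_AUDIENCE!r}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Subject has no NameID")

    # The fix from the reply: at least one mapped attribute must be present.
    if not assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        problems.append(NO_ATTRIBUTE_MSG)
    return problems


def build_sample_response(include_attribute: bool) -> str:
    """Constructed, unsigned sample (not captured from Google); issuer is a placeholder."""
    attribute_statement = ""
    if include_attribute:
        attribute_statement = (
            "<saml:AttributeStatement><saml:Attribute Name=\"FirstName\">"
            "<saml:AttributeValue>Alice</saml:AttributeValue>"
            "</saml:Attribute></saml:AttributeStatement>"
        )
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{EXPECTED_ACS}">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    {attribute_statement}
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for label, with_attr in (("no attribute", False), ("FirstName mapped", True)):
        print(label, "->", check_saml_response(build_sample_response(with_attr)) or "OK")
```

The round trip through `decode_saml_response` matters because the response in the browser is base64 inside a form post; checking the decoded XML rather than the raw field avoids misreading an encoding problem as a SAML one.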