AWS SSO with GSuite external identify with AWS VPN Client Endpoint

Question

Hi,  
  
I use AWS SSO with GSuite as an external identity provider to provide access to our AWS accounts. I was trying to setup AWS VPN Client Endpoint to allow access via the same method.   
  
So far I'm able to get to the authentication, however, after entering the details, I get a "Oops, something went wrong; Provide your administrator with the following info: No access. 403".   
  
I've configured VPN for mutual authentication and federated login, and chose our AWS SSO as the source for login. AWS SSO is working fine for AWS accounts access, but no luck for the VPN yet.   
  
Any pointers?

Answer

There is such a workaround for this problem.  
Use at your own risk.  
https://benincosa.com/?p=3787

Answer

Hello and thanks for writing in.  
While I'm confident we can get past the current "oops something went wrong" error, the last update i have when using AWS Client VPN _ Google Idp is the fact that Google does not support the use of a non secure ACS URL (http) while the AWS client VPN does not support HTTPS. While the support for use of secure ACS URL's is in the works, the only supported and tested Idps as far as Client VPNs go are Okta and Azure AD. This of course, does not mean other Idps will not work but is not guaranteed. Please refer to the link below for all the relevant information for client VPN _ SAML integration including the requirements and considerations.  
  
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#saml-config-resources

AWS SSO with GSuite external identify with AWS VPN Client Endpoint

Contenido relevante