AWS Client VPN unable to set Authorization Route with Group ID using Okta

Question

AWS SSO using Okta. 
Working on implementing a AWS Client VPN that also uses the Okta authentication. I've enabled the AWS Client VPN app through Okta and have used the meta-data to create an Identity provider for the Client VPN. I've been able to successfully use the AWS Client VPN, it does the Auth through Okta, so I know that it works. But the Second I change my Authorization Routes in the AWS Client VPN to use a Group ID, I loose access to my resources. I've attempted to use the Okta Group ID, as well as the AWS SSO Group Id provided through Amazon. But neither Group ID seems to take. I've also attempted to put the Group Name in the 'Group ID' field with no success.

Accepted Answer

I was able to figure this out. I have a screenshot of this on my Okta Community post, but I needed to specify in the Okta AWS Client VPN Settings that memberOf was equal to .* (Notice the period there). Apparently you need specify which Okta Groups get sent over to the AWS Client VPN. So this wild card sends all groups over and then you can set up your authorization routes using the Group Name for the Group ID.

https://support.okta.com/help/s/question/0D54z00007QD9yTCAT/aws-client-vpn-unable-to-set-authorization-route-with-group-id-using-okta?language=en_US

AWS Client VPN unable to set Authorization Route with Group ID using Okta

関連するコンテンツ