AWS client vpn selfservice

Question

Hi,

I'm trying to create a VPN endpoint using AWS SSO as IdP but I'm always getting an error when doing the assertion exchange after logging.

I've created the endpoint, selected federated authentication and then selected the ARN of the SAML provider of my SSO configuration. The endpoint is created and available and associated to a VPC.
Then I downloaded the AWS VPN client, created a profile using the configuration from my VPN endpoint and then I clicked on 'Connect'. That takes me to the SSO login page but after login I get an error:
Oops, something went wrong
Provide your administrator with the following info:
Issuer of request does not match our record
Request ID: <>
HTTP status: 403
Any idea on what fails?
Thanks.

Answer

AWS Client VPN is not one of the pre-integrated applications in AWS SSO. As a workaround, create a custom SAML application in AWS SSO. This requires re-creation of AWS VPN Client Endpoint.

1. Create a custom application in AWS SSO to be used with AWS Client VPN
2. Create a new Identity Provider (IdP) in IAM Provider console, and use the AWS SSO as an identity provider with the custom application that was created in Step 1
3. Finally, use the newly created IdP with AWS Client VPN

* Custom SAML 2.0 applications https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html
* Authentication - SAML-based IdP configuration resources -https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#saml-config-resources
* Authenticate AWS Client VPN users with AWS Single Sign-On https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/

AWS client vpn selfservice

관련 콘텐츠