AWS Client VPN Self Service Portal for Google Federated IdP

0

Is it possible to connect my CVPN endpoint to a self-service SAML provider in Google? I've basically followed the steps described in the link below, but have found that Google will not allow an app to have an entity ID (urn:amazon:webservices:clientvpn) that is in use by another app. In this case, the first app is handling the VPN auth, which works as expected. I'm just wondering if maybe there's an alternate URN/approach available that we could use as the audience to pair with the self-service ACS URL?

Steps for creating the vpn/self-serve apps: https://geeks.wego.com/setting-up-aws-sso-and-aws-client-vpn/

Stack Overflow article indicating this is not possible. https://stackoverflow.com/questions/67914215/how-to-configure-saml-app-in-google-for-aws-client-vpn-and-self-service-portal

2 Answers
1

Please be informed that VPN auth uses a different ACS URL to connect

Assertion Consumer Service (ACS) URL: http://127.0.0.1:35001

Audience URI: urn:amazon:webservices:clientvpn

And Self Service portal uses a different ACS URL

Application ACS URL: https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml

Application SAML audience: urn:amazon:webservices:clientvpn

But both of these service functions use the same SAML audience URL.

Applications like Okta let you define two ACS URLs in the same app, which would let you define authentication and the Self Service Portal in the same app. Some IdPs do not give that option to create a second ACS URL in the same app, but then they allow you to create a second app for that purpose.

Unfortunately, it seems like Google has a limitation where they do not even let you define a second app where the SAML audience URL is the same. It's expected to have the SAML audience URL the same on AWS auth and the Self Service Portal, and there is no way on AWS to change that; hence there is no workaround from the AWS side either, as it's a Google limitation.

However, alternatively you can use AWS SSO with the AWS IdP, where you can create one app for VPN auth and one app for the Self Service Portal.

https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/

AWS
answered a year ago
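The answer above lists the two consumers (VPN auth at the loopback ACS URL, the Self Service Portal at the AWS-hosted ACS URL) that share one SAML audience. The following is an added example, not code from the post or from AWS, that parses a SAML Response and checks it is addressed to one of those two ACS URLs and carries the expected audience. The ACS URLs and audience are the values quoted in the answer; the sample response built by `make_response` is constructed for illustration and is unsigned, so this check covers routing and audience scoping only, not signature validation, which a real relying party must also perform.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from the answer: one shared audience, two distinct ACS URLs.
EXPECTED_AUDIENCE = "urn:amazon:webservices:clientvpn"
ACS_URLS = {
    "vpn-auth": "http://127.0.0.1:35001",
    "self-service": "https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml",
}


def classify_response(xml_text):
    """Return which consumer ('vpn-auth' or 'self-service') the response targets.

    Raises ValueError if the Destination is not one of the known ACS URLs or
    the assertion's AudienceRestriction does not include the expected audience.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")

    destination = root.get("Destination")
    consumer = next((k for k, v in ACS_URLS.items() if v == destination), None)
    if consumer is None:
        raise ValueError(f"unexpected Destination {destination!r}")

    audiences = [
        a.text
        for a in root.findall(
            ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS
        )
    ]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    return consumer


def make_response(destination, audience):
    """Build a constructed, unsigned sample SAML Response for testing (hypothetical)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-response" Version="2.0" Destination="{destination}">
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for name, url in ACS_URLS.items():
        print(name, "->", classify_response(make_response(url, EXPECTED_AUDIENCE)))
```

Both consumers accept the same audience, which is exactly why an IdP that keys uniqueness on the entity ID cannot host them as two separate apps; the only field that distinguishes the two flows is the Destination.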
0

I can't find the definitive answer, but if Google supports more than one ACS URL then yes, you can use the same IdP application.

I have done the same in Azure AD.

EXPERT
answered a year ago
