Hello,
I've followed a couple of guides and set up my Enterprise App on the Azure side and my IdP and Client VPN Endpoint on the AWS side.
On the Azure side, I've set these claims:
givenname: user.givenname
surname: user.surname
emailaddress: user.mail
name: user.userprincipalname
FirstName: user.givenname
LastName: user.surname
memberOf: user.groups
NameID: user.mail
nameidentifier: user.userprincipalname
Subject: user.mail
Unique User Identifier: user.userprincipalname
I've exported the client .ovpn config, and when I try to connect I get an error.
In the client logs:
2024-11-27 19:28:15.273 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:15 us=273555 AUTH: Received control message: AUTH_FAILED,CRV1:R:instance-1/7442027681157705563/f447a389-67a1-4975-a1b4-1e3b6166426d:b'Ti9B':https://login.microsoftonline.com/59c31156-d9a1-4920-9ef6-1c4d6429903a/saml2?SAMLRequest=fZJLb9swEITv%2FhWC7rJEypIlwjagxihqIG2N2O2hl4Ii1wkBPlQulbT99RHlvnJoqNtqvuHMghvkRg%2BsG8ODvYNvI2BYJMl3oy2y%2Bdc2Hb1ljqNCZrkBZEGwU%2Ff%2BltFlwQbvghNOpy%2Bg1xmOCD4oZyN02G%2FTr6LsJV%2FXFVxIU7UESCNKWtZ908geaCurBnjdrGUEPoPHid2mk9VsgDjCwWLgNkzDgq4yQjK6PpOG0YaR6ktU7adeyvIwkw8hDMjyXLt7ZZdGCe%2FQXYKzWllYCmfyqhUlIVWdyZaTbNXSImvhUmdErGS9om1blDyPTWk0P%2F5awhtlpbL3r7fvryJk787nY3b8eDpHi%2B73Tm6cxdGAP4F%2FVAI%2B3d1e805xCV0vi%2BkjrKyKgqS7iUuSTYzB5i34XbyYG%2F7TWfYEPV49kAmtwIbHwW7yf9V%2F%2BYF9mIIe9kenlfgxz%2BN567zh4f99yJQlTpTMLrOUgeFKd1J6QEz%2F%2BHRau6cbDzzANg1%2BhDTJd4vFNc3Lx7d7Bg%3D%3D
2024-11-27 19:28:15.274 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:15 us=274441 TCP/UDP: Closing socket
2024-11-27 19:28:15.274 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:15 us=274531 SIGUSR1[soft,auth-failure] received, process restarting
2024-11-27 19:28:15.274 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:15 us=274580 MANAGEMENT: >STATE:1732732095,RECONNECTING,auth-failure,,,,,
2024-11-27 19:28:15.274 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:15 us=274658 Restart pause, 5 second(s)
2024-11-27 19:28:16.102 +01:00 [DBG] [TI=11] /bin/ps exit code: 0
2024-11-27 19:28:17.128 +01:00 [DBG] [TI=11] /bin/ps exit code: 0
2024-11-27 19:28:18.153 +01:00 [DBG] [TI=11] /bin/ps exit code: 0
2024-11-27 19:28:19.171 +01:00 [DBG] [TI=11] /bin/ps exit code: 0
2024-11-27 19:28:20.185 +01:00 [DBG] [TI=12] /bin/ps exit code: 0
2024-11-27 19:28:20.279 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:20 us=279467 MANAGEMENT: CMD 'username "Auth" N/A'
2024-11-27 19:28:20.279 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:20 us=279496 MANAGEMENT: CMD ''
2024-11-27 19:28:20.323 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:20 us=323584 MANAGEMENT: CMD 'password [...]'
2024-11-27 19:28:20.323 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:20 us=323672 MANAGEMENT: CMD ''
In CloudWatch:
{
"connection-log-type": "connection-attempt",
"connection-attempt-status": "failed",
"connection-attempt-failure-reason": "authentication-failed",
"connection-id": "cvpn-connection-0985d1405ba1476de",
"client-vpn-endpoint-id": "cvpn-endpoint-0b88232f90d343efa",
"transport-protocol": "udp",
"connection-start-time": "NA",
"connection-last-update-time": "2024-11-27 18:11:15",
"client-ip": "NA",
"username": "N/A",
"device-type": "linux",
"device-ip": "82.65.197.139",
"port": "22548",
"ingress-bytes": "0",
"egress-bytes": "0",
"ingress-packets": "0",
"egress-packets": "0",
"connection-end-time": "NA",
"connection-duration-seconds": "NA"
}
In the Azure sign-in logs:
Status: Success
And finally, I've traced the SAML exchange with SAML-tracer and I get this:
SAML2.0 Response
Destination http://127.0.0.1:35001
ID <value>
Version 2.0
IssueInstant 2024-11-27T18:28:15.614Z
Issuer https://sts.windows.net/<value>/
SAML 2.0 Assertion
ID <value>
Version 2.0
IssueInstant 2024-11-27T18:28:15.611Z
Subject <email>
SAML 2.0 AttributeStatement
http://schemas.microsoft.com/identity/claims/tenantid <value>
http://schemas.microsoft.com/identity/claims/objectidentifier <value>
http://schemas.microsoft.com/identity/claims/displayname Firstname LASTNAME
http://schemas.microsoft.com/identity/claims/identityprovider https://sts.windows.net/<value>/
http://schemas.microsoft.com/claims/authnmethodsreferences http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
http://schemas.microsoft.com/claims/authnmethodsreferences http://schemas.microsoft.com/claims/multipleauthn
http://schemas.microsoft.com/ws/2008/06/identity/claims/wids <value>
http://schemas.microsoft.com/ws/2008/06/identity/claims/wids <value>
http://schemas.microsoft.com/ws/2008/06/identity/claims/wids <value>
http://schemas.microsoft.com/ws/2008/06/identity/claims/wids <value>
http://schemas.microsoft.com/ws/2008/06/identity/claims/wids <value>
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname Firstname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname LASTNAME
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress <email>
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name <email>
FirstName Firstname
LastName LASTNAME
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
memberOf <value>
NameID <email>
nameidentifier <email>
Subject <email>
I suppose I'm missing the proper mapping to get the username, but I can't find any information anywhere.
Thanks in advance!!
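As an added example (not part of the original post or of any AWS or Microsoft code), the script below parses a SAML Response of the shape the SAML-tracer output above shows and reports what the service-provider side actually receives: the Subject/NameID and its Format, the assertion Issuer, and every attribute with its values. It then checks that the non-namespaced attributes the post configures in Azure (NameID, FirstName, LastName, memberOf) are present and non-empty and that the NameID attribute agrees with the Subject/NameID. The response XML, the tenant/group placeholders and the address user@example.com are constructed for the example; the set of attributes checked is taken from the post, not from any statement about what AWS Client VPN requires.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Standard SAML 2.0 namespaces used by the Response and Assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Non-namespaced attribute names configured on the Azure side in the post.
# Assumption: this is the set worth verifying in the trace; it is not a
# statement of the service provider's requirements.
EXPECTED_ATTRS = ["NameID", "FirstName", "LastName", "memberOf"]

# Constructed sample response mirroring the SAML-tracer listing in the post
# (tenant id, group ids and the e-mail address are placeholders).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-11-27T18:28:15.614Z"
    Destination="http://127.0.0.1:35001">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-11-27T18:28:15.611Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Firstname</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Firstname</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>LASTNAME</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>GROUP-ID-PLACEHOLDER-1</saml:AttributeValue>
        <saml:AttributeValue>GROUP-ID-PLACEHOLDER-2</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="NameID"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_response(xml_text: str) -> dict:
    """Extract Destination, Issuer, Subject/NameID and all attributes from a Response.

    For responses captured from a real IdP, parse with defusedxml instead of
    xml.etree to avoid entity-expansion issues; the sample here is constructed.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs: Dict[str, List[str]] = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return {
        "destination": root.get("Destination"),
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "subject": (name_id.text or "").strip() if name_id is not None else "",
        "subject_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def check_mapping(parsed: dict) -> List[str]:
    """Return findings about the attribute mapping; an empty list means nothing looked off."""
    findings: List[str] = []
    if not parsed["subject"]:
        findings.append("Subject/NameID is empty")
    attrs = parsed["attributes"]
    for name in EXPECTED_ATTRS:
        if name not in attrs or not any(attrs[name]):
            findings.append(f"attribute {name!r} missing or empty")
    if attrs.get("NameID") and parsed["subject"] and attrs["NameID"][0] != parsed["subject"]:
        findings.append("NameID attribute differs from Subject/NameID")
    return findings


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print("Destination:", parsed["destination"])
    print("Issuer:     ", parsed["issuer"])
    print("Subject:    ", parsed["subject"], f"(Format={parsed['subject_format']})")
    for name, values in parsed["attributes"].items():
        print(f"  {name} = {values}")
    print("Findings:", check_mapping(parsed) or "none")
```

Running it against a real capture means pasting the decoded Response XML from SAML-tracer into SAMPLE_RESPONSE; a non-empty findings list points at the attribute that never reached the service provider, while an empty list shifts suspicion away from the attribute mapping and towards the other fields printed (Destination, Issuer, Subject Format).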