
AWS VPN Client Endpoint and Azure Entra ID auth failed issues


Hello,

I've followed a couple of guides and set up my Enterprise App on Azure side and my IdP and Client VPN Endpoint on AWS side.

On Azure side, I've set these claims:

givenname: user.givenname
surname: user.surname
emailaddress: user.mail
name: user.userprincipalname
FirstName: user.givenname
LastName: user.surname
memberOf: user.groups
NameID: user.mail
nameidentifier: user.userprincipalname
Subject: user.mail
Unique User Identifier: user.userprincipalname

I've exported the Client ovpn config and when I try to connect I have an error:

In client logs:

2024-11-27 19:28:15.273 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:15 us=273555 AUTH: Received control message: AUTH_FAILED,CRV1:R:instance-1/7442027681157705563/f447a389-67a1-4975-a1b4-1e3b6166426d:b'Ti9B':https://login.microsoftonline.com/59c31156-d9a1-4920-9ef6-1c4d6429903a/saml2?SAMLRequest=fZJLb9swEITv%2FhWC7rJEypIlwjagxihqIG2N2O2hl4Ii1wkBPlQulbT99RHlvnJoqNtqvuHMghvkRg%2BsG8ODvYNvI2BYJMl3oy2y%2Bdc2Hb1ljqNCZrkBZEGwU%2Ff%2BltFlwQbvghNOpy%2Bg1xmOCD4oZyN02G%2FTr6LsJV%2FXFVxIU7UESCNKWtZ908geaCurBnjdrGUEPoPHid2mk9VsgDjCwWLgNkzDgq4yQjK6PpOG0YaR6ktU7adeyvIwkw8hDMjyXLt7ZZdGCe%2FQXYKzWllYCmfyqhUlIVWdyZaTbNXSImvhUmdErGS9om1blDyPTWk0P%2F5awhtlpbL3r7fvryJk787nY3b8eDpHi%2B73Tm6cxdGAP4F%2FVAI%2B3d1e805xCV0vi%2BkjrKyKgqS7iUuSTYzB5i34XbyYG%2F7TWfYEPV49kAmtwIbHwW7yf9V%2F%2BYF9mIIe9kenlfgxz%2BN567zh4f99yJQlTpTMLrOUgeFKd1J6QEz%2F%2BHRau6cbDzzANg1%2BhDTJd4vFNc3Lx7d7Bg%3D%3D
2024-11-27 19:28:15.274 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:15 us=274441 TCP/UDP: Closing socket
2024-11-27 19:28:15.274 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:15 us=274531 SIGUSR1[soft,auth-failure] received, process restarting
2024-11-27 19:28:15.274 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:15 us=274580 MANAGEMENT: >STATE:1732732095,RECONNECTING,auth-failure,,,,,
2024-11-27 19:28:15.274 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:15 us=274658 Restart pause, 5 second(s)
2024-11-27 19:28:16.102 +01:00 [DBG] [TI=11] /bin/ps exit code: 0
2024-11-27 19:28:17.128 +01:00 [DBG] [TI=11] /bin/ps exit code: 0
2024-11-27 19:28:18.153 +01:00 [DBG] [TI=11] /bin/ps exit code: 0
2024-11-27 19:28:19.171 +01:00 [DBG] [TI=11] /bin/ps exit code: 0
2024-11-27 19:28:20.185 +01:00 [DBG] [TI=12] /bin/ps exit code: 0
2024-11-27 19:28:20.279 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:20 us=279467 MANAGEMENT: CMD 'username "Auth" N/A'
2024-11-27 19:28:20.279 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:20 us=279496 MANAGEMENT: CMD ''
2024-11-27 19:28:20.323 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:20 us=323584 MANAGEMENT: CMD 'password [...]'
2024-11-27 19:28:20.323 +01:00 [DBG] [TI=3] [PID: 3622313] 2024-11-27 19:28:20 us=323672 MANAGEMENT: CMD ''

In CloudWatch:

{
    "connection-log-type": "connection-attempt",
    "connection-attempt-status": "failed",
    "connection-attempt-failure-reason": "authentication-failed",
    "connection-id": "cvpn-connection-0985d1405ba1476de",
    "client-vpn-endpoint-id": "cvpn-endpoint-0b88232f90d343efa",
    "transport-protocol": "udp",
    "connection-start-time": "NA",
    "connection-last-update-time": "2024-11-27 18:11:15",
    "client-ip": "NA",
    "username": "N/A",
    "device-type": "linux",
    "device-ip": "82.65.197.139",
    "port": "22548",
    "ingress-bytes": "0",
    "egress-bytes": "0",
    "ingress-packets": "0",
    "egress-packets": "0",
    "connection-end-time": "NA",
    "connection-duration-seconds": "NA"
}

In Azure signin logs:

Status: Success

And to finish, I've traced the SAML exchange with SAML-tracer and I get that:

SAML2.0 Response
Destination	http://127.0.0.1:35001
ID	<value>
Version	2.0
IssueInstant	2024-11-27T18:28:15.614Z
Issuer	https://sts.windows.net/<value>/
SAML 2.0 Assertion
ID	<value>
Version	2.0
IssueInstant	2024-11-27T18:28:15.611Z
Subject	<email>
SAML 2.0 AttributeStatement
http://schemas.microsoft.com/identity/claims/tenantid	<value>
http://schemas.microsoft.com/identity/claims/objectidentifier	<value>
http://schemas.microsoft.com/identity/claims/displayname	Firstname LASTNAME
http://schemas.microsoft.com/identity/claims/identityprovider	https://sts.windows.net/<value>/
http://schemas.microsoft.com/claims/authnmethodsreferences	http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
http://schemas.microsoft.com/claims/authnmethodsreferences	http://schemas.microsoft.com/claims/multipleauthn
http://schemas.microsoft.com/ws/2008/06/identity/claims/wids	<value>
http://schemas.microsoft.com/ws/2008/06/identity/claims/wids	<value>
http://schemas.microsoft.com/ws/2008/06/identity/claims/wids	<value>
http://schemas.microsoft.com/ws/2008/06/identity/claims/wids	<value>
http://schemas.microsoft.com/ws/2008/06/identity/claims/wids	<value>
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname	Firstname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname	LASTNAME
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress	<email>
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	<email>
FirstName	Firstname
LastName	LASTNAME
memberOf	<value>   (48 memberOf entries in the trace, collapsed here)
NameID	<email>
nameidentifier	<email>
Subject	<email>

I suppose I'm missing the proper mapping to get the username, but I can't find any information anywhere.

Thanks in advance!!
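Two diagnostics that would have shortened the investigation above: decoding the SAMLRequest that the OpenVPN client prints inside the CRV1 challenge URL of the AUTH_FAILED line, and summarising a SAML Response the way SAML-tracer shows it while flagging the fields this thread's trace depends on (Destination, NameID, FirstName, LastName, memberOf). This is an added example, not code from the original post or from AWS; the expected ACS destination, the attribute names and the response size ceiling are assumptions taken from the trace in the question, and the sample log line and SAML documents are constructed, not real IdP artefacts.

```python
"""Added example, not code from the original re:Post thread.

1. saml_request_from_log_line(): decode the SAMLRequest hidden in the CRV1
   challenge URL that the OpenVPN log prints with AUTH_FAILED.
2. check_response(): summarise a SAML Response and flag missing fields.
The expected destination, attribute names and size ceiling are assumptions
drawn from the trace in the thread, not an official AWS specification.
"""
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EXPECTED_DESTINATION = "http://127.0.0.1:35001"  # ACS URL seen in the trace (assumption)
MAX_RESPONSE_BYTES = 128 * 1024                  # assumed ceiling; verify against AWS docs


def saml_request_from_log_line(log_line: str) -> str:
    """Pull the challenge URL out of an 'AUTH_FAILED,CRV1:...' line and decode its
    SAMLRequest (HTTP-Redirect binding: URL-encoded base64 of a raw DEFLATE
    stream, SAML 2.0 Bindings section 3.4.4.1)."""
    match = re.search(r"https?://\S+", log_line)
    if not match:
        raise ValueError("no challenge URL in log line")
    query = parse_qs(urlparse(match.group(0)).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")  # wbits=-15: raw DEFLATE, no zlib header


def encode_saml_request(authn_request_xml: str) -> str:
    """Inverse of the decoder; used only to construct the sample log line below."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(data).decode("ascii"), safe="")


def check_response(response_xml: str) -> dict:
    """Summarise a SAML Response and list the problems a VPN admin would check."""
    root = ET.fromstring(response_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        vals = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(vals)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    summary = {
        "destination": root.get("Destination"),
        "name_id": name_id.text if name_id is not None else None,
        "first_name": attrs.get("FirstName", []),
        "last_name": attrs.get("LastName", []),
        "group_count": len(attrs.get("memberOf", [])),
        "response_bytes": len(response_xml.encode("utf-8")),
        "problems": [],
    }
    if summary["destination"] != EXPECTED_DESTINATION:
        summary["problems"].append("Destination is not the VPN client ACS URL")
    if not summary["name_id"]:
        summary["problems"].append("Subject/NameID missing or empty")
    if not summary["first_name"] or not summary["last_name"]:
        summary["problems"].append("FirstName/LastName attribute missing")
    if summary["response_bytes"] > MAX_RESPONSE_BYTES:
        summary["problems"].append("response exceeds assumed size ceiling (too many groups?)")
    return summary


def build_sample_response(groups: int = 2, with_names: bool = True,
                          destination: str = EXPECTED_DESTINATION) -> str:
    """Construct a minimal SAML Response (sample data, not a real IdP artefact)."""
    def attribute(name, values):
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        return f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'
    statements = attribute("memberOf", [f"group-{i}" for i in range(groups)])
    if with_names:
        statements += attribute("FirstName", ["Firstname"]) + attribute("LastName", ["LASTNAME"])
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0" Destination="{destination}">'
        "<saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{statements}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


# Constructed sample log line in the shape of the OpenVPN line quoted in the question.
SAMPLE_AUTHN_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                        'ID="_req1" Version="2.0" AssertionConsumerServiceURL="http://127.0.0.1:35001"/>')
SAMPLE_LOG_LINE = ("AUTH: Received control message: AUTH_FAILED,CRV1:R:instance-1/1/abc:b'Ti9B':"
                   "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2?SAMLRequest="
                   + encode_saml_request(SAMPLE_AUTHN_REQUEST))

if __name__ == "__main__":
    print(saml_request_from_log_line(SAMPLE_LOG_LINE))
    for summary in (check_response(build_sample_response()),
                    check_response(build_sample_response(groups=48, with_names=False))):
        print(summary["problems"] or "no problems found", "| groups:", summary["group_count"])
```

Run it against the base64 Response body that SAML-tracer lets you copy, and against the real AUTH_FAILED line from the client log, to confirm what the client asked for and what the IdP actually returned before touching the Entra ID claim configuration.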

1 Answer

This is how it should look at least for 1. Basic SAML Configuration [screenshot]

This is how it should look at least for 2. Attributes and Claims [screenshot]

This is how it should look at least for 3. SAML Certificates [screenshot]

EXPERT
answered 11 days ago
