
Client VPN Group Authorization Rules


I have created several authorization rules for Client VPN and they work great. I have a few CIDR blocks that I want to restrict to certain SAML groups (I'm using federated authentication). I have used the group name and the object ID from Azure Entra, both times switching the SAML claim to also use either sAMAccountName for groups or group IDs. I see the group ID and group name in the SAML inspector, so I know the claim is being passed; however, the rule still doesn't allow me access. Any ideas would be very helpful.


asked 2 years ago, 308 views
1 Answer
Accepted Answer

Hi there, your issue is that you're using the wrong claim attribute. You are using the default http://schemas.microsoft.com/ws/2008/06/identity/claims/groups attribute.

Delete this and create a new group claim; however, in the Advanced Options when creating the group claim, tick "Customize the name of the group claim" and set the Name to memberOf.

You can also see Step 3: Change User Attributes and Claims at the following link: https://repost.aws/questions/QUzGFUYKhATCa7oYbvy6ieJw/client-vpn-group-authorization-rules

EXPERT, answered 2 years ago (reviewed 2 years ago)
  • Thank you so much! I edited the existing group claim and changed the name in the Advanced Options to memberOf and it works. I thought I was going absolutely crazy trying to fix it.
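To make the accepted answer concrete, here is an added example (not code from the re:Post thread, AWS, or the question asker) that simulates the one check that went wrong: Client VPN reads the group list from a SAML attribute whose Name is exactly memberOf, so an assertion that carries the same groups under Entra's default groups claim name yields an empty group set and every group-restricted rule is denied. The SAML assertions are constructed inline as test data, the group names, object IDs and CIDRs are hypothetical, and the rule evaluation ("any matching rule grants access") is a simplification of the service's own logic, not a reproduction of it.

```python
"""Simulate AWS Client VPN group-based authorization against a SAML assertion.

Added example; assumes (as the thread states) that Client VPN consults only the
SAML attribute named "memberOf" for group membership, and that an authorization
rule pairs a destination CIDR with either one access group or "all groups".
Rule precedence is simplified to "any matching rule grants access".
"""
import ipaddress
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MEMBER_OF = "memberOf"  # the attribute name Client VPN requires
AZURE_DEFAULT_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Hypothetical rules: (destination CIDR, access group) where None means "all groups".
RULES = [
    ("10.0.0.0/16", None),                                    # everyone
    ("10.50.0.0/24", "vpn-finance"),                          # group by display name
    ("10.60.0.0/24", "8f6b4c2e-1111-4c1e-9d7a-000000000001"),  # group by object ID (made up)
]


def build_assertion(group_attr_name: str, groups: list[str]) -> str:
    """Construct a minimal assertion (attribute statement only) for testing.
    This is test data, not a real IdP response: no signature, subject or conditions."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{group_attr_name}">{values}</saml:Attribute>'
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        out.setdefault(name, []).extend(values)
    return out


def groups_for_authorization(attrs: dict[str, list[str]]) -> set[str]:
    """Only memberOf counts. Groups delivered under any other Name (including the
    Azure default claim URI) are invisible to the authorization rules."""
    return set(attrs.get(MEMBER_OF, []))


def is_authorized(attrs: dict[str, list[str]], rules, destination: str) -> bool:
    """True if some rule covers the destination and either allows all groups or
    names a group present in the assertion's memberOf values (exact string match)."""
    dest = ipaddress.ip_address(destination)
    groups = groups_for_authorization(attrs)
    for cidr, access_group in rules:
        if dest in ipaddress.ip_network(cidr):
            if access_group is None or access_group in groups:
                return True
    return False


def demo() -> dict[str, bool]:
    """Compare the broken claim name with the working one for the same user."""
    user_groups = ["vpn-finance", "8f6b4c2e-1111-4c1e-9d7a-000000000001"]
    wrong_name = attributes(build_assertion(AZURE_DEFAULT_GROUPS_CLAIM, user_groups))
    right_name = attributes(build_assertion(MEMBER_OF, user_groups))
    return {
        "default_claim_all_groups_subnet": is_authorized(wrong_name, RULES, "10.0.1.1"),
        "default_claim_finance_subnet": is_authorized(wrong_name, RULES, "10.50.0.5"),
        "memberOf_finance_subnet": is_authorized(right_name, RULES, "10.50.0.5"),
        "memberOf_objectid_subnet": is_authorized(right_name, RULES, "10.60.0.9"),
        "memberOf_unlisted_subnet": is_authorized(right_name, RULES, "192.168.1.1"),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
```

Two practical checks follow from this. First, the value in the rule's access group must match a memberOf value byte for byte: if the Entra claim is configured to emit object IDs, the rule must carry the object ID, and if it emits sAMAccountName or display names, the rule must carry that string. Second, a rule that authorizes all groups keeps working even when the claim name is wrong, which is why the "everyone" subnets in the question still worked while the group-restricted ones silently denied.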
