===== AWS Client VPN =====
{{tag>AWS SSO}}

==== Description ====

  * https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html
  * https://aws.amazon.com/blogs/networking-and-content-delivery/authenticate-aws-client-vpn-users-with-saml/
  * https://aws.amazon.com/blogs/apn/how-to-integrate-aws-client-vpn-with-azure-active-directory/
  * https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4
  * https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#mutual

==== Diagram ====

==== Run Down ====

  - Add a SAML application to the SSO provider
  - Add the SAML IdP to the AWS account
  - Add the mutual authentication server certificate to ACM
  - Create the AWS Client VPN endpoint and associate it with the VPC subnets

==== SSO Providers ====

=== Okta ===

  * Sign on settings: memberOf
  * Advanced sign on settings: set the port to 35001

=== Azure AD ===

  * Identifier: urn:amazon:webservices:clientvpn
  * Add reply URL https://127.0.0.1:35001 (edit the manifest to change it to http)
  * Edit SAML signing to sign both the response and the assertion
  * Edit user attributes and claims
  * Assign user / group

=== AWS SSO ===

  * Manually enter the application info
  * Audience: urn:amazon:webservices:clientvpn
  * Add ACS URL http://127.0.0.1:35001
  * Edit user attributes and claims
  * Assign user / group

^ Attribute ^ Map ^ Format ^
| Subject | ${user:email} | emailAddress |
| FirstName | ${user:givenName} | unspecified |
| LastName | ${user:familyName} | unspecified |
| memberOf | ${user:groups} | unspecified |

==== AWS Account ====

=== IdP ===

  * Add a SAML identity provider
  * Upload the metadata from the SSO provider

=== ACM ===

  * Add a certificate and paste in the server cert, its key, and the CA cert; the following easy-rsa commands generate them (replace SERVERNAME and CLIENT.DOMAIN.TLD with your own names)

<code bash>
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full SERVERNAME nopass
./easyrsa build-client-full CLIENT.DOMAIN.TLD nopass
</code>

=== VPN Endpoint ===

  * Select the server cert
  * Select user based authentication, federated authentication, SAML IdP
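The following script is an added example, not part of this wiki page, that strings the "Run Down" steps 2 to 4 together with easy-rsa and the AWS CLI: build the PKI, import only the server cert (never the CA key) into ACM, register the IdP metadata as an IAM SAML provider, then create the federated-authentication endpoint, attach a subnet, and authorize the VPC CIDR for one IdP group carried in the memberOf attribute instead of all groups. SERVERNAME, the CIDRs, the subnet id, the metadata file name and the group name are placeholders to replace; DRY_RUN=1 prints each command instead of running it.

```bash
#!/usr/bin/env bash
# Added example (not the wiki's own code): automates the Client VPN setup steps
# with easy-rsa and the AWS CLI. Every value below is a placeholder assumption.
set -eu

DRY_RUN="${DRY_RUN:-0}"
SERVERNAME="${SERVERNAME:-vpn.example.internal}"   # placeholder server cert CN
CLIENT_CIDR="${CLIENT_CIDR:-10.200.0.0/22}"        # placeholder, must not overlap the VPC
SUBNET_ID="${SUBNET_ID:-subnet-PLACEHOLDER}"       # placeholder target subnet
TARGET_CIDR="${TARGET_CIDR:-10.0.0.0/16}"          # placeholder VPC CIDR to authorize
SAML_METADATA="${SAML_METADATA:-metadata.xml}"     # metadata file exported from the IdP

# run: execute a command, or print it verbatim when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 3a: generate the CA and the server certificate (same easy-rsa calls as
# the page). The CA private key never leaves this machine.
build_pki() {
  run ./easyrsa init-pki
  run ./easyrsa build-ca nopass
  run ./easyrsa build-server-full "$SERVERNAME" nopass
}

# Step 3b: import the server cert, its key and the CA cert into ACM.
# Prints the certificate ARN.
import_server_cert() {
  run aws acm import-certificate \
    --certificate "fileb://pki/issued/$SERVERNAME.crt" \
    --private-key "fileb://pki/private/$SERVERNAME.key" \
    --certificate-chain fileb://pki/ca.crt \
    --query CertificateArn --output text
}

# Step 2: register the SSO provider's metadata as an IAM SAML provider.
# Prints the provider ARN.
create_saml_provider() {
  run aws iam create-saml-provider \
    --name "${1:-ClientVPN}" \
    --saml-metadata-document "file://$SAML_METADATA" \
    --query SAMLProviderArn --output text
}

# Step 4: endpoint with federated (SAML) authentication, then the subnet
# association and an authorization rule limited to one IdP group. The group
# value must match what the IdP sends in the memberOf attribute.
create_endpoint() {
  cert_arn="$1"; saml_arn="$2"; access_group="$3"
  endpoint_id=$(run aws ec2 create-client-vpn-endpoint \
    --client-cidr-block "$CLIENT_CIDR" \
    --server-certificate-arn "$cert_arn" \
    --authentication-options "Type=federated-authentication,FederatedAuthentication={SAMLProviderArn=$saml_arn}" \
    --connection-log-options Enabled=false \
    --split-tunnel \
    --query ClientVpnEndpointId --output text)
  run aws ec2 associate-client-vpn-target-network \
    --client-vpn-endpoint-id "$endpoint_id" --subnet-id "$SUBNET_ID"
  run aws ec2 authorize-client-vpn-ingress \
    --client-vpn-endpoint-id "$endpoint_id" \
    --target-network-cidr "$TARGET_CIDR" \
    --access-group-id "$access_group"
  printf '%s\n' "$endpoint_id"
}

# Only runs the full sequence when invoked as: ./setup.sh --apply <idp-group>
if [ "${1:-}" = "--apply" ]; then
  run git clone https://github.com/OpenVPN/easy-rsa.git
  cd easy-rsa/easyrsa3
  build_pki
  cert_arn=$(import_server_cert)
  saml_arn=$(create_saml_provider ClientVPN)
  create_endpoint "$cert_arn" "$saml_arn" "${2:-vpn-users}"
fi
```

Running with DRY_RUN=1 first is a cheap way to review the exact commands before they touch the account; the authorization rule is where the memberOf mapping from the attribute table pays off, since `--access-group-id` keys on that attribute value rather than opening the VPC to every authenticated user.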