Setting up SSO with AWS VPN Client enables secure, user-based authentication using IAM Identity Center (SSO) and SAML 2.0. This ensures centralized access control and group-based authorization.

To configure this, follow the guidelines below:

Step 1: Generate Server Certificate and Associate Client Keys

To configure SSO with user-based authentication for AWS Client VPN, a server certificate and the associated client certificates/keys must be generated.

git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa --san=DNS:server build-server-full server nopass
./easyrsa build-client-full client1.domain.tld nopass

The commands write the CA, server and client material under the pki/ directory: ca.crt, issued/server.crt, private/server.key, issued/client1.domain.tld.crt and private/client1.domain.tld.key.

Above, you can see that I have successfully generated server and client certificates and keys.

Step 2: Import Certificates into AWS Certificate Manager

Step 1: Log in to the AWS Management Console and go to AWS Certificate Manager (ACM).

Step 2: In the left-hand menu, click on Certificates.

Step 3: Click the Import a certificate button.

Step 4: On the Import Certificate page, upload the certificate files:

  • Certificate body → Upload your server.crt file.
  • Certificate private key → Upload your server.key file.
  • Certificate chain → Upload your ca.crt (CA root or intermediate chain certificate).

Step 5: For client certificates, repeat the same steps with the client.crt, client.key and ca.crt files.

Step 6: Click Next, review the details, and then click Import.

Step 7: Once imported, you should see a message confirming that the certificate has been successfully issued/imported into ACM.

Step 3: Application (SAML 2.0) Configuration

Step 1: In IAM Identity Center, go to the Applications section.

Step 2: Click Add Application → Add custom SAML 2.0 application.

Step 3: Create two applications:

  • Application 1: AWS-VPN-Client
  • Application 2: VPN-Self-Service

Step 4: For each application, configure the SAML settings:

  • ACS URL / Reply URL → the Client VPN endpoint SAML URL (to be configured later).
  • Audience URI (SP Entity ID) → the Client VPN Entity ID.

Step 5: Save both applications and download the metadata files (one for each application).

Screenshots for Application 1 (AWS-VPN-Client): application type selection, the application metadata download, and the resulting IAM Identity Center application page.

Attribute mapping in IAM Identity Center passes user details (email, name, groups, etc.) to the SAML app, allowing the VPN to identify users and apply group-based access rules.

Step 4: Configure Attributes

Step 1: Go to IAM Identity Center → Applications.

Step 2: Select your application (AWS-VPN-Client or VPN-Self-Service).

Step 3: Open the Attribute mappings tab.

Step 4: Add mappings between IAM Identity Center attributes and SAML attributes. Common mappings include:

  • Subject → ${user:email} (used as the user’s unique identifier)
  • Name → ${user:username}
  • FirstName → ${user:givenName}
  • LastName → ${user:familyName}
  • Groups → ${user:groups} (used to enforce access rules with SAML authorization)

Step 5: Click 'Save changes'.

Repeat the same attribute mappings for Application 2 (VPN-Self-Service).

Step 5: Create IAM Identity Providers (SAML 2.0)

Creating an IAM Identity Provider (SAML 2.0) links your AWS account with the IAM Identity Center applications. This allows AWS services like Client VPN to trust the SAML metadata and authenticate users via SSO.

Step 1: Log in to the AWS Management Console and open the IAM service.

Step 2: In the left navigation pane, click on Identity providers.

Step 3: Click the Add provider button.

Step 4: On the Add an identity provider page:

  • For Provider type, select SAML.
  • For Provider name, enter a name (e.g., VPN-SAML-Provider-1).
  • For Metadata document, upload the first SAML 2.0 metadata file (downloaded when creating the AWS-VPN-Client application in IAM Identity Center).
  • Click Add provider.

Step 5: Repeat the same process to create a second Identity Provider:

  • Provider name: e.g., VPN-SAML-Provider-2.
  • Metadata document: upload the second SAML 2.0 metadata file (downloaded when creating the VPN-Self-Service application). 

Step 6: Create a Client VPN Endpoint

Creating a Client VPN Endpoint establishes the secure entry point for users to connect to your AWS VPC. It defines the client CIDR, authentication method, certificates, and acts as the gateway for remote access.

Step 1: Log in to the AWS Management Console and open the VPC service.

Step 2: In the left navigation pane, click on Client VPN Endpoints.

Step 3: Click the Create Client VPN Endpoint button.

Step 4: Fill in the required details:

  • Name/Description: Provide a name for your VPN endpoint (e.g., My-Client-VPN).
  • Client IPv4 CIDR Range: Enter the address pool assigned to connecting clients. It must not overlap with your VPC CIDR, since the client (source) and VPC (destination) networks cannot share addresses.
  • Server Certificate ARN: Select the server certificate you imported into ACM; it secures the TLS session between the client and the endpoint.
  • Authentication Options: Choose SAML-based authentication and attach the IAM Identity Provider you created earlier (VPN-SAML-Provider-1). The second provider (VPN-SAML-Provider-2) is the one to reference for the self-service portal.

Step 5: Configure Connection Logging (optional, for auditing).

Step 6: Under VPC Settings:

  • Select the VPC where you want to deploy the Client VPN endpoint.
  • Attach the Security Group (SG) that allows VPN traffic (e.g., inbound/outbound rules for necessary ports).

Step 7: Review the settings and click on the Create Client VPN Endpoint button.
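The client CIDR chosen in Step 4 cannot be changed after the endpoint is created, so it is worth checking before clicking Create. The following added example (my code, not the page's or AWS's) validates a candidate client CIDR against the VPC CIDR and any other destination networks clients will be routed to; the prefix-length bounds are AWS's documented constraint, and the sample CIDRs are constructed.

```python
import ipaddress

# Documented AWS constraint: a Client VPN IPv4 CIDR block must be between /22 and /12.
MIN_PREFIX, MAX_PREFIX = 12, 22


def validate_client_cidr(client_cidr, vpc_cidr, other_networks=()):
    """Return a list of problems with the chosen client CIDR (empty list means usable).

    other_networks: further destination ranges clients will be routed to (peered VPCs,
    on-premises ranges). Do not pass the default route 0.0.0.0/0 here; it overlaps everything.
    """
    problems = []
    # strict=False normalises "10.0.1.0/22" to its network address instead of raising.
    client = ipaddress.ip_network(client_cidr, strict=False)
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)

    if not MIN_PREFIX <= client.prefixlen <= MAX_PREFIX:
        problems.append(
            f"{client} has prefix /{client.prefixlen}; AWS requires /{MAX_PREFIX} to /{MIN_PREFIX}"
        )
    if client.overlaps(vpc):
        problems.append(f"{client} overlaps the VPC CIDR {vpc}")
    for net in other_networks:
        other = ipaddress.ip_network(net, strict=False)
        if client.overlaps(other):
            problems.append(f"{client} overlaps route destination {other}")
    return problems


if __name__ == "__main__":
    # Constructed values: a 10.0.0.0/16 VPC plus a peered 172.16.2.0/24 range.
    for candidate in ("172.16.0.0/22", "10.0.0.0/22", "192.168.0.0/24"):
        issues = validate_client_cidr(candidate, "10.0.0.0/16", ["172.16.2.0/24"])
        print(candidate, "OK" if not issues else "; ".join(issues))
```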


Step 7: Associate Target Network with Client VPN Endpoint

Associating a target network connects the Client VPN endpoint to a specific VPC subnet. This allows VPN users to access resources inside the VPC through either a public or private subnet, depending on requirements.

Step 1: In the AWS Management Console, go to the VPC service.

Step 2: From the left-hand menu, click on Client VPN Endpoints.

Step 3: Select the Client VPN Endpoint you created earlier.

Step 4: Go to the Target network associations tab.

Step 5: Click on Associate target network.

Step 6: Choose the following:

  • VPC: Select the same VPC where you want to enable VPN access.
  • Subnet: Choose a Public Subnet if you want users to reach the internet through the VPN, or a Private Subnet if users should only reach internal resources.

Step 7: Click on Associate.


Step 8: Create Authorization Rule for SAML Users

Creating an authorization rule defines which users or groups from IAM Identity Center can access specific networks. This ensures only authorized SAML users are allowed to connect to your VPC resources via the VPN.

Step 1: In the AWS Management Console, go to the VPC service.

Step 2: From the left-hand menu, click on Client VPN Endpoints.

Step 3: Select your Client VPN Endpoint.

Step 4: Go to the Authorization rules tab.

Step 5: Click on Add authorization rule.

Step 6: Provide the following details:

  • Destination network: Enter the VPC CIDR block or the specific subnet you want users to access (e.g., 10.0.0.0/16).
  • Grant access to: Select Allow access to users in a specific access group.
  • Access group ID: Choose the SAML Group you created in IAM Identity Center (e.g., VPN-Users).

Step 7: Click Add authorization rule.

Step 8: For internet access, you also have to add a route for 0.0.0.0/0 to the endpoint's route table.

The Client VPN endpoint now shows the Available state.
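The Groups mapping from Step 4 and the authorization rules above meet in the SAML response: AWS Client VPN reads group membership from the memberOf attribute and matches it against each rule's access group ID. The following added example (my code, not the page's or AWS's) parses a constructed assertion and evaluates constructed rules against it; the group names and destination CIDRs are assumptions taken from the steps above.

```python
import ipaddress
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IAM Identity Center response). AWS Client VPN
# expects group membership in the memberOf attribute of the SAML response.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="memberOf">
      <saml2:AttributeValue>VPN-Users</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Authorization rules as configured in Step 8 (constructed). access_group_id None
# corresponds to "Allow access to all users".
RULES = [
    {"destination": "10.0.0.0/16", "access_group_id": "VPN-Users"},
    {"destination": "0.0.0.0/0", "access_group_id": "Internet-Users"},
]


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 assertion."""
    # The stdlib parser is fine for this constructed input; untrusted SAML should go
    # through a hardened XML parser and signature validation first.
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml2:Subject/saml2:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml2:AttributeValue", SAML_NS)]
    return name_id, attrs


def is_authorized(groups, destination_ip, rules=RULES):
    """True if some rule covers destination_ip and applies to one of the user's groups."""
    ip = ipaddress.ip_address(destination_ip)
    for rule in rules:
        if ip not in ipaddress.ip_network(rule["destination"]):
            continue
        if rule["access_group_id"] is None or rule["access_group_id"] in groups:
            return True
    return False


def authorize_from_assertion(xml_text, destination_ip, rules=RULES):
    """Decide whether the asserted user may reach destination_ip; returns (NameID, bool)."""
    name_id, attrs = parse_assertion(xml_text)
    return name_id, is_authorized(attrs.get("memberOf", []), destination_ip, rules)
```

With the sample assertion, alice@example.com is allowed to reach 10.0.5.4 through the VPN-Users rule but not 8.8.8.8, since she is not in Internet-Users.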

Step 9: Download and Install AWS VPN Client

The AWS VPN Client is required on end-user machines to establish a secure connection with the Client VPN endpoint. It uses the configuration file, certificates, and SAML authentication to enable seamless and secure access.

Step 1: Open a terminal on your Ubuntu/Debian system.

Step 2: Import the AWS VPN Client public key:

wget -qO- https://d20adtppz83p9s.cloudfront.net/GTK/latest/debian-repo/awsvpnclient_public_key.asc | sudo tee /etc/apt/trusted.gpg.d/awsvpnclient_public_key.asc

Step 3: Add the AWS VPN Client repository to your system sources:

echo "deb [arch=amd64] https://d20adtppz83p9s.cloudfront.net/GTK/latest/debian-repo ubuntu main" | sudo tee /etc/apt/sources.list.d/aws-vpn-client.list

Step 4: Update the package lists:

sudo apt-get update

Step 5: Install the AWS VPN Client:

sudo apt-get install awsvpnclient


Step 10: Download and Connect with VPN Configuration

Step 1: In the AWS Management Console, go to the VPC service.

Step 2: From the left-hand menu, click Client VPN Endpoints.

Step 3: Select your Client VPN Endpoint and go to the Client configuration tab.

Step 4: Click Download client configuration to get the .ovpn file.

Step 5: Open the AWS VPN Client application on your machine.

Step 6: Import the downloaded .ovpn configuration file into the client.

Step 7: Connect to the VPN. You will be redirected to the IAM Identity Center (SSO) portal for authentication.

Step 8: Sign in using your SAML (IAM Identity Center) credentials.


Step 11: (Optional) If You're Using the Self-Service VPN Application

Step 1: After authentication, go to the Self-Service VPN application (created earlier in IAM Identity Center).

Step 2: Open the application and download the cvpn-endpoint configuration file.

Step 3: Import this new configuration file into the AWS VPN Client (if required).

Step 4: Connect again; this connection is also authenticated via the SSO portal.


Conclusion

Integrating AWS Client VPN with IAM Identity Center (SSO) via SAML 2.0 provides secure, scalable, and user-friendly remote access. It eliminates the need for managing individual VPN credentials by centralising authentication and authorisation. Administrators gain stronger security and compliance, while users enjoy seamless access with their existing SSO credentials—a modern, efficient solution for secure AWS VPN access.
Meet the Author
  • Pritam Kumar
    DevOps Engineer

    Pritam possesses strong expertise in AWS, CI/CD, and Infrastructure as Code. He focuses on designing scalable, automated cloud environments and enhancing overall system performance.
