AWS Client VPN authentication with Gsuite

Following up on the previous post “How to run AWS Client VPN with Multi Factor Authentication”, this post covers another variation: authenticating clients against a different identity provider, this time GSuite. Most of the setup is the same as in the previous post, so this should be quick!

TLDR;

At the moment, AWS Client VPN does not appear to support GSuite as an identity provider directly. To work around this, I used AWS SSO as an intermediary that glues GSuite and AWS Client VPN together. As with Okta, it offloads the authentication to GSuite, and you can use MFA for authentication.

Connect AWS SSO and GSuite

The first half of this post is based on the AWS guide “How to use G Suite as an external identity provider for AWS SSO”, and walks through the integration between GSuite and AWS SSO. If you already have this in place, skip to the next section.

1. Initial setup of AWS SSO and GSuite SAML APP

Follow the guide up to “Manage Users and Permissions” to set up AWS SSO and the SAML application:

  1. Set up External Identity Provider in AWS SSO
  2. Set up SAML Application on GSuite

2. User registration on AWS SSO

At the moment, this integration doesn’t support SCIM, so the administrator needs to add users to AWS SSO manually. This can be automated with ssosync, but for simplicity this post uses manual registration.

The registration itself is simple. Click “Add User” in AWS SSO and fill in the required fields with the user’s information so that it matches the user’s GSuite account.

Click “Next” and then “Add User”. Since this user record is only needed for AWS Client VPN authentication, we don’t need to grant any other permissions for now.

Connect AWS SSO and AWS Client VPN

1. Create an application on AWS SSO

Next, we configure AWS SSO to provide ID information for AWS Client VPN.

In the AWS SSO dashboard, click “Application”, then “Add a new Application”, and select “Add a custom SAML 2.0 application”.

On the next page, enter any name you prefer, and:

  • Download AWS SSO metadata
  • In Application metadata, use the values below:
    • Application ACS URL: http://127.0.0.1:35001
    • Application SAML audience: urn:amazon:webservices:clientvpn

Click “Save Changes”

Go to “Attribute mappings”, and create mappings as below:

  • Subject
    • string: ${user:subject}
    • format: emailAddress
  • NameID
    • string: ${user:email}
    • format: basic

Click “Save”.

Next, go to “Assigned users”, and select users who you want to grant access to.
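When a login fails, the quickest way to tell whether the application settings above are the cause is to decode the SAMLResponse the browser posts to the ACS URL and compare it with the values you configured. The checker below is an added example, not code from the original post or from AWS; it assumes that the “Subject” mapping is rendered as the assertion’s NameID element and the “NameID” mapping as an attribute in the AttributeStatement, and it does not validate the signature.

```python
import xml.etree.ElementTree as ET

# Values the post configures in the AWS SSO custom SAML application.
EXPECTED_ACS_URL = "http://127.0.0.1:35001"
EXPECTED_AUDIENCE = "urn:amazon:webservices:clientvpn"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_saml_response(xml_text: str) -> list:
    """Return mismatches against the post's settings; an empty list means OK."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != EXPECTED_ACS_URL:
        problems.append("Destination is not the Client VPN ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in response"]
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("Audience is not urn:amazon:webservices:clientvpn")
    # Assumed rendering of the mappings: the "Subject" row (${user:subject},
    # emailAddress) becomes the NameID element; the "NameID" row (${user:email},
    # basic) becomes an Attribute in the AttributeStatement.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Subject NameID missing or not emailAddress format")
    attr = next((a for a in assertion.findall(".//saml:Attribute", NS)
                 if a.get("Name") == "NameID"), None)
    if attr is None or attr.get("NameFormat") != BASIC_FORMAT:
        problems.append("NameID attribute missing or not basic format")
    elif not any(v.text for v in attr.findall("saml:AttributeValue", NS)):
        problems.append("NameID attribute has no value")
    return problems

# Constructed, unsigned sample; signature validation is out of scope here.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" Destination="{EXPECTED_ACS_URL}"><saml:Assertion>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="NameID" NameFormat="{BASIC_FORMAT}">
  <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE))  # []
```

To use it on a real failure, base64-decode the SAMLResponse field from the browser’s network log and pass the XML text to check_saml_response.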

2. Add AWS SSO as an ID provider

In IAM, click “Identity Providers” and “Create Provider”.

In Provider Type, select “SAML”. Name the provider, and select the metadata file you downloaded during the previous step.

Click “Next”, and “Create” to register AWS SSO as an ID provider.

3. Add AWS Client VPN Endpoint

The last step is exactly the same as in the previous post, except that we specify the AWS-SSO IdP instead of Okta. The identity provider cannot be changed once the endpoint is created, so you need to create another endpoint even if you already have one set up with Okta.

In VPC, go to “AWS Client VPN Endpoint” and “Create Client VPN Endpoint”. Use whatever parameters you prefer; the only difference is the “SAML provider ARN”, which must be the AWS-SSO provider you created in the previous step.

Once created, associate the endpoint with the subnet of your choice.

Then authorize which networks are reachable. Here we use “allow all” for the entire VPC segment (10.0.0.0/16) for demo purposes, but in production you should manage this authorization list carefully.

Connection Test

Now everything is set up and ready to test. Download the client configuration from the AWS Management Console and load it into the AWS Client VPN software on your local machine.

Once you connect, your default browser opens and directs you to Google authentication.

Once you provide all the credentials correctly, you are connected to AWS.

You can now access your internal server using its internal IP address, or any other resource.


AWS is adding features constantly, and an easier integration should be possible in the future. Please do let me know if you know such a feature exists 🙂

4 Replies to “AWS Client VPN authentication with Gsuite”

  1. Awesome, it works like a charm.
    When I tried to enforce TLS version 1.2 with the option “tls-version-min 1.2”, it didn’t work.
    Is there any workaround for this?

  2. Thanks for doing this blog, it’s great. I have been having a couple of issues though, and the one I am stuck on is a Google error when I try to log in while testing the connection: I get Error: app_not_configured_for_user
    I have double-checked and the small app is enabled for every user within Google. Not sure what else it could be.

    1. Hi Phil, thanks for your message. Most often it happens when you have another Google account logged in on the browser. Be sure to use an incognito window, or clear the cache, and please try again.
