AWS Client VPN with Google SSO

Hi all,

Has anyone managed to get the AWS Client VPN working with Google SSO recently? I looked at a few “hacks” for changing the ACS URL from https to http but they don’t seem to work anymore.

The instructions here do work (although they do require some level of technical understanding and use of ‘curl’): https://www.innablr.com.au/blog/aws-client-vpn-setup-with-google-workspace-formerly-g-suite-authentication

I have this configured right now, but I intend to convert to using AWS SSO backed by Google instead.

Ran into the same problem, can confirm that the workarounds used to work, but now Google returns 400 Bad Request if you try to POST the new URL directly via curl.

Yeah, I gave up on AWS VPN a long time ago. It’s insanely expensive for what it is and there are much better solutions on the market now. Thanks for the reply though.

I don’t quite follow what you’re saying?

AWS SSO, now called IAM Identity Center, can be configured to use Google Workspace as the Identity Provider. So in that configuration you can use AWS SSO as the Client VPN authenticator, but it goes all the way back to Google to authorize the user.

That is how I have it configured now, but I worked with Amazon support last night and the answer basically came down to: it won’t work because Google authorizes Identity Center, but that never makes it back to the VPN client.

If you manage to make this work please let me know how.

==== Finding

  1. When the AWS Client VPN endpoint generates a SAML GET request via IAM Identity Center, it gets forwarded to Gsuite.

  2. When Gsuite generates the assertion, the recipient is IAM Identity Center. However, the expected recipient is 'http://127.0.0.1:35001'. This is due to the fact that Gsuite is sending the assertion for IAM Identity Center, not AWS CVPN.

  3. The doc [1] explains the process of using IAM Identity Center when it is itself acting as IDP. However, in your case Gsuite is acting as IDP.

When a third party is used as IDP:

  1. Create the AWS Client VPN app directly on the IDP.

  2. Skip the IAM Identity Center part and go directly to IAM and create the identity provider.

  3. Since you are using Gsuite, you are required to change the ACS from https to http.

That’s the summary from AWS in the ticket.
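The support finding above boils down to a standard SAML service-provider check: the Client VPN desktop client only accepts an assertion whose `Recipient` (in `SubjectConfirmationData`) and `Audience` name the VPN client itself, and an assertion Google issued for the Identity Center ACS fails that check. The following is an added example, not code from the thread or from AWS, showing that check in Python on constructed, unsigned sample responses. The loopback ACS `http://127.0.0.1:35001` comes from the thread; the Identity Center ACS value is an obvious placeholder, and the audience URI `urn:amazon:webservices:clientvpn` is assumed (it is what the Client VPN SAML documentation specifies, to the best of my knowledge, but treat it as an assumption here). Signature validation is deliberately out of scope; a real SP must verify the signature before trusting any of these fields.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values the Client VPN service provider expects (ACS from the thread; audience assumed).
CVPN_ACS_URL = "http://127.0.0.1:35001"
CVPN_AUDIENCE = "urn:amazon:webservices:clientvpn"

# Placeholder standing in for the Identity Center ACS URL that Google was actually
# issuing assertions for (constructed; not a real endpoint).
IDC_ACS_PLACEHOLDER = "https://IDENTITY-CENTER-ACS.example/saml/acs"


def constructed_response(recipient, audience, name_id="alice@example.com"):
    """Build a minimal, unsigned SAML Response for illustration (constructed sample data)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion_target(xml_text, expected_acs, expected_audience):
    """Return (ok, reason) after checking Recipient and Audience against the SP's own values.

    Comparison is exact: a scheme or port mismatch (https vs http) is a rejection,
    which is why the ACS registered at the IdP must match the client's loopback URL.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element in Response"

    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS
    )
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected_acs:
        return False, f"Recipient {recipient!r} does not match expected ACS {expected_acs!r}"

    audiences = [
        a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS
        )
    ]
    if expected_audience not in audiences:
        return False, f"Audience {audiences!r} does not include {expected_audience!r}"

    return True, "Recipient and Audience match the VPN client"


def demo():
    """Run the three cases the thread describes and return their (ok, reason) results."""
    cases = {
        "issued for Client VPN": constructed_response(CVPN_ACS_URL, CVPN_AUDIENCE),
        "issued for Identity Center": constructed_response(IDC_ACS_PLACEHOLDER, CVPN_AUDIENCE),
        "https ACS (Google default)": constructed_response("https://127.0.0.1:35001", CVPN_AUDIENCE),
    }
    return {
        name: check_assertion_target(xml, CVPN_ACS_URL, CVPN_AUDIENCE)
        for name, xml in cases.items()
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

Only the first case is accepted; the Identity Center-addressed assertion and the https-scheme variant are both rejected on the `Recipient` comparison, which is the mismatch the support ticket describes and why the ACS registered at the IdP has to be the client's http loopback URL rather than an Identity Center URL.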

Wanted to follow up on this. Were you able to successfully implement VPN with GSuite SSO?