Configuration Guides

Configuring SAML SSO with AWS Client VPN and PingOne

Learn to configure SAML single sign-on (SSO) using AWS Client VPN and PingOne.

Before you begin

Make sure you have:

Create the AWS Client VPN application in PingOne

  1. In the PingOne admin portal, go to Connections → Add Application.

    Screen capture of PingOne Applications page with the plus icon outlined in red.
  2. Click Advanced Configuration.

  3. In the Choose Connection Type menu, next to SAML, click Configure.

    Screen capture of PingOne Advanced Application Configuration section.
  4. On the Create App Profile page, enter an Application Name, Description, and Icon for your application. Click Next.

    Screen capture of PingOne Create App Profile page with fields filled out pertaining to the AWS Client VPN.
  5. For Configure SAML Connection, select Manually Enter and configure the following:

    • For ACS URLs, enter http://127.0.0.1:35001.

    • Select Sign Assertion & Response.

    • Select RSA_SHA256 as the algorithm for Signing the response.

    • For Entity ID, enter urn:amazon:webservices:clientvpn.

    • For Subject nameID format, enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

    • For Assertion Validity Duraction (in seconds), enter 300.

    • For SLO options, leave the default settings.

  6. After configuring the above values, leave the default settings and click Save and Continue.

    Screen capture of PingOne Configure SAML Connection page.
  7. Configure Attribute Mapping by adding the following PingOne Attributes:

    PingOne User Attribute Application Attribute

    Username

    saml_subject

    Given Name

    FirstName

    Family Name

    LastName

    Group Names

    memberOf

    Result:

    The new application is shown in the Applications list.

  8. Expand the application details and on the Policies tab, click the Pencil icon to edit the Authentication Policy.

  9. Expand the application details and on the Configuration tab, download the metadata file.

    ewt1647976318504

    You’ll upload this metadata file in the next step.

Add PingOne as your IdP in the AWS Management Console

AWS Client VPN is a separate app and requires a unique IdP definition in AWS. You cannot reuse an IdP already defined for another app, even if it’s from the same vendor.

  1. In the AWS Management Console, open the IAM console and in the Access management section, click Identity providers.

  2. Click Add Provider.

  3. For Provider type, select SAML.

  4. For Provider name, enter a unique name.

  5. For Metadata document, click Choose file and upload the metadata file that you downloaded from PingOne.

    Screen capture of AWS IAM console SAML configuration settings.

Create an AWS Client VPN endpoint

  1. In the Amazon VPC console, in the Virtual Private Network (VPN) section, click Client VPN Endpoints.

  2. Click Create Client VPN Endpoint.

  3. Enter your desired Name Tag and Description.

  4. For Client IPv4 CIDR, enter your-IP-range/22.

    This is the IP range that will be allocated to your remote users.

  5. For Server certificate ARN, select the certificate you created as a prerequisite.

  6. For Authentication Options, select Use user-based authentication and Federated authentication.

  7. In the SAML provider ARN list, select the PingOne IdP you configured earlier.

    Screen capture of Amazon VPC Create Client VPN Endpoint section.
  8. In the Other optional parameters section, select Enable split-tunnel and leave the rest of the default values.

    Enabling split-tunnel makes sure that only traffic to the VPC IP range is forwarded via the VPN.

  9. Configure the other options according to your environment requirements.

  10. Click Create Client VPN Endpoint to complete the setup.

Configure the AWS Client VPN Endpoint association

  1. In the Amazon VPC console, in the Virtual Private Network (VPN) section, click Client VPN Endpoints.

  2. Select the VPN you created in the last step.

    It should be in the Pending state.

  3. Go to Options → Associations and click Associate.

  4. In the Associations list, select the target VPC and subnet with which you want to associate your endpoint.

  5. Optional: Repeat the previous steps to associate your Client VPN endpoint to another subnet for high availability.

Set up SAML group-specific authorization

  1. In the Amazon VPC console, in the Virtual Private Network (VPN) section, click Authorization.

  2. Click Authorize Ingress.

  3. For Destination network to enable, specify the IP address of your EC2 instance that you created as a prerequisite.

  4. In the Grant access to section, select Allow access to users in a specific access group.

  5. In the Access group ID field, enter the name of the group that you want to allow access to the EC2 instance.

  6. Provide an optional description and click Add authorization rule.

Connect to the Client VPN

  1. In the Amazon VPC console, in the Virtual Private Network (VPN) section, click Client VPN Endpoints.

  2. Select the VPN that you created.

    It should be in the Available state.

  3. To download the configuration profile to your desktop, click Download Client Configuration.

  4. Open the AWS Client VPN desktop application.

  5. Go to File → Manage Profiles.

  6. Click Add Profile, choose the configuration profile that you downloaded, and give it a Display Name of your choice.

    Your profile appears in the AWS Client VPN profile list.

  7. Select your profile and click Connect.

    You’re redirected to PingOne for authentication.

  8. Sign on to PingOne as a user with access to your EC2 instance.

    After successful authentication, you should be able to reach the EC2 instance in the target VPC.

Test your connection

  1. To test your connection, send an ICMP ping to the IP of the instance from your command line terminal.

  2. In your browser, use a plugin, such as SAML-tracer, to confirm that the IdP is sending the correct details in the SAML assertion.