---
title: Configuring SAML SSO with AWS Client VPN and PingOne
description: Learn to configure SAML single sign-on (SSO) using AWS Client VPN and PingOne.
component: configuration_guides
page_id: configuration_guides:amazon:config_saml_awsclientvpn_p1
canonical_url: https://docs.pingidentity.com/configuration_guides/amazon/config_saml_awsclientvpn_p1.html
revdate: May 6, 2024
section_ids:
  before-you-begin: Before you begin
  create-the-aws-client-vpn-application-in-pingone: Create the AWS Client VPN application in PingOne
  result: Result:
  add-pingone-as-your-idp-in-the-aws-management-console: Add PingOne as your IdP in the AWS Management Console
  create-an-aws-client-vpn-endpoint: Create an AWS Client VPN endpoint
  configure-the-aws-client-vpn-endpoint-association: Configure the AWS Client VPN Endpoint association
  set-up-saml-group-specific-authorization: Set up SAML group-specific authorization
  connect-to-the-client-vpn: Connect to the Client VPN
  test-your-connection: Test your connection
---

# Configuring SAML SSO with AWS Client VPN and PingOne

Learn to configure SAML single sign-on (SSO) using AWS Client VPN and PingOne.

## Before you begin

Make sure you have:

* An [Amazon Web Services (AWS) account](https://aws.amazon.com/account/)

* An [Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html) with an [EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html)

  **Note:** In the instance **Security Group**, allow ICMP traffic from the VPC CIDR range. You need this for testing.

* A private certificate imported into [AWS Certificate Manager (ACM)](https://aws.amazon.com/certificate-manager/)

* PingOne user and group information

* A desktop (Windows or macOS) running the latest AWS Client VPN software

  **Note:** You can download the software [here](https://aws.amazon.com/vpn/client-vpn-download/).

## Create the AWS Client VPN application in PingOne

1. In the PingOne admin portal, go to **Connections → Add Application**.

   ![Screen capture of PingOne Applications page with the plus icon outlined in red.](../_images/wos1637005186329.jpg)

2. Click **Advanced Configuration**.

3. In the **Choose Connection Type** menu, next to **SAML**, click **Configure**.

   ![Screen capture of PingOne Advanced Application Configuration section.](_images/edl1647966006621.png)

4. On the **Create App Profile** page, enter an **Application Name**, **Description**, and **Icon** for your application. Click **Next**.

   ![Screen capture of PingOne Create App Profile page with fields filled out pertaining to the AWS Client VPN.](_images/vmv1647966116023.png)

5. For **Configure SAML Connection**, select **Manually Enter** and configure the following:

   * For **ACS URLs**, enter `http://127.0.0.1:35001` (the loopback address and port on which the AWS Client VPN desktop application receives the SAML response).

   * Select **Sign Assertion & Response**.

   * Select **RSA\_SHA256** as the algorithm for **Signing the response**.

   * For **Entity ID**, enter `urn:amazon:webservices:clientvpn`.

   * For **Subject nameID format**, enter `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`.

   * For **Assertion Validity Duration (in seconds)**, enter `300`.

   * For **SLO** options, leave the default settings.

6. After configuring the above values, leave the default settings and click **Save and Continue**.

   ![Screen capture of PingOne Configure SAML Connection page.](_images/xtx1647969677760.png)

7. Configure **Attribute Mapping** by adding the following **PingOne Attributes**:

   | PingOne User Attribute | Application Attribute |
   | ---------------------- | --------------------- |
   | **Username**           | `saml_subject`        |
   | **Given Name**         | `FirstName`           |
   | **Family Name**        | `LastName`            |
   | **Group Names**        | `memberOf`            |

   ### Result:

   The new application is shown in the **Applications** list.

8. Expand the application details and on the **Policies** tab, click the **Pencil** icon to edit the **Authentication Policy**.

9. Expand the application details and on the **Configuration** tab, download the metadata file.

   ![ewt1647976318504](_images/ewt1647976318504.png)

   **Note:** You'll upload this metadata file in the next step.

## Add PingOne as your IdP in the AWS Management Console

**Note:** AWS Client VPN is a separate app and requires its own IdP definition in AWS. You cannot reuse an IdP already defined for another app, even if it's from the same vendor.

1. In the AWS Management Console, open the **IAM** console and in the **Access management** section, click **Identity providers**.

2. Click **Add Provider**.

3. For **Provider type**, select **SAML**.

4. For **Provider name**, enter a unique name.

5. For **Metadata document**, click **Choose file** and upload the metadata file that you downloaded from PingOne.

   ![Screen capture of AWS IAM console SAML configuration settings.](_images/wip1647980007823.png)

## Create an AWS Client VPN endpoint

1. In the **Amazon VPC** console, in the **Virtual Private Network (VPN)** section, click **Client VPN Endpoints**.

2. Click **Create Client VPN Endpoint**.

3. Enter your desired **Name Tag** and **Description**.

4. For **Client IPv4 CIDR**, enter `your-IP-range/22`.

   **Note:** This is the IP range from which addresses are allocated to your remote users.

5. For **Server certificate ARN**, select the certificate you created as a prerequisite.

6. For **Authentication Options**, select **Use user-based authentication** and **Federated authentication**.

7. In the **SAML provider ARN** list, select the PingOne IdP you configured earlier.

   ![Screen capture of Amazon VPC Create Client VPN Endpoint section.](_images/qws1647983631458.png)

8. In the **Other optional parameters** section, select **Enable split-tunnel** and leave the rest of the default values.

   **Note:** Enabling split-tunnel ensures that only traffic destined for the VPC IP range is sent through the VPN; all other traffic leaves the desktop directly.

9. Configure the other options according to your environment requirements.

10. Click **Create Client VPN Endpoint** to complete the setup.

## Configure the AWS Client VPN Endpoint association

1. In the **Amazon VPC** console, in the **Virtual Private Network (VPN)** section, click **Client VPN Endpoints**.

2. Select the VPN you created in the last step.

   It should be in the **Pending** state.

3. Go to **Options → Associations** and click **Associate**.

4. In the **Associations** list, select the target VPC and subnet with which you want to associate your endpoint.

5. **Optional:** Repeat the previous steps to associate your Client VPN endpoint to another subnet for high availability.

## Set up SAML group-specific authorization

1. In the **Amazon VPC** console, in the **Virtual Private Network (VPN)** section, click **Authorization**.

2. Click **Authorize Ingress**.

3. For **Destination network to enable**, specify, in CIDR notation, the IP address of the EC2 instance that you created as a prerequisite.

4. In the **Grant access to** section, select **Allow access to users in a specific access group**.

5. In the **Access group ID** field, enter the name of the group that you want to allow access to the EC2 instance.

6. Provide an optional description and click **Add authorization rule**.
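
The authorization rules above gate traffic by destination network and by the group names that PingOne sends in the `memberOf` attribute. The following Python model is an added example, not code from Ping Identity or AWS: it assumes that a rule applies when the destination falls inside the rule's CIDR and either the rule allows all users or its **Access group ID** exactly equals one of the user's group names, and that access is granted when any rule matches. The rule set, instance address, and group names are constructed for the example.

```python
"""Model of how Client VPN authorization rules gate traffic by SAML group.
Added, constructed example: the matching semantics are an assumption of
this model, not an AWS-documented algorithm."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthorizationRule:
    """One row of the endpoint's Authorization table."""
    destination_cidr: str            # "Destination network to enable"
    access_group_id: Optional[str]   # None models "Allow access to all users"
    description: str = ""


def _covers(rule: AuthorizationRule, destination_ip: str) -> bool:
    """True when the destination address lies inside the rule's network."""
    network = ipaddress.ip_network(rule.destination_cidr, strict=False)
    return ipaddress.ip_address(destination_ip) in network


def rule_matches(rule: AuthorizationRule, user_groups, destination_ip: str) -> bool:
    """A rule applies when it covers the destination and the user is in the
    rule's group (or the rule allows all users). Group IDs are compared
    exactly, which is an assumption of this model."""
    if not _covers(rule, destination_ip):
        return False
    return rule.access_group_id is None or rule.access_group_id in user_groups


def is_destination_allowed(rules, user_groups, destination_ip: str) -> bool:
    """Access is granted if any rule matches (assumed any-match semantics)."""
    return any(rule_matches(r, user_groups, destination_ip) for r in rules)


def why_denied(rules, user_groups, destination_ip: str) -> Optional[str]:
    """Troubleshooting aid: explain why a destination is unreachable, or None if allowed."""
    if is_destination_allowed(rules, user_groups, destination_ip):
        return None
    covering = [r for r in rules if _covers(r, destination_ip)]
    if not covering:
        return f"no authorization rule covers {destination_ip}"
    # Any covering allow-all rule would already have matched, so these all carry group IDs.
    needed = sorted(r.access_group_id for r in covering)
    return (f"{destination_ip} is covered only by rules for groups {needed}; "
            f"user groups {sorted(user_groups)} do not match")


# Constructed rule set: the EC2 test instance at 10.0.1.25 is reachable only by
# members of the PingOne group "vpn-admins"; a shared subnet is open to every
# authenticated user.
SAMPLE_RULES = [
    AuthorizationRule("10.0.1.25/32", "vpn-admins", "EC2 test instance"),
    AuthorizationRule("10.0.2.0/24", None, "shared services subnet"),
]

if __name__ == "__main__":
    for groups in (["vpn-admins", "engineering"], ["engineering"]):
        for ip in ("10.0.1.25", "10.0.2.7", "10.0.3.1"):
            verdict = why_denied(SAMPLE_RULES, groups, ip) or "allowed"
            print(f"groups={groups} dest={ip}: {verdict}")
```

Two points the model makes visible: a user who authenticates successfully but is not in the group named in the rule is still denied, which is the intended outcome of group-specific authorization, and an allow-all rule on a covering network bypasses the group check entirely, so keep such rules to networks that every VPN user should reach.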

## Connect to the Client VPN

1. In the **Amazon VPC** console, in the **Virtual Private Network (VPN)** section, click **Client VPN Endpoints**.

2. Select the VPN that you created.

   It should be in the **Available** state.

3. To download the configuration profile to your desktop, click **Download Client Configuration**.

4. Open the **AWS Client VPN** desktop application.

5. Go to **File → Manage Profiles**.

6. Click **Add Profile**, choose the configuration profile that you downloaded, and give it a **Display Name** of your choice.

   Your profile appears in the AWS Client VPN profile list.

7. Select your profile and click **Connect**.

   You're redirected to PingOne for authentication.

8. Sign on to PingOne as a user with access to your EC2 instance.

   After successful authentication, you should be able to reach the EC2 instance in the target VPC.

## Test your connection

1. To test your connection, from a command-line terminal send an ICMP ping to the private IP address of the instance.

2. In your browser, use a plugin, such as SAML-tracer, to confirm that the IdP is sending the correct details in the SAML assertion.
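
When you read the decoded Response in SAML-tracer, the values to compare against the **Configure SAML Connection** settings and the attribute-mapping table are the `Destination` (the ACS URL), the `Audience` (the Entity ID), the `NameID` format, the `NotBefore`/`NotOnOrAfter` window, and the `FirstName`, `LastName`, and `memberOf` attributes. The following Python checker is an added example, not code from Ping Identity or AWS: it builds a constructed, unsigned Response shaped like one for this app (the issuer URL is a placeholder) and reports each mismatch against the guide's settings. It does not verify the XML signature, which AWS does when it consumes the assertion.

```python
"""Check a SAML Response captured with SAML-tracer against the PingOne
settings this guide configures. Added example: the sample Response is
constructed here, not captured from a PingOne tenant, and it is unsigned."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for captures you do not trust
from datetime import datetime, timedelta

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Values from the "Configure SAML Connection" step of the guide.
ACS_URL = "http://127.0.0.1:35001"
ENTITY_ID = "urn:amazon:webservices:clientvpn"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAX_VALIDITY_SECONDS = 300
# Application attributes from the attribute-mapping table (saml_subject is the NameID).
REQUIRED_ATTRIBUTES = ("FirstName", "LastName", "memberOf")
# Placeholder issuer; a real PingOne issuer carries your environment ID.
ISSUER = "https://auth.pingone.com/EXAMPLE-ENVIRONMENT-ID"


def _utc(moment: datetime) -> str:
    return moment.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_response(groups, nameid_format=NAMEID_FORMAT, validity=300) -> str:
    """Constructed Response shaped like the one SAML-tracer decodes for this app."""
    start = datetime(2024, 5, 6, 12, 0, 0)
    end = start + timedelta(seconds=validity)
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    member_of = f'<saml:Attribute Name="memberOf">{values}</saml:Attribute>' if groups else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_response1" Version="2.0" IssueInstant="{_utc(start)}" Destination="{ACS_URL}">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="{_utc(start)}">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{nameid_format}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{_utc(start)}" NotOnOrAfter="{_utc(end)}">
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      {member_of}
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text: str, expected_group: str) -> list:
    """Return findings; an empty list means the Response matches the guide's settings.
    The XML signature is not verified here (AWS does that); only the visible content is checked."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        findings.append(f"Destination is {root.get('Destination')!r}, expected {ACS_URL!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plain Assertion element (encrypted assertions are not handled)"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        findings.append(f"NameID missing or not in format {NAMEID_FORMAT!r}")
    conditions = assertion.find("saml:Conditions", NS)
    audience = None if conditions is None else conditions.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != ENTITY_ID:
        findings.append(f"Audience is not {ENTITY_ID!r}")
    if conditions is not None and conditions.get("NotBefore") and conditions.get("NotOnOrAfter"):
        window = _parse_time(conditions.get("NotOnOrAfter")) - _parse_time(conditions.get("NotBefore"))
        if window.total_seconds() > MAX_VALIDITY_SECONDS:
            findings.append(f"assertion valid for {int(window.total_seconds())}s, "
                            f"expected at most {MAX_VALIDITY_SECONDS}s")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRIBUTES:
        if name not in attrs:
            findings.append(f"attribute {name!r} missing from AttributeStatement")
    if expected_group not in attrs.get("memberOf", []):
        findings.append(f"memberOf lacks {expected_group!r}, so the group authorization rule will not match")
    return findings


if __name__ == "__main__":
    # A user who is not in the group named in the authorization rule.
    for finding in check_response(build_sample_response(["engineering"]), "vpn-admins"):
        print("FAIL:", finding)
```

To use it on a real capture, paste the decoded Response from SAML-tracer into a string and pass it to `check_response` together with the group name you entered as the **Access group ID**; an empty result means the IdP side matches the configuration, so any remaining connectivity failure lies in the authorization rules, routes, or the instance security group rather than in the assertion.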
