Configuring SAML SSO with AWS Client VPN and PingOne

Page created: 1 Mar 2022 |

Page updated: 12 Apr 2022

| 5 min read

Learn to configure SAML single sign-on (SSO) using AWS Client VPN and PingOne.

Make sure you have:

An Amazon Web Services (AWS) account
An Amazon VPC with an EC2 instance
Important:
In the instance Security Group, allow ICMP traffic from the VPC CIDR range. You need this for testing.
A private certificate imported into AWS Certificate Manager (ACM)
PingOne user and group information
A desktop (Windows or macOS) running the latest AWS Client VPN software
Note:
You can download the software here.

Create the AWS Client VPN application in PingOne:

In the PingOne admin portal, go to Connections > Add Application.
Click Advanced Configuration.
In the Choose Connection Type menu, next to SAML, click Configure.
On the Create App Profile page, enter an Application Name, Description, and Icon for your application. Click Next.
For Configure SAML Connection, select Manually Enter and configure the following:
- For ACS URLs, enterhttp://127.0.0.1:35001.
- Select Sign Assertion & Response.
- Select RSA_SHA256 as the algorithm for Signing the response.
- For Entity ID, enter urn:amazon:webservices:clientvpn.
- For Subject nameID format, enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
- For Assertion Validity Duraction (in seconds), enter 300.
- For SLO options, leave the default settings.
After configuring the above values, leave the default settings and click Save and Continue.

Configure Attribute Mapping by adding the followingPingOne Attributes.

PingOne User Attribute	Application Attribute
Username	`saml_subject`
Given Name	`FirstName`
Family Name	`LastName`
Group Names	`memberOf`

The new application is shown in the Applications list.

Expand the application details and on the Policies tab, click the Pencil icon to edit the Authentication Policy.
Expand the application details and on the Configuration tab, download the metadata file.

Note:
You'll upload this metadata file in the next step.

Add PingOne as your IdP in the AWS Management Console.

Important:
AWS Client VPN is a separate app and requires a unique IdP definition in AWS. You cannot reuse an IdP already defined for another app, even if it's from the same vendor.
1. In the AWS Management Console, open the IAM console and in the Access management section, click Identity providers.
2. Click Add Provider.
3. For Provider type, select SAML.
4. For Provider name, enter a unique name.
5. For Metadata document, click Choose file and upload the metadata file that you downloaded from PingOne.
Create an AWS Client VPN endpoint:
1. In the Amazon VPC console, in the Virtual Private Network (VPN) section, click Client VPN Endpoints.
2. Click Create Client VPN Endpoint.
3. Enter your desired Name Tag and Description.
4. For Client IPv4 CIDR, enter <your IP range>/22.
  
  Note:
  This is the IP range that will be allocated to your remote users.
5. For Server certificate ARN, select the certificate you created as a prerequisite.
6. For Authentication Options, select Use user-based authentication and Federated authentication.
7. In the SAML provider ARN list, select the PingOne IdP you configured earlier.
8. In the Other optional parameters section, select Enable split-tunnel and leave the rest of the default values.
  
  Note:
  Enabling split-tunnel makes sure that only traffic to the VPC IP range is forwarded via the VPN.
9. Configure the other options according to your environment requirements.
10. Click Create Client VPN Endpoint to complete the setup.
Configure the AWS Client VPN Endpoint association:
1. In the Amazon VPC console, in the Virtual Private Network (VPN) section, click Client VPN Endpoints.
2. Select the VPN you created in the last step.
  
  It should be in the Pending state.
3. Go to Options > Associations and click Associate.
4. In the Associations list, select the target VPC and subnet that you want to associate your endpoint with.
5. Optional: Repeat the previous steps to associate your Client VPN endpoint to another subnet for high availability.
Set up SAML group-specific authorization:
1. In the Amazon VPC console, in the Virtual Private Network (VPN) section, click Authorization.
2. Click Authorize Ingress.
3. For Destination network to enable, specify the IP address of your EC2 instance that you created as a prerequisite.
4. In the Grant access to section, select Allow access to users in a specific access group.
5. In the Access group ID field, enter the name of the group that you want to allow access to the EC2 instance.
6. Provide an optional description and click Add authorization rule.
Connect to the Client VPN:
1. In the Amazon VPC console, in the Virtual Private Network (VPN) section, click Client VPN Endpoints.
2. Select the VPN that you created.
  
  It should be in the Available state.
3. To download the configuration profile to your desktop, click Download Client Configuration.
4. Open the AWS Client VPN desktop application.
5. Go to File > Manage Profiles.
6. Click Add Profile, choose the configuration profile that you downloaded, and give it a Display Name of your choice.
  
  Your profile appears in the AWS Client VPN profile list.
7. Select your profile and click Connect.
  
  You're redirected to PingOne for authentication.
8. Sign on to PingOne as a user with access to your EC2 instance.
  
  After successful authentication, you should be able to reach the EC2 instance in the target VPC.
Test your connection by sending an ICMP ping to the IP of the instance from your command line terminal.
In your browser, use a plugin, such as SAML-tracer, to confirm that the IdP is sending the correct details in the SAML assertion.