Enable SAML for AWS Client VPN
You can enable SAML for single sign-on for Client VPN by completing the following steps. Alternatively, if you enabled the self-service portal for your Client VPN endpoint, instruct your users to go to the self-service portal to get the configuration file and the AWS-provided client. For more information, see AWS Client VPN access to the self-service portal.
To enable your SAML-based IdP to work with a Client VPN endpoint, you must do the following.
- Create a SAML-based app in your chosen IdP to use with AWS Client VPN, or use an existing app.
- Configure your IdP to establish a trust relationship with AWS. For resources, see SAML-based IdP configuration resources.
- In your IdP, generate and download a federation metadata document that describes your organization as an IdP. This signed XML document is used to establish the trust relationship between AWS and the IdP.
- Create an IAM SAML identity provider in the same AWS account as the Client VPN endpoint. The IAM SAML identity provider defines your organization's IdP-to-AWS trust relationship using the metadata document generated by the IdP. For more information, see Creating IAM SAML Identity Providers in the IAM User Guide. If you later update the app configuration in the IdP, generate a new metadata document and update your IAM SAML identity provider.
  Note: You do not need to create an IAM role to use the IAM SAML identity provider.
- Create a Client VPN endpoint. Specify federated authentication as the authentication type, and specify the IAM SAML identity provider that you created. For more information, see Create an AWS Client VPN endpoint.
- Export the client configuration file and distribute it to your users. Instruct your users to download the latest version of the AWS-provided client, and to use it to load the configuration file and connect to the Client VPN endpoint.
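The IAM and endpoint steps above, as an added AWS CLI example that is not part of the AWS page: it registers the metadata document as an IAM SAML provider, creates the endpoint with federated authentication, and exports the client configuration. The provider name, ARNs, CIDR block and the sample metadata document are placeholders or constructed values, and the metadata sanity check before registration is an extra step the page itself does not prescribe.

```shell
#!/bin/sh
# Added example, not code from the AWS documentation. Replace every ARN, name
# and CIDR below with your own values before running the aws commands.

# Return 0 when the file looks like a signed SAML 2.0 IdP metadata document.
# An unsigned file would let the IdP-to-AWS trust rest on an unauthenticated
# document, so refuse to register it.
check_idp_metadata() {                 # $1 = metadata file
  f="$1"
  grep -q 'entityID='            "$f" || { echo "no entityID in $f" >&2; return 1; }
  grep -q 'IDPSSODescriptor'     "$f" || { echo "$f is not an IdP descriptor" >&2; return 1; }
  grep -qE '<(ds:)?Signature[ >]' "$f" || { echo "$f is not signed" >&2; return 1; }
}

# Print the entityID so it can be compared with what the IdP administrator expects.
metadata_entity_id() {                 # $1 = metadata file
  sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Create the IAM SAML identity provider (same account as the endpoint); prints its ARN.
create_saml_provider() {               # $1 = provider name, $2 = metadata file
  check_idp_metadata "$2"
  aws iam create-saml-provider --name "$1" --saml-metadata-document "file://$2" \
      --query SAMLProviderArn --output text
}

# Create the endpoint with federated authentication; prints the endpoint ID.
create_federated_endpoint() {          # $1 = SAML provider ARN, $2 = server cert ARN, $3 = client CIDR
  aws ec2 create-client-vpn-endpoint --client-cidr-block "$3" \
      --server-certificate-arn "$2" \
      --authentication-options "Type=federated-authentication,FederatedAuthentication={SAMLProviderArn=$1}" \
      --connection-log-options Enabled=false \
      --query ClientVpnEndpointId --output text
}

# Export the client configuration file that is distributed to users.
export_client_config() {               # $1 = endpoint ID, $2 = output path (.ovpn)
  aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id "$1" \
      --output text > "$2"
}

# Constructed sample: a minimal signed IdP metadata document for exercising the check offline.
write_sample_metadata() {              # $1 = path
  cat > "$1" <<'EOF'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/saml">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
EOF
}
```

A full run is `arn=$(create_saml_provider MyIdP metadata.xml)`, then `id=$(create_federated_endpoint "$arn" "$CERT_ARN" 10.0.0.0/22)`, then `export_client_config "$id" client-config.ovpn`.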