Client authentication in AWS Client VPN
Client authentication is implemented at the first point of entry into the AWS Cloud. It is used to determine whether clients are allowed to connect to the Client VPN endpoint. If authentication succeeds, clients connect to the Client VPN endpoint and establish a VPN session. If authentication fails, the connection is denied and the client is prevented from establishing a VPN session.
Client VPN offers the following types of client authentication:
- Active Directory authentication (user-based)
- Mutual authentication (certificate-based)
- Single sign-on (SAML-based federated authentication) (user-based)
You can use one of the preceding methods alone, or you can use a combination of mutual authentication with a user-based method such as the following:
- Mutual authentication and federated authentication
- Mutual authentication and Active Directory authentication
Important
To create a Client VPN endpoint, you must provision a server certificate in AWS Certificate Manager, regardless of the type of authentication that you use. For more information about creating and provisioning a server certificate, see the steps in Mutual authentication in AWS Client VPN.
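The following script is an added example, not part of the AWS documentation, showing how the authentication choices above map onto the `aws ec2 create-client-vpn-endpoint` CLI call. It builds the `--authentication-options` value for each single method and for the two permitted combinations (mutual authentication plus one user-based method), and it always passes `--server-certificate-arn` because the ACM server certificate is required regardless of method. All ARNs, the directory ID and the client CIDR are placeholders; the `AWS_CMD` variable exists only so the script can be exercised offline by substituting `echo` for the real CLI.

```shell
#!/usr/bin/env sh
# Added example (not AWS's own code): assemble a Client VPN endpoint creation
# call for each authentication mode the documentation lists.
# AWS_CMD defaults to the real CLI; a test can set AWS_CMD=echo to dry-run.
AWS_CMD="${AWS_CMD:-aws}"

# Placeholder inputs (constructed, not real resources).
SERVER_CERT_ARN="arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER-SERVER-CERT"
CLIENT_ROOT_CERT_ARN="arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER-CLIENT-CA"
SAML_PROVIDER_ARN="arn:aws:iam::111122223333:saml-provider/PLACEHOLDER-IDP"
DIRECTORY_ID="d-PLACEHOLDER"
CLIENT_CIDR="10.100.0.0/22"

# Print one --authentication-options entry per line for the requested mode.
# Modes: mutual | ad | saml | mutual+ad | mutual+saml
# (a user-based method may only be combined with mutual authentication,
# so ad+saml is deliberately not offered).
auth_options() {
  case "$1" in
    mutual)
      echo "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=$CLIENT_ROOT_CERT_ARN}" ;;
    ad)
      echo "Type=directory-service-authentication,ActiveDirectory={DirectoryId=$DIRECTORY_ID}" ;;
    saml)
      echo "Type=federated-authentication,FederatedAuthentication={SAMLProviderArn=$SAML_PROVIDER_ARN}" ;;
    mutual+ad)
      auth_options mutual; auth_options ad ;;
    mutual+saml)
      auth_options mutual; auth_options saml ;;
    *)
      echo "unsupported authentication mode: $1" >&2; return 1 ;;
  esac
}

# Create the endpoint for the given mode. The server certificate is passed
# in every case; --connection-log-options is mandatory for the CLI call.
create_endpoint() {
  mode="$1"
  opts=$(auth_options "$mode") || return 1
  # $opts is expanded unquoted on purpose: each line (no whitespace inside)
  # becomes one value of the --authentication-options list.
  "$AWS_CMD" ec2 create-client-vpn-endpoint \
    --client-cidr-block "$CLIENT_CIDR" \
    --server-certificate-arn "$SERVER_CERT_ARN" \
    --authentication-options $opts \
    --connection-log-options Enabled=false
}

# Stand-alone usage: dry-run the combined mutual + SAML configuration.
if [ "${0##*/}" != "sh" ] && [ -z "${AWS_CMD_NO_MAIN:-}" ]; then
  AWS_CMD=echo create_endpoint mutual+saml
fi
```

Run with `AWS_CMD=echo` to see the assembled command without touching an account; drop it to issue the real call once the placeholders are replaced with the ARNs of your provisioned server certificate, client CA chain, SAML provider or directory.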