Can a single AWS Client VPN Endpoint support federated and certificate-based authentication simultaneously?

edward · December 31, 2023, 8:51am

Hi friends, is it possible to have a single AWS Client VPN Endpoint that supports both federated and certificate based authentication? https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_endpoint

We have a aws client vpn endpoint setup with federated-authentication , this works well with saml idp. We dont modify the .opvn at all.

We added support for certificate/mutual-authentication to this same client vpn endpoint.

On the surface it seems possible but we are finding that it just ends up using federated-authentication ( but now you have to update the opvn config with the client cert/pk block otherwise it does not work).

I expected us to be able to authenticate with either our idp OR by specifying client cert/pk in the opvn on a single client vpn endpoint. is that assumption wrong?

kPate · December 31, 2023, 9:45am

I am no expert in here, but as far as I understand it requires both/combination.

edward · December 31, 2023, 10:12am

Hi, sorry i dont understand, what do you mean?

edward · December 31, 2023, 10:13am

You can specify federated-authenticaiton only, which is what we currently do

edward · December 31, 2023, 10:42am

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html

edward · December 31, 2023, 11:17am

You can use one of methods listed above alone, or a combination of mutual authentication with a user-based method such as the following:

Mutual authentication and federated authentication

kPate · December 31, 2023, 12:00pm

If I understand the aws docs correctly, when using a combination of Mutual authentication and federated authentication, both of the methods must be used by client. It is not an OR but rather AND condition.

edward · December 31, 2023, 12:22pm

hmm ok, where are you reading that?

kPate · December 31, 2023, 1:08pm

That’s what the word combination suggests…imo

kPate · December 31, 2023, 1:54pm

https://www.reddit.com/r/aws/comments/o8lcup/both_client_vpn_auths/

edward · December 31, 2023, 2:28pm

Ok ye that sucks, thanks!

kPate · December 31, 2023, 3:24pm

Sorry unfortunate

edward · December 31, 2023, 3:29pm

So now if we wanted to use mutual-authentication only we would be spinning up a seperate vpn endpoint, dedicated to mutual authentication

edward · December 31, 2023, 4:05pm

Ye no worries, im actually just looking into alternatives incase our current idp goes down and i need a backup solution

edward · December 31, 2023, 4:39pm

Was hoping i could reuse the single vpn endpoint, but guess not

kPate · December 31, 2023, 5:05pm

which would be expensive

edward · December 31, 2023, 5:07pm

Ye, the cost is why it sucks, it would be too much to have it running all the time only for backup use

kPate · December 31, 2023, 5:54pm

I think there was relative newer services called Verified something

kPate · December 31, 2023, 6:44pm

Not sure what you are trying to achieve but https://aws.amazon.com/verified-access/?did=ap_card&trk=ap_card

edward · December 31, 2023, 7:39pm

We have some services running on an internal alb, that we would like to access, e.g some dashboard with sensitive data we dont want it to be publically accessible