Can a single AWS Client VPN Endpoint support federated and certificate-based authentication simultaneously?

Hi friends, is it possible to have a single AWS Client VPN Endpoint that supports both federated and certificate-based authentication? https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_endpoint

We have an AWS Client VPN endpoint set up with federated-authentication; this works well with our SAML IdP. We don't modify the .ovpn at all.

We added support for certificate/mutual-authentication to this same client vpn endpoint.

On the surface it seems possible, but we are finding that it just ends up using federated-authentication (but now you have to update the .ovpn config with the client cert/pk block, otherwise it does not work).

I expected us to be able to authenticate with either our IdP OR by specifying the client cert/pk in the .ovpn on a single Client VPN endpoint. Is that assumption wrong?

I am no expert here, but as far as I understand, it requires both (a combination).

Hi, sorry, I don't understand; what do you mean?

You can specify federated-authentication only, which is what we currently do.

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html

You can use one of methods listed above alone, or a combination of mutual authentication with a user-based method such as the following:

Mutual authentication and federated authentication

If I understand the AWS docs correctly, when using a combination of mutual authentication and federated authentication, both of the methods must be used by the client. It is not an OR but rather an AND condition.

Hmm, ok, where are you reading that?

That's what the word "combination" suggests... imo

https://www.reddit.com/r/aws/comments/o8lcup/both_client_vpn_auths/

Ok, yeah, that sucks. Thanks!

Sorry, unfortunate :confused:

So now, if we wanted to use mutual-authentication only, we would be spinning up a separate VPN endpoint dedicated to mutual authentication.

Yeah, no worries. I'm actually just looking into alternatives in case our current IdP goes down and I need a backup solution.

Was hoping I could reuse the single VPN endpoint, but guess not.

Which would be expensive.

Yeah, the cost is why it sucks; it would be too much to have it running all the time only for backup use.

I think there was a relatively newer service called Verified something.

Not sure what you are trying to achieve but https://aws.amazon.com/verified-access/?did=ap_card&trk=ap_card

We have some services running on an internal ALB that we would like to access, e.g. some dashboard with sensitive data that we don't want to be publicly accessible.