We have an AWS Client VPN endpoint set up with federated authentication; this works well with a SAML IdP. We don't modify the .ovpn at all.
We added support for certificate/mutual authentication to this same Client VPN endpoint.
On the surface it seems possible, but we are finding that it just ends up using federated authentication (but now you have to update the .ovpn config with the client cert/pk block, otherwise it does not work).
I expected us to be able to authenticate with either our IdP OR by specifying the client cert/pk in the .ovpn on a single Client VPN endpoint. Is that assumption wrong?
If I understand the AWS docs correctly, when using a combination of mutual authentication and federated authentication, both methods must be used by the client. It is not an OR but rather an AND condition.
We have some services running on an internal ALB that we would like to access, e.g. some dashboard with sensitive data that we don't want to be publicly accessible.