amazon-web-serviceskeycloaksamlidpaws-vpn

How to set up AWS Client VPN with Keycloak as IdP


I am struggeling to setup AWS Client VPN in combination with Keycloak as IdP via SAML. There is hardly any documentation on this setup and I am not sure if I messed up the client and user configuration on Keycloak side. I was able to get to that point where my AWS Client VPN directs me to the Keycloak athentication page, I add my user and password which is accepted, than a blank page with the https://127.0.0.1:35001 opens up and the connection is canceled with message authentication issue I need to contact my administrator. On AWS CloudWatch I see following messages

"connection-log-type": "connection-reset", "connection-attempt-status": "NA", "connection-attempt-failure-reason": "NA", "client-ip": "NA", "username": "N/A",

"connection-log-type": "connection-attempt", "connection-attempt-status": "waiting-for-assertion", "connection-attempt-failure-reason": "NA", "client-ip": "NA", "username": "N/A",

"connection-log-type": "connection-attempt", "connection-attempt-status": "failed", "connection-attempt-failure-reason": "authentication-failed", "client-ip": "NA", "username": "N/A",

Let me summarize what I did on a highlevel

On Keycloak

On AWS

On my client

Anyone out there with similiar setup that can help me here?


Solution

  • We had a very similar setup as yours and followed very similar steps when setting up our configuration.

    Our issue was that the assertion in the SAML Response contained attributes that were not compatible with AWS Client VPN. Keycloak by default includes the user roles in the SAML assertion as "Role"-attributes, which had to be removed in our case for connection to be successful.

    To remove the default roles from the SAML assertion, we removed the "role_list" client scope under the SAML client settings through the Keycloak Admin UI. The only mappers that were configured for the client were for the attributes listed in here: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/federated-authentication.html#saml-config-service-provider-info