How does client authentication work on AWS Client VPN?

AWS Client VPN is a managed client-based VPN service. It enables you to securely access your AWS resources from anywhere in the world. To access the Client VPN endpoint, you need to authenticate yourself based on the mechanism configured by the admin. Client authentication is the first security layer before you can connect to the AWS Cloud. It is used to determine whether you are allowed to connect to the Client VPN endpoint or not. If you are allowed to connect, a VPN session gets established and you will be able to use the private resources.

Types of Client Authentication

AWS Client VPN offers the following types of client authentication:

  • Mutual authentication (certificate-based)
  • Active Directory authentication (user-based)
  • Single sign-on (SAML-based federated authentication) (user-based)

As mentioned above, the Active Directory authentication and Single sign-on authentication are user-based auth and can be used if you want to control the access based on a third-party identity provider.

You can either use one of the methods mentioned above alone, or a combination of mutual authentication with a user-based method such as the following:

  • Mutual authentication and federated authentication
  • Mutual authentication and Active Directory authentication

Let\’s try to understand the methods a bit more

Mutual authentication

Mutual authentication in an AWS Client VPN is based on certificates. The server uses client certificates to identify and authenticate a client before they can connect to a Client VPN endpoint. To configure this auth in AWS Client VPN, you must create a server certificate and a key and at least one client certificate and key.

The server certificate is uploaded to the ACM (AWS Certificate manager) and it gets attached to the Client VPN endpoint when the endpoint is provisioned. You have to provide a Certificate Authority(CA) when a server certificate is uploaded to the ACM. To keep things simple, use the same CA to generate the client certificates. If you have generated the client certificate from a different CA than the one used to generate the server certificate, you must import the certificate in ACM for it to work.

Always generate a separate client certificate and key for every client who wishes to connect to the Client VPN Endpoint. If a user leaves the organisation, it will be easy to revoke their access.

Active Directory authentication (user-based)

The other type of authentication you can use is Active Directory authentication. This support is available by integrating with the AWS Directory service. AWS Client VPN can now connect to existing Active Directories and on-premise directories and use them as an authentication framework. This allows you to use your existing auth mechanism and groups to grant users access to the AWS Client VPN. It also supports MFA (multi-factor authentication) if the authentication provider has MFA enabled.

If you are not using Managed Active Directory by AWS, you need to connect your on-premise directory using AD Connector.

Single sign-on (SAML 2.0-based federated authentication)(user-based)

Another form of user-based authentication supported by AWS Client VPN is Single sign-on (SSO) using SAML 2.0 (Security Assertion Markup Language) identity federation. You can use your central identities and configure AWS Client VPN to use SAML-based federated authentication and associate with the IdP. The users can then use their central identities to connect to the Client VPN endpoint.

How to enable SAML-based IdP to work with AWS Client VPN endpoint?

To enable your SAML-based IdP to work with a Client VPN endpoint, you will need the following steps:

  1. You can either use your existing SAML application or create a new one in your central identity provider.
  2. You have to generate and download a federation metadata document to establish the trust relationship between AWS and your identity provider.
  3. Create an IAM SAML identity provider in the same AWS account as the Client VPN and use the metadata file from step 2 to create a trust relationship.
  4. When you are creating your AWS Client VPN endpoint choose the appropriate authentication method i.e. federated authentication and use the IAM SAML identity provider in the previous step to complete the setup.
  5. Enable the self-service portal so your users can download the client configuration file and client to start using the VPN.

How does user-based authentication work?

Following are the steps performed during the user-based authentication.

  1. The user initiates a connection to the Client VPN endpoint using the client provided by AWS.
  2. The AWS VPN client opens a  browser and requests s a request to begin the authentication process via a login page.
  3. Once the login is successful, the AWS VPN Client receives a SAML assertion file with the details. The file is then sent to the AWS Client VPN endpoint for validation.
  4. The Client VPN endpoint validates the assertion and either allows or denies access to the user.

Conclusion

This article explains the client authentication methods available in AWS Client VPN. using either a federated author or an active directory auth to protect your VPN settings makes it easy to manage your users if you have to revoke their access. In upcoming articles, we will see how to set up a few of the mentioned authentication methods and use them.

Articles in this series