
How to set up AWS Client VPN with Keycloak as IdP


I am struggling to set up AWS Client VPN in combination with Keycloak as IdP via SAML. There is hardly any documentation on this setup and I am not sure if I messed up the client and user configuration on the Keycloak side. I was able to get to the point where my AWS Client VPN directs me to the Keycloak authentication page, I enter my user and password, which are accepted, then a blank page with https://127.0.0.1:35001 opens up and the connection is canceled with a message saying there is an authentication issue and I need to contact my administrator. On AWS CloudWatch I see the following messages:

"connection-log-type": "connection-reset", "connection-attempt-status": "NA", "connection-attempt-failure-reason": "NA", "client-ip": "NA", "username": "N/A",

"connection-log-type": "connection-attempt", "connection-attempt-status": "waiting-for-assertion", "connection-attempt-failure-reason": "NA", "client-ip": "NA", "username": "N/A",

"connection-log-type": "connection-attempt", "connection-attempt-status": "failed", "connection-attempt-failure-reason": "authentication-failed", "client-ip": "NA", "username": "N/A",

Let me summarize what I did on a high level.

On Keycloak

  • Set up a realm
  • Created one SAML client application with client name "urn:amazon:webservices:clientvpn"
  • Added the redirect URL "http://127.0.0.1:35001" as well as "https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml"
  • Then I created a user with a password

On AWS

  • Created a new SAML provider
  • Used the SAML metadata document from the previous client on Keycloak
  • Created a new Client VPN endpoint, added Client CIDR and Server certificate ARN, chose user-based authentication and pointed to the SAML provider ARN created earlier
  • I then associated a VPN and Subnet with the Endpoint and also added an authorization rule with 0.0.0.0/0 as destination

On my client

  • Opened a browser to the self-service portal "https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml"
  • Downloaded the Windows AWS VPN Client as well as the VPN configuration file
  • Set up a profile and clicked on connect
  • Got redirected to Keycloak, put in user and password (accepted) and then got redirected to "http://127.0.0.1:35001", and the connection breaks

Anyone out there with a similar setup that can help me here?


Solution

  • We had a very similar setup as yours and followed very similar steps when setting up our configuration.

    Our issue was that the assertion in the SAML Response contained attributes that were not compatible with AWS Client VPN. Keycloak by default includes the user roles in the SAML assertion as "Role"-attributes, which had to be removed in our case for connection to be successful.

    To remove the default roles from the SAML assertion, we removed the "role_list" client scope under the SAML client settings through the Keycloak Admin UI. The only mappers that were configured for the client were for the attributes listed here: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/federated-authentication.html#saml-config-service-provider-info

    • For the FirstName and LastName SAML attributes we used a User Property mapper with Property, Friendly Name and SAML Attribute Name set respectively as either "FirstName" or "LastName" and SAML Attribute NameFormat set to "Unspecified"
    • For "memberOf" SAML attribute we used a Group List mapper with Group attribute name and Friendly Name set to "memberOf", SAML Attribute NameFormat set to "Unspecified" and Single Group Attribute enabled
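To confirm the fix described in the answer before re-testing the VPN, it helps to inspect the decoded SAML assertion Keycloak actually sends and flag any attribute AWS Client VPN does not document (such as the "Role" attributes from the "role_list" scope) or any mapper whose NameFormat is not Unspecified. The following audit script is an added example, not code from the question, the answer, Keycloak or AWS; the assertion it parses is a constructed sample, and the expected attribute names are taken from the AWS page linked above.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names AWS Client VPN documents (the page linked in the answer)
EXPECTED_ATTRIBUTES = {"FirstName", "LastName", "memberOf"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample: a correct Keycloak assertion plus the "Role" attribute
# that the default "role_list" client scope adds.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName" FriendlyName="FirstName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="LastName" FriendlyName="LastName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf" FriendlyName="memberOf"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role" FriendlyName="Role"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>offline_access</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def audit_assertion(xml_text):
    """Return findings for attributes AWS Client VPN does not expect; empty
    means all names are documented and use the Unspecified NameFormat.
    Inspects a decoded, already-captured assertion; no signature check."""
    root = ET.fromstring(xml_text)
    findings = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name")
        # Per the SAML spec, an absent NameFormat means unspecified
        fmt = attr.get("NameFormat", UNSPECIFIED)
        if name not in EXPECTED_ATTRIBUTES:
            findings.append(f"unexpected attribute {name!r}: remove its mapper or client scope")
        elif fmt != UNSPECIFIED:
            findings.append(f"attribute {name!r} has NameFormat {fmt!r}: set it to Unspecified")
    return findings
```

Run it against the base64-decoded SAMLResponse captured from the browser (for example with a SAML tracer extension) before and after removing the "role_list" scope; an empty result is the state the answer describes as working.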