
Securing AWS Client VPN Access with Google Workspace IDP

5 minute read
Content level: Intermediate

This article demonstrates how to enhance your organization's security posture by integrating AWS Client VPN with Google Workspace Identity Provider (IDP). As organizations increasingly adopt cloud solutions and remote work becomes prevalent, securing VPN access through trusted identity providers is crucial for maintaining robust security controls while ensuring seamless user experience.

Security Benefits

  • Single source of truth for identity management
  • Reduced risk of unauthorized access
  • No need to maintain separate credential systems
  • Leverages Google's robust security infrastructure

Step 1: Configure Google Workspace to act as an identity provider for AWS

Setting up SAML authentication in Google Workspace requires creating a custom SAML application to enable AWS Client VPN authentication. To begin, log in to your Google Admin Console at admin.google.com using your administrator credentials. Once logged in, navigate to the Apps section and select "Web and mobile apps." From there, click the "Add app" button and choose "Add custom SAML app" from the available options.

Choose a descriptive and easily identifiable name for your SAML application, such as 'AWS Client VPN Access' or 'AWS VPN Authentication.' On the Google Identity Provider details screen that follows, choose Download metadata and keep the IdP metadata XML file; you will upload it to IAM in Step 2.

On the Service Provider Details screen, enter the following:

  • ACS URL: https://127.0.0.1:35001
  • Entity ID: urn:amazon:webservices:clientvpn
  • Select the Signed response checkbox

Note: Google Workspace requires an HTTPS ACS URL when the app is first created, but AWS Client VPN specifically needs 'http://127.0.0.1:35001' as its endpoint. To get past Google's validation, enter the HTTPS URL for now; the mismatch is temporary, and we will set the correct HTTP URL required by AWS later using a curl command.

On the Attribute mapping page, set up the following three mappings (Google Directory attribute: app attribute), then click Finish.

  • First name: FirstName
  • Last name: LastName
  • Primary email: memberOf

After finishing the SAML configuration, we need to change the ACS URL using curl.

To capture the POST request that saves the SAML application, open the Developer Tools on the Service Provider Details page by pressing F12 or by right-clicking and selecting 'Inspect'. Navigate to the Network tab in the Developer Tools panel, which lets you monitor all network traffic. Make sure network recording is enabled (the red circle should be active) before performing any actions.

In the Network panel, locate the first HTTP POST request labeled 'batchexecute'. Right-click on this request and select 'Copy as cURL' from the context menu. This will copy the complete cURL command to your clipboard. The copied command will include all request details, though for security purposes, the cookies have been omitted from the following example:

--data-raw 'f.req=%5B%5B%5B%22DcqUrb%22%2C%22%5B%5C%2202z0yxrj%5C%22%2C%5C%22758237404685%5C%22%2C%5C%22AWS%20Client%20VPN%20Test%5C%22%2C%5C%22urn%3Aamazon%3Awebservices%3Aclientvpn%5C%22%2C%5C%22v1%5C%22%2C%5C%22%5C%22%2C1%2C%5C%22https%3A%2F%2F127.0.0.1%3A35001%5C%22%2C%5C%22%5C%22%2C%5C%22aws_client_vpn_test%5C%22%2C%5B%5B%5C%22FirstName%5C%22%2C%5C%22_MqPMTTHQumVcl7ZFFhjWw%3D%3D%5C%22%2C%5B14%5D%5D%2C%5B%5C%22LastName%5C%22%2C%5C%22seZJM2nrSlmxuFUmvi4LBA%3D%3D%5C%22%2C%5B18%5D%5D%2C%5B%5C%22memberOf%5C%22%2C%5C%22JEqubiT9RqyLNGLvM5c_bw%3D%3D%5C%22%2C%5B33%5D%5D%5D%2C%5B0%2C%5C%22UNSPECIFIED%5C%22%5D%2C%5B33%5D%2Cnull%2C0%2C%5C%22member-of%5C%22%5D%22%2Cnull%2C%22generic%22%5D%5D%5D&at=ACVhbYtHLWiYgPecFi23uP9W675J%3A1753177185035&'

I ran this output on a Mac machine. You can perform the same operation on any Linux OS.

mymachine> vim testfile

Copy and paste the entire output into the new file. Locate the 'data-raw' parameter in the cURL output and change 'https' to 'http' within this parameter (the URL is percent-encoded inside the body, so it appears as https%3A%2F%2F127.0.0.1%3A35001). Save the file (in vim, use the command :wq!).

mymachine> bash testfile
)]}'

109
[["wrb.fr","DcqUrb","[]",null,null,null,"generic"],["di",2062],["af.httprm",2062,"4882627042853074679",11]]
25
[["e",4,null,null,145]]

After executing the bash command, refresh your browser window to verify the changes. The ACS URL field should now display 'http://127.0.0.1:35001' instead of the previous HTTPS version.
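The following script is an added example (not code from the original article or from AWS or Google) that does the same edit in a checked way: it rewrites the percent-encoded ACS URL in the copied body, refuses to continue unless the old URL occurs exactly once, decodes the f.req parameter to confirm the resulting callback address, and parses the reply that `bash testfile` prints. The sample body is the one shown above with the `at` CSRF token replaced by a placeholder; the function names, the assumption that the body is application/x-www-form-urlencoded as Chrome's "Copy as cURL" produces it, and the treatment of the integer lines in the reply as chunk lengths to be skipped are mine.

```python
"""Added example (not from the article): rewrite the ACS URL in a copied batchexecute
body, verify the edit by decoding f.req, and parse the reply printed by `bash testfile`."""
import json
from urllib.parse import quote, unquote_plus

# Constructed sample: the --data-raw body shown in the article, with the 'at' CSRF
# token replaced by a placeholder. It is sent as application/x-www-form-urlencoded.
SAMPLE_BODY = (
    "f.req=%5B%5B%5B%22DcqUrb%22%2C%22%5B%5C%2202z0yxrj%5C%22%2C%5C%22758237404685%5C%22%2C"
    "%5C%22AWS%20Client%20VPN%20Test%5C%22%2C%5C%22urn%3Aamazon%3Awebservices%3Aclientvpn%5C%22%2C"
    "%5C%22v1%5C%22%2C%5C%22%5C%22%2C1%2C%5C%22https%3A%2F%2F127.0.0.1%3A35001%5C%22%2C%5C%22%5C%22%2C"
    "%5C%22aws_client_vpn_test%5C%22%2C%5B%5B%5C%22FirstName%5C%22%2C%5C%22_MqPMTTHQumVcl7ZFFhjWw%3D%3D%5C%22%2C%5B14%5D%5D%2C"
    "%5B%5C%22LastName%5C%22%2C%5C%22seZJM2nrSlmxuFUmvi4LBA%3D%3D%5C%22%2C%5B18%5D%5D%2C"
    "%5B%5C%22memberOf%5C%22%2C%5C%22JEqubiT9RqyLNGLvM5c_bw%3D%3D%5C%22%2C%5B33%5D%5D%5D%2C"
    "%5B0%2C%5C%22UNSPECIFIED%5C%22%5D%2C%5B33%5D%2Cnull%2C0%2C%5C%22member-of%5C%22%5D%22%2Cnull%2C%22generic%22%5D%5D%5D"
    "&at=EXAMPLE_AT_TOKEN&"
)

# Constructed sample: the reply printed by `bash testfile` in the article.
SAMPLE_RESPONSE = (
    ")]}'\n\n109\n"
    '[["wrb.fr","DcqUrb","[]",null,null,null,"generic"],["di",2062],["af.httprm",2062,"4882627042853074679",11]]\n'
    "25\n"
    '[["e",4,null,null,145]]\n'
)

OLD_ACS = "https://127.0.0.1:35001"
NEW_ACS = "http://127.0.0.1:35001"


def rewrite_acs_url(body: str, old: str = OLD_ACS, new: str = NEW_ACS) -> str:
    """Replace the percent-encoded ACS URL in the form body.

    The URL sits inside a JSON string that is itself inside a JSON string, so in the
    body it appears percent-encoded (https%3A%2F%2F127.0.0.1%3A35001), not literally.
    Refuse to guess if it does not occur exactly once.
    """
    enc_old, enc_new = quote(old, safe=""), quote(new, safe="")
    hits = body.count(enc_old)
    if hits != 1:
        raise ValueError(f"expected exactly one encoded {old!r}, found {hits}")
    return body.replace(enc_old, enc_new)


def decode_freq(body: str):
    """Percent-decode f.req, then JSON-decode the outer envelope and the first RPC's
    stringified payload. Returns (rpc_id, payload_list)."""
    params = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
    outer = json.loads(unquote_plus(params["f.req"]))
    rpc_id, payload_json = outer[0][0][0], outer[0][0][1]
    return rpc_id, json.loads(payload_json)


def find_acs_url(payload: list) -> str:
    """Return the payload string holding the Client VPN callback address.
    Field positions are Google-internal, so search by value rather than by index."""
    hits = [v for v in payload if isinstance(v, str) and "127.0.0.1:35001" in v]
    if len(hits) != 1:
        raise ValueError(f"expected one ACS URL field, found {hits}")
    return hits[0]


def parse_batchexecute_response(text: str) -> list:
    """Split the reply into JSON chunks. The body starts with the anti-XSSI prefix
    )]}' and each chunk is preceded by an integer line (its length), which is skipped."""
    prefix = ")]}'"
    if not text.startswith(prefix):
        raise ValueError("not a batchexecute reply (anti-XSSI prefix missing)")
    chunks = []
    for line in text[len(prefix):].splitlines():
        line = line.strip()
        if line and not line.isdigit():
            chunks.append(json.loads(line))
    return chunks


def rpc_replies(chunks: list) -> dict:
    """Map each answered RPC id to its reply payload ('wrb.fr' entries)."""
    return {e[1]: e[2] for chunk in chunks for e in chunk
            if isinstance(e, list) and e and e[0] == "wrb.fr"}


if __name__ == "__main__":
    fixed = rewrite_acs_url(SAMPLE_BODY)
    rpc_id, payload = decode_freq(fixed)
    print(rpc_id, find_acs_url(payload))  # DcqUrb http://127.0.0.1:35001
    print(rpc_replies(parse_batchexecute_response(SAMPLE_RESPONSE)))  # {'DcqUrb': '[]'}
```

Run it against your own copied body by assigning that body to `SAMPLE_BODY` (keeping your real `at` token and cookies in the curl command itself, never in a shared script). A reply that names the RPC id `DcqUrb` under `wrb.fr` is what the browser's own save action receives; refreshing the Service Provider Details page remains the authoritative check that the ACS URL changed.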

Step 2: Create an IAM identity provider

In the AWS Identity and Access Management (IAM) console, navigate to Identity providers and choose Add provider. For Provider type, choose SAML, and for Provider name, enter a name for your identity provider. Next, upload the IdP metadata XML file that you downloaded from Google Workspace in Step 1. Once you've added the required information, choose Add provider to complete the process.

Step 3: Create a Client VPN endpoint

To create a Client VPN endpoint, open the VPC console and choose Client VPN Endpoints. Choose Create Client VPN Endpoint and enter a name and description for your endpoint. For Client IPv4 CIDR, specify a CIDR range (between /22 and /18) that doesn't overlap with your target network resources. Under Authentication, for Server certificate ARN, select your ACM certificate. For the authentication options, select 'Use user-based authentication' and choose the SAML identity provider created in Step 2. For VPC settings, select your VPC ID and choose a security group. Review your configuration settings, and then choose Create Client VPN Endpoint.

To associate a subnet with your Client VPN endpoint, choose Client VPN Endpoints and select your endpoint. Open the Target network associations tab, and then choose Associate target network. See the following public documentation for more information.

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-target-associate.html

To configure access permissions for your Client VPN endpoint, open the Authorization rules tab in your Client VPN endpoint settings. Choose Add authorization rule and specify the network that you want your VPN users to access. You must create a separate authorization rule for each network that requires VPN access. After adding the rules, wait until the state changes to Available before proceeding. See the following public documentation for more information.

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-rules.html
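A pre-check for the client CIDR chosen in Step 3, as an added example that is not part of the article and not AWS code: it applies the /22 to /18 prefix bound stated above and rejects any range that overlaps the networks the endpoint will route to, which are the same networks you later name in authorization rules. The function name and the sample networks are mine; only the prefix bound and the non-overlap requirement come from the text.

```python
"""Added example (not from the article): pre-check a Client VPN client CIDR against
the prefix-length bound stated above and the networks the endpoint will route to."""
import ipaddress


def validate_client_cidr(client_cidr: str, target_cidrs):
    """Return a list of problems; an empty list means the range is acceptable.

    Checks, in order: the CIDR is a well-formed IPv4 network with no host bits set,
    its prefix length lies within /22 to /18, and it overlaps none of the target
    networks (VPC CIDRs, peered VPCs, on-premises ranges reached through the VPN).
    """
    problems = []
    try:
        client = ipaddress.ip_network(client_cidr, strict=True)
    except ValueError as exc:
        return [f"invalid client CIDR {client_cidr!r}: {exc}"]
    if client.version != 4:
        return [f"client CIDR {client} must be IPv4"]
    if not 18 <= client.prefixlen <= 22:
        problems.append(f"/{client.prefixlen} is outside the allowed /22 to /18 range")
    for target in target_cidrs:
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError as exc:
            problems.append(f"invalid target CIDR {target!r}: {exc}")
            continue
        if net.version == client.version and client.overlaps(net):
            problems.append(f"client CIDR {client} overlaps target network {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a VPC, a peered VPC and an on-premises range.
    targets = ["10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/16"]
    for candidate in ["10.100.0.0/22", "10.0.8.0/22", "10.100.0.0/24", "10.100.0.1/22"]:
        print(candidate, validate_client_cidr(candidate, targets) or "OK")
```

Feed it every CIDR that will appear in a route or authorization rule, including peered and on-premises ranges, since a collision with any of them is what breaks routing for connected clients.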

After completing the configuration steps, you can connect to AWS Client VPN using your Google Workspace credentials. Download and install the AWS Client VPN desktop application from https://aws.amazon.com/vpn/client-vpn-download/ and, in the VPC console, select your Client VPN endpoint and choose Download client configuration to obtain its .ovpn file.

Launch the application, import the Client VPN endpoint configuration file (.ovpn) that you downloaded, and select the endpoint you want to connect to. When prompted, enter your Google Workspace email address and password for authentication. Once authenticated, you'll have secure access to your AWS resources through the VPN connection.

AWS Expert · published 4 months ago · 532 views