Can not connect to AWS VPN Client "Unknown error occurred. Try again"

7

When my coworker and I attempt to connect to the AWS VPN Client, an error message pops up saying 'Unknown error occurred. Try again.' In the first case, I changed my WiFi while connecting to the AWS Client VPN before encountering this error. In the second case, my coworker rebooted his computer prior to experiencing this error.

  • Got an Update from AWS Support

    Hello,

    The AWS Client VPN team is aware of an issue affecting customers that use SAML authentication and Google Chrome v.123 or other browsers that are based on Google Chrome v.123 such as Microsoft Edge and Brave. A new feature, PrivateNetworkAccessForNavigation, was released in Chrome v.123 that resulted in an additional HTTP message being sent to the AWS Client VPN during the SAML authentication request. Chrome has rolled back this feature and workarounds exist for Chrome, Edge, and Brave which are included within this message. Although the underlying issue was with the new Chrome feature, we are proactively adding capabilities to AWS Client VPN to filter out additional HTTP messages during SAML authentication with an estimated release date of April 12, 2024.

    WORKAROUND FOR MICROSOFT EDGE BROWSER:

    1. Open the Edge Browser
    2. In a new tab paste: edge://flags/#block-insecure-private-network-requests
    3. This will highlight the required flag, set this to 'Disabled'.
    4. Select the Restart button on the lower right of the browser.

    WORKAROUND FOR GOOGLE CHROME BROWSER: Chrome Browsers v123.*

    1. Open Chrome
    2. In a new tab paste: chrome://flags/#block-insecure-private-network-requests
    3. This will highlight the required flag, set this to 'Disabled'.
    4. Select the Relaunch button on the lower right of the browser.

ben
asked a month ago · 5884 views
15 Answers
7

Had the same problem. It turned out to be Google Chrome not passing the SAML request properly. To access, change your default browser.

David
answered a month ago
EXPERT
reviewed a month ago
1

Our response from AWS -

The AWS Client VPN team is aware of an issue affecting customers that use Chrome version 123 and SAML authentication. [1] We are working a new client release to address this issue, and as a workaround, we recommend using another browser, such as Firefox.

Please if possible use Firefox or Edge. AWS is currently working to identify and resolve the issue. Thank you for your patience.

answered a month ago
  • Has a fix been released for the AWS VPN client or anything that is Chrome based?

  • Got an Update from AWS Support

    Hello,

    The AWS Client VPN team is aware of an issue affecting customers that use SAML authentication and Google Chrome v.123 or other browsers that are based on Google Chrome v.123 such as Microsoft Edge and Brave. A new feature, PrivateNetworkAccessForNavigation, was released in Chrome v.123 that resulted in an additional HTTP message being sent to the AWS Client VPN during the SAML authentication request. Chrome has rolled back this feature and workarounds exist for Chrome, Edge, and Brave which are included within this message. Although the underlying issue was with the new Chrome feature, we are proactively adding capabilities to AWS Client VPN to filter out additional HTTP messages during SAML authentication with an estimated release date of April 12, 2024.

    WORKAROUND FOR MICROSOFT EDGE BROWSER:

    1. Open the Edge Browser
    2. In a new tab paste: edge://flags/#block-insecure-private-network-requests
    3. This will highlight the required flag, set this to 'Disabled'.
    4. Select the Restart button on the lower right of the browser.

    WORKAROUND FOR GOOGLE CHROME BROWSER: Chrome Browsers v123.*

    1. Open Chrome
    2. In a new tab paste: chrome://flags/#block-insecure-private-network-requests
    3. This will highlight the required flag, set this to 'Disabled'.
    4. Select the Relaunch button on the lower right of the browser.
0

Hello.

Since that message alone doesn't tell you anything, I recommend checking the logs listed in the document below.
https://docs.aws.amazon.com/vpn/latest/clientvpn-user/macos-troubleshooting.html

EXPERT
answered a month ago
EXPERT
reviewed a month ago
  • ovpn_aws_vpn_client_20240321.log

    ```
    2024-03-21 10:56:26.254 +09:00 [DBG] >LOG:1710986186,,AUTH: Received control message: AUTH_FAILED,CRV1:R:instance-2/7348629710229681913/012808df-d626-4ddc-851b-4a6970ebf886:b'Ti9B':https://lguplus.okta.com/app/aws_clientvpn/exk3vmn49ctSIu6ub697/sso/saml?SAMLRequest={SAMLREQUEST}
    2024-03-21 10:56:26.372 +09:00 [DBG] >LOG:1710986186,I,SIGUSR1[soft,auth-failure] received, process restarting
    2024-03-21 10:56:26.372 +09:00 [DBG] >LOG:1710986186,,MANAGEMENT: >STATE:1710986186,RECONNECTING,auth-failure,,,,,
    2024-03-21 10:56:26.372 +09:00 [DBG] >LOG:1710986186,,Restart pause, 5 second(s)
    ```
    
  • I followed the troubleshooting guideline at your link, but the error was not resolved.

    The error log message is as follows.

    Executed the shell command "tail -f *.log" in /.config/AWSVPNClient/logs:

    ```
    [ERR] Exception recieved by connection view controller system. Exception: Failed to find SAML response in request
    at ACVC.Core.Saml.SamlManager.Login (System.String loginURL) [0x001b7] in <80a8cd494153490890bebf3908844eb4>:0
    at ACVC.Core.OpenVpn.OvpnConnectionManager.GetSamlAssertion (System.String url) [0x0008f] in <80a8cd494153490890bebf3908844eb4>:0
    ```
    
  • From the error message, I thought there was something wrong with SAML authentication. Are there any problems on the SAML side or have you changed any settings? I'm not sure which authentication provider you are using, but if you can delete sessions etc., you may want to try deleting them once.

  • I adopted Okta SAML authentication. I deleted the session, the AWS Client VPN application, and the configuration, and reinstalled them, but it didn't work.

0

The latest Chrome update breaks AWS Client VPN when using SSO. Many are reporting this.

EXPERT
answered a month ago
EXPERT
reviewed a month ago
  • Interesting. I have Chrome 122.0.6261.129 and my AWS VPN Client still works.

0

My MacBook version was 13.2.1, and I encountered the same symptom while performing SAML authentication with Okta. I have updated the MacBook version to 14.4, but the same symptom persists.

jeon
answered a month ago
0

I'm getting the same error with a couple of users and we have the same Okta + AWS VPN Client usage. For one of the users, I changed the default web browser to Microsoft Edge and it started working. But for the other user, since she is on another domain, it's getting difficult due to many restrictions.

Try this guys.

Not sure what is to be pinpointed in Google Chrome at the moment.

Edit: I had no issues on macOS, just Windows and AWS VPN Client on 3.11.1

Allen
answered a month ago
0

Can confirm, at least in Chrome version 123.0.6312.59 (We pushed this last night) is not working.

Edge: 122.0.2365.92 works or until Microsoft catches up with Chromium

Firefox: 123.0.1 => works

We don't use Okta but still use SAML with Microsoft Entra AD via SAML application.

answered a month ago
0

Yes, it is the same issue with AWS client VPN, and on the latest Chrome version 123.0.6312.59 is not working with SAML

Silb
answered a month ago
0

The SAML issue with Jumpcloud occurs on both Mac and Windows in Chrome version 123.0.6312.59 as well

Pius
answered a month ago
0

Confirmed by several people in our company that the breaking change happened in Chrome 123.0.6312.59 (Official Build) (arm64) when using Okta.

The regression still exists in:

  • 124.0.6367.8 (Official Build) beta (arm64)
  • 125.0.6370.0 (Official Build) canary (arm64)

Romain
answered a month ago
0

If you use macOS, you can try setting up an additional app to open the AWS VPN Client URL in Firefox or Safari instead of Chrome, if you have Chrome as the default.

Check these apps to handle that:

https://loshadki.app/openin4/

https://choosy.app/

https://github.com/will-stone/browserosaurus

Personally, I tried with FF and Safari and the auth works correctly.

calo
answered a month ago
0

As a note, the actual error message has "occurred" spelled incorrectly as "Unknown error ocurred. Try again." There's a new update to Chrome 123 that seems to fix this issue.

Eric V
answered a month ago
0

This issue might not be related to the browser, because I got the same error on Arc Browser and it was resolved when I switched to Chrome. Since everyone is complaining about Chrome in this topic, I think it's not directly a browser-related issue. It seems to be an issue related to the last browser you used. It doesn't matter which one it is.

devsin
answered a month ago
0

For those who have not seen it, Okta has released a "solution":

  1. Open Chrome
  2. In a new tab paste: chrome://flags/#block-insecure-private-network-requests
  3. This will highlight the flag, set this to Disabled
  4. Select the Relaunch button on the lower right of the browser.
  5. Retry enrollment

https://support.okta.com/help/s/article/windows-users-see-something-went-wrong-please-try-again-when-enrolling-in-okta-fastpass-using-the-latest-chrome-edge-browser?language=en_US

I tested on MacOSX and it worked for me.

nciervo
answered a month ago
0

Got an Update from AWS Support

Hello,

The AWS Client VPN team is aware of an issue affecting customers that use SAML authentication and Google Chrome v.123 or other browsers that are based on Google Chrome v.123 such as Microsoft Edge and Brave. A new feature, PrivateNetworkAccessForNavigation, was released in Chrome v.123 that resulted in an additional HTTP message being sent to the AWS Client VPN during the SAML authentication request. Chrome has rolled back this feature and workarounds exist for Chrome, Edge, and Brave which are included within this message. Although the underlying issue was with the new Chrome feature, we are proactively adding capabilities to AWS Client VPN to filter out additional HTTP messages during SAML authentication with an estimated release date of April 12, 2024.

WORKAROUND FOR MICROSOFT EDGE BROWSER:

  1. Open the Edge Browser
  2. In a new tab paste: edge://flags/#block-insecure-private-network-requests
  3. This will highlight the required flag, set this to 'Disabled'.
  4. Select the Restart button on the lower right of the browser.

WORKAROUND FOR GOOGLE CHROME BROWSER: Chrome Browsers v123.*

  1. Open Chrome
  2. In a new tab paste: chrome://flags/#block-insecure-private-network-requests
  3. This will highlight the required flag, set this to 'Disabled'.
  4. Select the Relaunch button on the lower right of the browser.

answered a month ago
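
An added illustration (not AWS's client code and not written by any poster in this thread) of how one extra HTTP message ahead of the browser's SAML POST can produce "Failed to find SAML response in request", and what filtering that message out looks like. It assumes the extra message is a Private Network Access preflight (an OPTIONS request carrying `Access-Control-Request-Private-Network: true`); the function names and sample messages are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed sample messages, not captured from a real client.
PREFLIGHT = (b"OPTIONS / HTTP/1.1\r\nHost: 127.0.0.1\r\n"
             b"Access-Control-Request-Method: POST\r\n"
             b"Access-Control-Request-Private-Network: true\r\n\r\n")
SAML_POST = (b"POST / HTTP/1.1\r\nHost: 127.0.0.1\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"SAMLResponse=Q09OU1RSVUNURUQ%3D&RelayState=demo")
ERROR = "Failed to find SAML response in request"  # error text quoted in the thread

def parse(raw):
    """Split one raw HTTP/1.1 message into (method, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers, body.decode("latin-1")

def is_pna_preflight(raw):
    """True for an OPTIONS preflight that announces a private-network request."""
    method, headers, _ = parse(raw)
    return (method == "OPTIONS" and
            headers.get("access-control-request-private-network") == "true")

def saml_response(raw):
    """Return the SAMLResponse form field of a POST, else None."""
    method, _, body = parse(raw)
    if method != "POST":
        return None
    values = parse_qs(body).get("SAMLResponse")
    return values[0] if values else None

def strict_login(messages):
    """Hypothetical pre-fix behaviour: the first message must carry the assertion."""
    assertion = saml_response(messages[0])
    if assertion is None:
        raise ValueError(ERROR)
    return assertion

def filtering_login(messages):
    """Hypothetical fixed behaviour: skip messages that carry no SAMLResponse."""
    for raw in messages:
        assertion = saml_response(raw)
        if assertion is not None:
            return assertion
    raise ValueError(ERROR)
```

The filtering variant still accepts only a POST that carries a `SAMLResponse` field; it changes which message is read, not how the assertion is validated.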
