Help with configuration of AWS Client VPN with SAML

Hi guys,

Has anyone had any luck configuring this? I've taken a look at this https://aws.amazon.com/blogs/networking-and-content-delivery/authenticate-aws-client-vpn-users-with-saml/ and configured the AWS side, however I'm unsure of where to go when configuring an app within Auth0 itself.

Any pointers would be helpful!

Thanks,
Richard

Hi @richard.dabreo,

You’re in luck - after much trial and error, I was finally able to get this working yesterday. I hope this helps!

Application Callback URL:

http://127.0.0.1:35001

SAML Settings:

{
  "audience": "urn:amazon:webservices:clientvpn",
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "signResponse": true,
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256",
  "typedAttributes": true,
  "includeAttributeNameFormat": false,
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ],
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "AuthnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
}

Rule:

Note: You may not need this. I had to split user.name to populate given_name and family_name.

function (user, context, callback) {
  // Run for AWS Client VPN connections only (the application's clientID)
  if (context.clientID === '<REDACTED>') {
    let first = '';
    let last = '';
    // Only split a display name; skip when user.name is actually an email address
    if (user.name && !user.name.includes("@")) {
      const parts = user.name.trim().split(/\s+/);
      first = parts[0];
      last = parts.slice(1).join(" "); // keep multi-word surnames intact
    }
    user.given_name = first;
    user.family_name = last;
    // key = SAML attribute name sent to AWS, value = user profile field it is read from
    context.samlConfiguration.mappings = {
      "FirstName": "given_name",
      "LastName": "family_name",
      "memberOf": "groups"
    };
  }
  callback(null, user, context);
}
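As an added example (not code from the post above or from Auth0/AWS), the rule in that answer modelled as plain JavaScript functions so its name splitting and SAML attribute mapping can be exercised offline. It goes a little beyond the post: names with more than two words keep everything after the first word as the family name, the mapping is resolved into the attribute set that would land in the assertion, and a check reports which of the attributes AWS Client VPN reads (FirstName, LastName, and memberOf when group-based authorization rules are used) would be missing. The Auth0 runtime and the real application clientID are assumed; AWS_VPN_CLIENT_ID is a placeholder for the redacted value, and the sample users are constructed.

```javascript
// Added example, not code from the original post: the Auth0 rule above
// modelled as plain functions so the name splitting and SAML attribute
// mapping can be exercised offline, without the Auth0 runtime.
// AWS_VPN_CLIENT_ID is a placeholder for the real (redacted) clientID.
const AWS_VPN_CLIENT_ID = 'example-aws-client-vpn-clientid';

// Split a display name into given/family parts. Unlike a bare
// `[first, last] = name.split(" ")`, everything after the first token is
// kept as the family name, so "Ada King Lovelace" does not lose "Lovelace".
// An empty value or an email address (common when user.name falls back to
// the login) yields empty strings, as in the original rule.
function splitName(name) {
  if (!name || name.includes('@')) {
    return { first: '', last: '' };
  }
  const parts = name.trim().split(/\s+/);
  return { first: parts[0], last: parts.slice(1).join(' ') };
}

// Same (user, context, callback) shape as an Auth0 rule. Only the AWS Client
// VPN application gets the extra profile fields and the mappings.
function awsVpnRule(user, context, callback) {
  if (context.clientID === AWS_VPN_CLIENT_ID) {
    const { first, last } = splitName(user.name);
    user.given_name = first;
    user.family_name = last;
    context.samlConfiguration = context.samlConfiguration || {};
    // key = SAML attribute name sent to AWS, value = user profile field it comes from
    context.samlConfiguration.mappings = {
      FirstName: 'given_name',
      LastName: 'family_name',
      memberOf: 'groups',
    };
  }
  callback(null, user, context);
}

// Resolve the mappings the way the SAML add-on does, producing the attribute
// set that would end up in the assertion. Unset or empty profile fields are omitted.
function buildSamlAttributes(user, context) {
  const mappings = (context.samlConfiguration && context.samlConfiguration.mappings) || {};
  const attrs = {};
  for (const [samlName, profileField] of Object.entries(mappings)) {
    if (user[profileField] !== undefined && user[profileField] !== '') {
      attrs[samlName] = user[profileField];
    }
  }
  return attrs;
}

// AWS Client VPN reads FirstName and LastName from the assertion and uses
// memberOf for group-based authorization rules; report which are missing so a
// thin profile is caught before the user hits an opaque VPN authentication failure.
function missingAwsAttributes(attrs, { groupRules = true } = {}) {
  const required = ['FirstName', 'LastName'];
  if (groupRules) required.push('memberOf');
  return required.filter((name) => !(name in attrs));
}

// Run the rule synchronously and return what it produced.
function runRule(user, context) {
  let result;
  awsVpnRule(user, context, (err, u, c) => {
    result = { err, user: u, context: c };
  });
  return result;
}

// Constructed sample data (not real users): a VPN login with a three-part
// name, and a login to an unrelated application that the rule must not touch.
function demo() {
  const vpn = runRule(
    { name: 'Ada King Lovelace', email: 'ada@example.com', groups: ['vpn-users'] },
    { clientID: AWS_VPN_CLIENT_ID, samlConfiguration: {} }
  );
  const other = runRule(
    { name: 'Ada King Lovelace', email: 'ada@example.com' },
    { clientID: 'some-other-app', samlConfiguration: {} }
  );
  return {
    vpnAttributes: buildSamlAttributes(vpn.user, vpn.context),
    otherMappings: other.context.samlConfiguration.mappings,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the file prints the attributes the VPN application would receive (FirstName, LastName, memberOf) and confirms the unrelated application gets no mappings; feeding a single-word name through `missingAwsAttributes` shows LastName reported missing, which is the case to watch for when user.name is populated from a login rather than a full name.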

Hi bmcmanus,

Thanks for posting this!

Best Regards,

Richard

Teamwork makes the dreamwork!