How to configure SAML with AWS

Introduction

OpenVPN Access Server 2.11 and newer supports authentication using SAML with AWS as the identity provider. You can configure this in AWS with Access Server as your service provider using AWS IAM Identity Center.

The following steps walk you through how to enable SAML authentication for users and groups from AWS to Access Server.

Before you begin

You need the following to get started:

Note: We recommend using all lowercase usernames when logging in with SAML.

Step 1: Create the AWS SAML application

With AWS, you must create a custom SAML application.

First, gather information about your Access Server as the service provider (SP).

  1. Sign into your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. Note the following values; you will enter them into the AWS app:
    1. SP Identity.
    2. SP ACS.

Now that you have your SP information, you can create a new AWS SAML app and enter that information during app creation:

  1. Sign into your AWS portal and open the IAM Identity Center console.
  2. Under Application assignments, click Applications.
  3. Click Add Application.
  4. Under Custom application, click Add custom SAML 2.0 application, and click Next.
  5. Under Display name, enter the name of your SAML custom app and an optional Description.
  6. Under Application properties and Application metadata, use the SP information from Access Server to fill in the following fields in the AWS app:
    1. Application ACS URL: Enter the Access Server SP ACS.
    2. Application SAML audience: Enter the Access Server SP Identity.
    3. Relay state - (optional): Enter ‘cws’ for the Client Web UI or ‘profile’ to provide users with a downloadable profile. (Refer to “How to set up IdP-initiated flow” below for more details.)
  7. Click Submit.
  8. Click on Assign Users.
  9. Select your users and click Assign Users.

In our testing, the AWS SAML IdP produces invalid SAML assertions that violate the SAML XML Schema Definition when no or only one SAML attribute is configured. We therefore recommend configuring at least two SAML attributes until Amazon fixes this problem.

In the AWS SAML app, configure attribute mappings:

  1. Under Applications, click your SAML custom app.
  2. Under the Actions tab, click Edit attribute mappings.
  3. Under Maps to this string value or user attribute in IAM Identity Center, enter ${user:AttributeName} and map at least two attributes. For example, enter ${user:subject} to use your AWS IAM username as the SAML username, or ${user:email} to use your AWS IAM email address.
  4. Click Add new attribute mapping.
  5. Under User attribute in the application, enter name.
  6. Under Maps to this string value or user attribute in IAM Identity Center, enter email.
  7. Click Save changes.
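When you troubleshoot the attribute mappings above (or the two-attribute caveat), it helps to look at what actually arrives in the SAML response. The following Python script is an added example, not part of OpenVPN's documentation or Access Server's code. It parses a constructed sample response (placeholder issuer URL and user values, no signature) whose attribute statement carries the two mappings from the steps above, reports the issuer, NameID and attributes, flags a response that carries fewer than two attributes, and lowercases the username in line with the note at the top of the page. It does not verify the XML signature; it is an inspection aid for a captured response, not a replacement for the service provider's own validation.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a response and its assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not real AWS output): the shape of a response carrying
# the two mappings configured above: Subject -> username, name -> email.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE-ISSUER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Jane.Doe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Subject">
        <saml:AttributeValue>Jane.Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="name">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Extract issuer, NameID and the attribute statement from a SAML response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {"issuer": issuer, "name_id": name_id, "attributes": attributes}


def check_assertion(parsed, expected_issuer):
    """Return a list of problems; an empty list means the response looks as expected."""
    problems = []
    if parsed["issuer"] != expected_issuer:
        problems.append("issuer does not match the configured IdP EntityId")
    if len(parsed["attributes"]) < 2:
        # Matches the recommendation above: map at least two attributes.
        problems.append("fewer than two attributes in the assertion")
    if not parsed["name_id"]:
        problems.append("empty NameID")
    return problems


def username_from(parsed):
    """Normalise the NameID to lowercase, as recommended for SAML logins."""
    return parsed["name_id"].lower()


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_RESPONSE)
    print("issuer:    ", parsed["issuer"])
    print("username:  ", username_from(parsed))
    print("attributes:", parsed["attributes"])
    print("problems:  ", check_assertion(parsed, parsed["issuer"]))
```

Feed the script a decoded SAMLResponse captured during a failed login and compare the issuer against the IdP EntityId you configured in Access Server; a mismatch or a single-attribute assertion points back at the AWS app configuration rather than at Access Server.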

To download the AWS metadata file for automatic configuration (option 1):

  1. Under Applications, click your SAML custom app.
  2. Under the Actions tab, click edit configuration.
  3. Under IAM Identity Center SAML metadata file, click Download.

To copy the AWS SAML data for manual configuration (option 2):

  1. Under Applications, click your SAML custom app.
  2. Under the Actions tab, click edit configuration.
  3. Copy the content in IAM Identity Center sign-in URL, and IAM Identity Center SAML issuer URL.
  4. Click Identity Center Certificate to download the certificate in PEM format.

Step 2: Configure AWS SAML data with Access Server

The simplest way to set up AWS SAML for Access Server is by providing the metadata XML file (option 1), but you can also manually configure it (option 2).

To upload the AWS metadata file in the Admin Web UI (option 1):

Provide the downloaded metadata XML file to your Access Server through the Admin Web UI to automatically configure SAML:

  1. Sign into your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
  4. Click Choose File for Select IdP Metadata File.
  5. Select your AWS metadata XML file and click Upload, then Update Running Server.
  6. The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

To manually configure AWS SAML (option 2):

  1. Sign into your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Manually to expand the section.
  4. Paste the following values from AWS into the Access Server fields:
    1. Paste the AWS IAM Identity Center sign-in URL into Access Server’s Sign On Endpoint.
    2. Paste the AWS IAM Identity Center SAML issuer URL into Access Server’s IdP EntityId.
    3. Paste the AWS Identity Center Certificate into Access Server’s Certificate (PEM format).
  5. Click Save, then Update Running Server.
  6. The IdP fields are now saved.
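The metadata file from option 1 carries the same three values that option 2 has you paste by hand: the IdP EntityId, the sign-on endpoint and the signing certificate. The following Python script is an added example, not part of OpenVPN's documentation or Access Server's code. It parses a constructed sample IdP metadata document (placeholder URLs and a placeholder certificate body, not real AWS values) and extracts those three values, wraps the certificate into PEM form and computes its SHA-256 fingerprint so you can confirm that what Access Server shows under Configure Identity Provider (IdP) Manually matches what AWS published. It assumes the HTTP-Redirect binding is the one to use for the Sign On Endpoint and falls back to HTTP-POST; both are returned so you can pick the other if your setup needs it.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

# Namespaces used by SAML metadata and XML-DSig key info.
MD = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder for the certificate body. A real metadata file
# carries a base64 DER-encoded X.509 certificate here.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed sample metadata (placeholder URLs, not real AWS values).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE-ISSUER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE-ISSUER"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE-ISSUER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint_b64(cert_b64):
    """SHA-256 over the DER bytes, i.e. the base64-decoded certificate body."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def to_pem(cert_b64):
    """Wrap the bare base64 body into the PEM form Access Server expects."""
    body = "".join(cert_b64.split())
    lines = textwrap.wrap(body, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text):
    """Pull the values needed for manual (option 2) configuration out of IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    endpoints = {
        s.get("Binding"): s.get("Location")
        for s in idp.findall("md:SingleSignOnService", MD)
    }
    certs = []
    for kd in idp.findall("md:KeyDescriptor", MD):
        # A KeyDescriptor without a "use" attribute covers both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD):
                certs.append("".join((c.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "idp_entity_id": root.get("entityID"),
        "sign_on_endpoint": endpoints.get(REDIRECT) or endpoints.get(POST),
        "bindings": endpoints,
        "certificate_pem": to_pem(certs[0]),
        "cert_sha256": fingerprint_b64(certs[0]),
        "signing_cert_count": len(certs),
    }


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP EntityId:     ", info["idp_entity_id"])
    print("Sign On Endpoint: ", info["sign_on_endpoint"])
    print("Cert SHA-256:     ", info["cert_sha256"])
    print("Signing certs:    ", info["signing_cert_count"])
    print(info["certificate_pem"])
```

Run it against the metadata XML you downloaded from IAM Identity Center and compare the printed fingerprint with the certificate Access Server has loaded; when AWS rotates the signing certificate, a changed fingerprint tells you the Access Server copy needs updating. More than one signing certificate in the metadata usually means a rotation is in progress.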

Step 3: Assign SAML as user authentication

Once you’ve provided the SAML configuration for AWS, you can enable it for users.

  1. Sign into the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click the toggle to turn on Enable SAML authentication, then click Save Settings and Update Running Server.
  4. You can now enable SAML as the global default authentication or for specific groups and users.

How to set up IdP-initiated flow (optional)

You can configure an IdP-initiated flow for signing into Access Server from AWS with the following steps:

  1. Sign into the AWS admin portal.
  2. Under Applications, click your custom SAML app.
  3. Under the Actions tab, click edit configuration.
  4. Under Application properties, enter one of the following for Relay state - (optional):
    1. cws: This directs your users to the Client Web UI after sign-in.
    2. profile: This directs your users to a profile download after sign-in.
  5. Save changes.