Managed Dialup VPN with custom SSO Authentication

Published 2021-06-11 (last modified 2024-02-02) on blog.besharp.it: https://blog.besharp.it/managed-dialup-vpn-with-custom-sso-authentication/
In these days of remote and smart working, giving users access to private resources and applications is a hot topic.

A dial-up VPN is the tool that can solve this problem, giving home users and road warriors access to private corporate services that are not exposed on the internet (even if they are hosted on the AWS Cloud).

Implementing a VPN for end users is always a non-trivial task, because there are always conflicting requirements such as:

AWS offers the AWS Client VPN service, which can help you give remote access to resources in a VPC and leverage external identity providers such as Okta, Active Directory and other services to authenticate users via the SAML protocol.

AWS Client VPN users can connect to a self-service web portal and download the client software and the configuration needed to connect to the private resources. This eases the effort needed to implement the solution, because there's no need for an administrator to be involved in the process.

Some time ago we released an article on how to implement single sign-on on the AWS console using G Suite as an identity provider.

Based on the considerations made in the previous article about different IdPs, we want to configure the AWS Client VPN service using G Suite as the authentication provider. Unfortunately, there's a catch that we're still investigating.

The issue is that the AWS Client VPN software uses a plain HTTP service to authenticate requests, while G Suite accepts and validates only HTTPS addresses (we'll see some details about the configuration later).

We'll set up AWS SSO as the authentication provider, so in the future we'll be able to switch the user database quite easily and finally configure G Suite as our identity source.

AWS SSO is also useful if you're using AWS Organizations to manage a multi-account scenario and want to give users different access to specific accounts; you can find some topology examples here.

Example scenario