AWS Client VPN (SAML)

This guide configures Casdoor as a SAML identity provider for AWS Client VPN.

Pré-requisitos

• AWS account with permission to configure the service
• Amazon VPC with an EC2 instance (VPC setup, EC2); in the instance security group, allow ICMP from the VPC CIDR for testing
• A private certificate in AWS Certificate Manager (ACM) (import guide)
• Windows or Mac with AWS Client VPN installed

Configure the SAML application in Casdoor

• Set Redirect URL to urn:amazon:webservices:clientvpn.

• Set SAML reply URL to http://127.0.0.1:35001.

• Save the SAML metadata as an XML file for the next step.

Configurar AWS

Add Casdoor as an identity provider

1. In the IAM console, open Identity providers → Create provider.
2. Choose SAML, give the provider a name, and upload the metadata file from Casdoor.
3. Click Next step → Create.

Create a Client VPN endpoint

1. In VPC → Client VPN Endpoints → Create Client VPN Endpoint.
2. Set Client IPv4 CIDR for remote users.
3. Select your Server certificate (from ACM).
4. Under Authentication, choose User-based authentication → Federated authentication.
5. Select the SAML identity provider you created.
6. Clique em Criar Endpoint de VPN do Cliente.

Associate the VPN with a VPC

1. In the endpoint, open Target network associations → Associate target network.
2. Select the VPC and subnet.

Authorization rules (optional)

1. Open Authorization rules → Add authorize rule.
2. Set Destination network (e.g. 172.31.16.0/20 for your EC2).
3. Under Grant access to, choose Allow access to users in a specific access group and enter the group name (e.g. casdoor).
4. Add the rule.

Conectar à VPN do Cliente

1. Select the endpoint (state: Available) → Download Client Configuration.
2. In the AWS Client VPN app: File → Manage Profiles → Add Profile → select the downloaded file.
3. Select the profile and click Connect.